The federal government will this week introduce legislation that radically increases the penalties to $50 million and more against companies for repeated or serious privacy breaches.
The law changes come in the wake of high-profile breaches at telecommunications carrier Optus and the private health insurer Medibank that resulted in the theft of millions of Australian’s personal information.
Attorney General Mark Dreyfus said the data breaches in recent weeks demonstrate that existing safeguards are inadequate.
“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” Mr Dreyfus said in a statement over the weekend.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” he said.
The proposed changes would lift the maximum penalty for serious or repeated privacy breaches from its current $2.22 million penalty to whatever is the greater of $50 million; three-times the value of any benefit obtained through the misuse of information; or 30 per cent of a companies adjusted turnover in the relevant period.
The government will introduce the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to the parliament this week that will outline the changes.
The bill will also give the Australian Information Commissioner more powers to resolve privacy breaches, as well as strengthen the Notifiable Data Breaches scheme to ensure that companies provide the Information Commissioner with comprehensive details of precisely what information has been compromised so that risk assessments can be made about harm to individuals.
The bill also gives the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority greater information sharing powers.
“This Bill is in addition to a comprehensive review of the Privacy Act by the Attorney-General’s Department that will be completed this year, with recommendations expected for further reform,” Mr Dreyfus statement said.
The changes were essential to ensuring Australia’s privacy frameworks are able to respond to new challenges in the digital era, he said.
Do you know more? Contact James Riley via Email.