‘Flawed’ data breach penalty laws pass Parliament

Legislation that significantly increases fines against companies for privacy breaches has sailed through Parliament with support from the Opposition, despite enduring concerns around the operation and practicality of the penalty regime.

Companies will now be subject to fines of $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period, whatever is larger, for serious or repeated privacy breaches.

The change, which was prompted by the Optus data breach and precedes further structural changes to the Privacy Act, brings the maximum penalties available to the Office of the Australian Information Commissioner (OAIC) in line with newly minted consumer law.


The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed the Senate on Monday afternoon after an hour-long debate and was later given the tick of approval by the House of Representatives.

Both the Opposition and Greens moved amendments in the Senate to address concerns raised by multiple stakeholders and witnesses at the Legal and Constitutional Affairs Legislation Committee inquiry earlier this month but were unsuccessful.

The concerns raised go to the lack of a definition of ‘serious’ and ‘repeated’ interferences with privacy in the bill, as well as the inclusion of terms like ‘benefit’ in the penalty regime, which assumes companies always benefit from a privacy interference.

Stakeholders, including Australia’s three technology industry groups, also recommended tiering of penalties to ensure small to medium-sized businesses and charities aren’t subject to the same penalties as multinationals.

The government rejected the amendments on Monday but committed to addressing the concerns as part of its ongoing review of the Privacy Act, which the Attorney-General’s Department (AGD) is expected to finish before the end of the year.

“Reforms to clarify key definitions in the Privacy Act, develop a tiered penalty regime, provide greater clarity on the applications of penalties and enhance security guidelines are being considered through the Privacy Act review,” Agriculture Minister and Labor senator Murray Watt said.

“It’s appropriate that these reforms be considered holistically in these processes given the range of complex and interconnected issues and other work across government.”

Greens Senator David Shoebridge, who supported the bill “with reservations”, said the absence of clear definitions and linking the maximum penalties to benefit “expose significant weaknesses in the government’s proposed model”.

“In the privacy space, the benefit that corporations may obtain from privacy breaches is in fact far more ambiguous than for many entities, and we’re seeing this play out at the moment with Medibank and Optus and others,” he said.

Senator Shoebridge said the operation of the penalty regime in the case of an unintentional privacy breach, where the benefit to an entity is at the very least unclear, if not “actually a net loss”, is as “clear as mud”.

“Those difficulties arise from taking provisions that are designed for one part of the law, in this case competition law, and unthinkingly cutting and pasting them and whacking them into privacy law,” he said.

“So, there is a very real need for the government to closely consider these drafting issues and do it as a matter of urgency.”

The reliance on benefit to determine the fine, and the structure of the penalty regime, could also see organisations that intentionally breach the privacy of individuals receive a smaller fine than those that suffer an accidental breach.

Senator Shoebridge said it could similarly see the OAIC fall back on the $50 million “nuclear option” as it is the only realistic fine available, leaving the regulator “in an almost impossible situation”, particularly in the case of charities.

“The end result is that the Parliament might agree to these tougher penalties — and it looks like they will — but the government has starved the regulator of the funds to seriously enforce them,” he added.

“We might at the end of this have a pyrrhic victory for data security. We get a headline, we get a penalty that’s almost impossible to use because of the size and the scale of it, and we give it to a regulator which barely has the money needed to keep the lights on, let alone bring an actual prosecution in this space.”

Liberal senator Paul Scarr made similar recommendations for “where the legislation can be enhanced and improved”, but the Opposition ultimately supported the bill in its current form, having been given assurance that its concerns will be addressed.

In response to senator Shoebridge’s concerns, senator Watt said the bill “does not otherwise constrain the exercise of the court’s discretion to impose a penalty that is appropriate”, meaning that there is “some protection of an overwhelming fine” against small to medium-sized business and charities.

“The bill is an essential first step of the government’s agenda to ensure Australia’s privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the AGD’s review of the Privacy Act,” he said.

“This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians’ personal data and will ensure Australia’s privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively.”

Do you know more? Contact James Riley via Email.
