Next week, a new bill proposing stiffer penalties for privacy offences will be introduced to parliament as part of a comprehensive review of Australia’s privacy law.
After the Optus and Medibank hacks, which prompted the revisions, both digital rights advocates and the government expressed concerns about the lack of significant consequences for privacy violations.
Medibank and Optus attacks prompt harsher penalties for privacy violations
Under the Albanese government’s latest proposal, companies that commit multiple violations of the Privacy Act, meaning they were hit by several significant data breaches, will face fines of $50 million.
The maximum current penalty is $2.22 million for multiple serious data breaches.
Australians are not protected from significant data breaches by the current penalty, says Attorney-General Mark Dreyfus.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” he said.
The proposed legislation would increase penalties for “serious or repeated data breaches” to the greater of:
- $50 million
- Three times the value of the benefit obtained through misuse of data
- 30 per cent of a company’s turnover in the relevant period
This comes after a series of high-profile attacks against Australian companies, including the Optus cyberattack that exposed the data of 2.1 million Australians and the Medibank crisis, which resulted in the theft of confidential medical records of 3.9 million Australians.
As part of the bill, Australian privacy law would be extended to cover overseas businesses that may interact with local data.
Despite not collecting or storing Australians’ information directly, a company that “carries on a business” in Australia must still comply with the local laws.
Information sharing and customer protection
Two methods will be implemented to strengthen information sharing.
The commissioner will have “express powers” to publish its findings following a privacy investigation, as well as updates on ongoing investigations.
In addition, enforcement bodies, complaints bodies, privacy regulators and the Australian Communications and Media Authority will be given better enforcement powers.