Under new legislation to be introduced this week, Australian companies with serious or repeated privacy breaches could face financial penalties of at least $50 million.
As announced by Attorney-General Mark Dreyfus, the maximum penalty for companies that fail to protect customer data as required by privacy laws will increase from $2.2 million to whichever is highest: $50 million, 30 per cent of the company’s adjusted turnover in the relevant period, or three times the value arising from misuse of the customer data.
This could mean fines of up to $300 million for a business with revenue of $1 billion in the year before the data breach.
The move follows major data breaches at companies like Optus and Medibank in recent weeks. Hackers were allegedly able to access personal health information, Medicare card details, passports and driver’s licences of up to 10 million users.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” said Mr Dreyfus in a statement.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will also equip the Australian Information Commissioner and the Australian Communications and Media Authority (ACMA) with greater powers to share information; strengthen the Notifiable Data Breaches scheme; and provide the Australian Information Commissioner with greater powers to resolve privacy breaches.
In recent weeks, cybersecurity concerns have been a top priority for numerous businesses. Since the breaches, Minister for Cybersecurity Clare O’Neil has been vocal about the need for an overhaul of information and privacy protections in the country.
“This is the new world that we live in, we are going to be under relentless cyber-attack, essentially from here on in,” she said. “And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data, and also for citizens to be doing everything that they can.”
These amendments will be introduced during a busy week in parliament, with Labor’s first Budget expected to be announced later today.