Gov increases penalties for privacy breach to $50m

In response to the recent spate of data breaches, the Government has announced new legislation that will significantly increase penalties for serious or repeated privacy breaches to up to $50 million.

Currently, under the Privacy Act 1988, the maximum penalty that can be applied for a serious or repeated privacy breach is $2.22 million, but the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalty to the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company’s adjusted turnover in the relevant period.

The new Bill, which will be introduced this week, will also give the Australian Information Commissioner greater powers to resolve privacy breaches, strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has “comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals”, and equip the Commissioner and the Australian Communications and Media Authority with greater information-sharing powers.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” Attorney-General Mark Dreyfus said in the announcement.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

The new Bill will be in addition to a comprehensive review of the Privacy Act by the Attorney-General’s Department that will be completed this year, with recommendations expected for further reform.

On 21 September, the Government was advised of a ‘significant cyber security breach’ by Optus, which is owned by Singapore-based telecommunications conglomerate Singtel.

In October, Australia’s largest health insurer Medibank confirmed it had been contacted by a hacking group threatening to on-sell highly sensitive customer data captured during a suspected ransomware attack.

Other major data loss events recently reported by Australian firms include Woolworths-owned online retailer MyDeal (with 2.2 million customers impacted) and wine retailer Vinomofo, both of which reported significant data breaches.