The Australian parliament has approved a bill to amend the country’s privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches.
The financial penalty introduced by the new bill is set to whichever is greater:
- three times the value of any benefit obtained through the misuse of information, or
- 30% of a company’s adjusted turnover in the relevant period.
Previously, the maximum penalty for severe data exposures was AU$2.22 million, which was considered wholly inadequate to incentivize companies to improve their data security mechanisms.
The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.
“The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month,” reads the media announcement.
“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”
The most notable incidents were the data breach at telecommunications provider Optus, which impacted 11 million people, and the ransomware attack on insurance firm Medibank, which exposed the data of 9.7 million.
“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.” – Australian Government.
Apart from setting higher fines, the new bill also gives the Office of the Australian Information Commissioner (OAIC) greater powers to become more involved in resolving privacy breaches and determining their scope.
The OAIC has welcomed the passing of the amendment and promised Australians that it would use its enhanced role to better protect individuals and the country’s economy.
“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” stated Commissioner Angelene Falk.
“In seeking penalties or taking regulatory action, our approach will continue to be pragmatic, evidence-based, and proportionate.”
For comparison, Europe’s GDPR sets fines of up to 10 million euros or up to 2% of global turnover for the preceding fiscal year, whichever is higher.
For “especially severe violations,” these thresholds are doubled to 20 million euros and 4% of annual turnover.