The federal government is set to fast-track changes to Australia’s privacy laws next week which, if passed, would see fines for “repeated or serious” data breaches rise from $2.2 million to $50 million or 30 percent of “adjusted” turnover.
Attorney-General Mark Dreyfus said in a statement on Saturday morning that present penalties for breached organisations were “seen as a cost of doing business”.
He also said that “significant privacy breaches in recent weeks have shown existing safeguards to be inadequate”.
Optus, Medibank, Vinomofo and MyDeal are among companies to have disclosed large data breaches in recent weeks.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” Dreyfus said.
The penalties proposed include a fine of $50 million, “three times the value of any benefit obtained through the misuse of information”, or “30 percent of a company’s adjusted turnover in the relevant period”.
Dreyfus said the higher figure of those three would be the one payable.
The proposed privacy legislation amendment will also give the information commissioner “greater” – though unspecified – powers “to resolve privacy breaches”.
Dreyfus also flagged changes to the mandatory notifiable data breach (NDB) scheme, aimed at ensuring the commissioner “has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals”.
The scheme has had past issues where organisations did not report ransomware attacks because of a perceived loophole: they believed they were not required to report unless they were absolutely sure that data exfiltration had taken place.
Dreyfus also said the commissioner and the Australian Communications and Media Authority would be equipped with “greater information sharing powers”.
The legislative amendments will be put before the parliament next week.
Dreyfus said that a comprehensive review of the Privacy Act is continuing and is likely to result in “further reform” once it is completed later this year.