By: Ravie Lakshmanan
The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches.
To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity’s adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information, whichever is greater.
The turnover period is the time duration from when the contravention occurred to the end of the month when the incident is officially addressed.
“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate,” Attorney-General Mark Dreyfus said in a statement. “These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.”
The legislation, called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, also bestows more powers to the Australian Information Commissioner to address security breaches.
The “new information sharing powers will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
The bill, which has been tabled as part of wider reforms to the Privacy Act 1988, now awaits Royal Assent to be formally signed into law.
The development comes in the wake of recent major breaches at Optus and Medibank that have resulted in the leak of personal information associated with 2.1 million and 9.7 million customers, respectively.