Australia to increase maximum data breach penalty to $50 million

The Australian government is set to introduce new legislation this week to increase penalties for repeated or serious privacy breaches in the wake of a series of high-profile cyber attacks targeting the region.

The attorney general revealed that the new maximum penalties will be introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 which will amend the existing statutes under the Privacy Act 1988.

This will introduce a rise from a maximum of $2.22 million (£1.2 million) to a new maximum which will be whichever is greater out of three possible figures: $50 million (£27 million), three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.

Significant privacy breaches in recent weeks have shown that the current safeguards are inadequate, said attorney general Mark Dreyfus on 22 October. He added that it’s not enough for a penalty for a major data breach to be seen as the cost of doing business.

Dreyfus underlined the need for better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.

“I look forward to support from across the Parliament for this Bill, which is an essential part of the government's agenda to ensure Australia's privacy framework is able to respond to new challenges in the digital era,” said Dreyfus.

The Bill will also look to provide the Australian information commissioner with greater powers to resolve privacy breaches. It will also seek to strengthen the Notifiable Data Breaches scheme to ensure the commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals.

Additionally, it will aim to equip the commissioner and Australian Communications and Media Authority with greater information-sharing powers.

Australia has been rocked by a number of cyber attacks in the last couple of months, exposing the details of millions of Australian citizens. Optus and Telstra, the nation's two largest telcos, suffered data breaches in September and October. The Optus breach affected around two million customers, while the Telstra incident affected 30,000 people.

This was followed by online retail marketplace mydeal, a Woolworths subsidiary, which revealed in October its CRM system had been compromised, affecting around 2.2 million customers.

Most recently Medibank was also affected by an unknown ransomware group in October, with the company revealing that the hacker had entered negotiations with the firm over the release of client data.