
Australia: AG introduces penalty increase for privacy breaches
The Attorney General ('AG') of Australia, Mark Dreyfus, announced, on 22 October 2022, that the Australian government will be introducing legislation to significantly increase penalties for repeated or serious privacy breaches. In particular, the AG stated that, in light of significant breaches in recent weeks proving existing safeguards to be inadequate, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act') for serious or repeated privacy breaches from the current $2.2 million penalty to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company's adjusted turnover in the relevant period.
Furthermore, the AG outlined that the Bill will also:
- provide the Australian Information Commissioner ('OAIC') with greater powers to resolve privacy breaches;
- strengthen the notifiable data breaches scheme to ensure the OAIC is better informed following a breach to assess the risk of harm to individuals; and
- equip the OAIC and the Australian Communications and Media Authority with greater information sharing powers.
In this regard, the AG noted that they look forward to support on the Bill from the parliament, deeming its passing 'an essential part of the Government's agenda to ensure Australia's privacy framework is able to respond to new challenges in the digital era'.
Notably, the AG specified that this Bill is in addition to a comprehensive review of the Privacy Act by the AG's department, which will be completed this year, with recommendations expected for further reform of privacy legislation. / dataguidance
Tougher penalties for serious data breaches
The Albanese Government will next week introduce legislation to significantly increase penalties for repeated or serious privacy breaches.
When Australians are asked to hand over their personal data they have a right to expect it will be protected.
Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business.
We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company's adjusted turnover in the relevant period.
The Bill will also:
- provide the Australian Information Commissioner with greater powers to resolve privacy breaches;
- strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals; and
- equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers.
This Bill is in addition to a comprehensive review of the Privacy Act by the Attorney-General's Department that will be completed this year, with recommendations expected for further reform.
I look forward to support from across the Parliament for this Bill, which is an essential part of the Government's agenda to ensure Australia's privacy framework is able to respond to new challenges in the digital era.
The Albanese Government is committed to protecting Australians' personal information and to further strengthening privacy laws.
more info ministers.ag.gov.au