The Australian Parliament approved Government’s privacy penalty bill: the maximum fine for companies and data controllers who are responsible for serious data breaches will rise to AU$50 million.
Companies and data controllers that suffer severe data breaches will now be liable for fines of up to AU$50 million, according to a new privacy penalty bill approved by the Australian parliament last week.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 raises the maximum penalty for serious or repeated privacy breaches from the current $2.22 million to whichever is greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 percent of a company’s adjusted turnover in the relevant period.
A Response to Recent Cyberattacks
The new bill is a response to a series of recent cyberattacks on Australian companies, such as ransomware and network breaches, which put millions of people’s sensitive information at risk, explains Bleeping Computer.
Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.
The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws. Companies must do better to prevent breaches from happening.
Extract from the Australian Government’s press release
The bill comes as a measure to protect Australian citizens from cyberattacks – the most notable incidents this year were the Optus data breach, which affected 11 million customers, and the ransomware attacks against the insurance company Medibank, which exposed the personal information of 9.7 million customers.
The new bill does more than just increase penalties for privacy breaches; it also empowers the Office of the Australian Information Commissioner (OAIC) to participate in investigating and resolving such breaches and determining their scope.
The Office of the Australian Information Commissioner (OAIC) welcomed the amendment’s passage and assured Australians that it would make good on its promise to use its expanded authority to better safeguard citizens and the Australian economy.
The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation.
A statement from Privacy Commissioner Angelene Falk
By comparison, Europe’s GDPR imposes fines of up to 10 million Euros or (whichever is greater) up to 2% of the preceding fiscal year’s global turnover. For “extremely serious violations,” the fine is increased to 20 million Euros and 4% of annual turnover.
The Australian Government’s complete media release is available here.
The Office of the Australian Information Commissioner (OAIC) press release is available here.