Following recent high-profile data breaches, the federal government has proposed changes to Australia’s privacy law to significantly increase penalties for privacy breaches and give the regulator more powers.
The Australian government announced Monday that Parliament has approved Bill 2022 to amend privacy legislation.
Commonly referred to as the "Privacy Penalty Bill," the new legislation significantly increases penalties for repeated or serious privacy breaches by companies that fail to protect their customers' data.
The most significant change is to raise the maximum civil penalty for "serious or repeated" privacy breaches from the current cap of A$2.22 million (US$1.5 million) to an amount not exceeding the greatest of: A$50 million (US$33.5 million); three times the value of the benefit the company obtained from the breach; or, if a court cannot determine the value of that benefit, 30 percent of the company's domestic turnover during the relevant period.
"The penalties associated with this could prove to be an important part of their privacy system," Andrew Barratt, vice president of Coalfire, told Infosecurity.
The Coalfire executive added that while he hopes the new legislation will lead to meaningful action by companies operating in the region, it will also likely affect global organizations that are now navigating a patchwork of subjective privacy laws with varying penalties.
"Hopefully, organizations with well-designed privacy management systems will receive some leniency, but this really shows the need for security by design."
The new bill also gives the Office of the Australian Information Commissioner (OAIC) greater powers to resolve privacy breaches and increases its ability to quickly share information about data breaches to help protect affected customers.
The higher penalties and expanded powers take effect on the day the bill receives Royal Assent, ahead of a broader review of the Privacy Act 1988. That review will follow the comprehensive review being conducted by the Department of Justice, which is currently in its final stages.
In light of these changes, all organizations should urgently review their privacy compliance posture to determine whether their policies and processes, and those of their key vendors, are adequate.