Privacy breaches are about to cost companies operating in Australia considerably more in fines, as the country has raised the maximum penalty from AUD 2.2 million to AUD 50 million. The way a fine is calculated has also changed: the value of any benefit obtained from the misused data and a share of the organization's annual turnover can now both factor into the amount.
Privacy breaches become a major focus as Australia weathers cybersecurity storm
Revision of the Privacy Act 1988 has proceeded slowly and in stages for several years, but the recent string of high-profile cyber crimes in the country appears to have spurred quick and decisive government action on privacy breaches. The new terms not only increase penalties substantially, but also speed up the government's ability to take direct enforcement action and broaden the scope of covered entities to include organizations that move their operations offshore in an attempt to avoid regulation.
Organizations in Australia are now looking at a fine of up to AUD 50 million for privacy breaches, but there are several different paths to arriving at the figure. A court can first estimate the monetary value of the benefit obtained from the stolen data; if that value cannot be established, the organization faces a penalty of up to 30% of its annual turnover for the relevant period.
A full revision of the Privacy Act is not expected until sometime in 2023 at the earliest, but these new penalty terms for privacy breaches can take effect after review by the Attorney-General's Department and the granting of Royal Assent.
Late 1980s terms continue to be updated
The Privacy Act has seen numerous additions and revisions over the past three decades, but many aspects of it remain stuck in an era before home internet was even available. This adjustment to the penalties for privacy breaches is one of the most meaningful thus far.
The change also grants relevant government agencies more power, both in the information about privacy breaches that organizations must report to them and in their ability to notify affected data subjects directly. Australian Information Commissioner and Privacy Commissioner Angelene Falk has said that, when the Privacy Act overhaul is complete, it will align closely with the terms of the EU's General Data Protection Regulation (GDPR).
Though the activity appears to have slowed for now, Australian companies spent much of the fourth quarter of the year fending off a wave of cyber attacks that caused multiple major privacy breaches. Several ransomware and data exfiltration gangs hit major companies such as Medibank and Optus and leaked millions of records of sensitive information to the dark web, leaving ordinary citizens across the country scrambling to protect their privacy and, in some cases, to have identity document numbers and bank account details changed. The government is also considering stricter requirements for banks to notify customers and secure their accounts when a major data breach could lead to scams and financial theft.