Gov proposes "up to $50m" fines for serious data breaches

Under planned changes to privacy laws.

The federal government is set to fast-track changes to Australia’s privacy laws which, if passed, would see fines for “repeated or serious” data breaches rise from $2.2 million to “up to” $50 million or 30 percent of “adjusted” turnover.

Attorney-General Mark Dreyfus said on Saturday morning that the present penalties for breached organisations were “seen as a cost of doing business”.

“The maximum fine at the moment is $2.2 million, and for a really big company that’s just … something that they can safely ignore,” he said.

“What we need is really large penalties that will concentrate the minds of corporations who are storing Australians’ data, making sure that in the future they will look after that.”

He also said that “significant privacy breaches in recent weeks have shown existing safeguards to be inadequate”.

Optus, Medibank, Vinomofo and MyDeal are among companies to have disclosed large data breaches in recent weeks.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” Dreyfus said.

The penalties proposed include a fine of “up to $50 million”, “three times the value of any benefit obtained through the misuse of information”, or “30 percent of a company’s adjusted turnover in the relevant period”.

Dreyfus said the highest of those three figures would be the one payable.

Seriousness would be measured against several criteria.

“[The definition of] serious is going to be determined by how many people are affected, by how serious the information that has been leaked is, what the consequences of the breach are, and how reckless the company was,” Dreyfus said.

The proposed privacy legislation amendment will also give the information commissioner “greater” – though unspecified – powers “to resolve privacy breaches”.

“The information commissioner has been asking for these powers now for years,” he said.

Dreyfus also flagged changes to the mandatory notifiable data breach (NDB) scheme, aimed at ensuring the commissioner “has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals”.

The scheme has in the past been undermined by a perceived loophole: some organisations did not report ransomware attacks on the basis that notification was only required if they were certain that data exfiltration had taken place.

Dreyfus also said the commissioner and the Australian Communications and Media Authority would be equipped with “greater information sharing powers.”

The legislative amendments will be put before the parliament this week.

Dreyfus said that a comprehensive review of the Privacy Act is continuing and is likely to result in “further reform” once it is completed later this year.
