WP Harsher penalties for data breaches in new Australian privacy bill | Imperva

Harsher penalties for data breaches in new Australian privacy bill

Harsher penalties for data breaches in new Australian privacy bill

High-profile breaches mean high-profile action

In the aftermath of another crop of high-profile data breaches, the Australian Government (also known as the Commonwealth Government) has introduced amendments to Australian privacy law which give the regulator new powers and the ability to impose harsher penalties for serious or repeated digital privacy breaches. These amendments will include the power to share breach information with enforcement bodies, and the Australian Communications and Media Authority (ACMA).

In October 2022, the Australian Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 into Parliament. With significant reforms, the Bill strengthens the government’s commitment to protecting the personal information of Australian citizens and will take effect immediately after it receives the obligatory Royal Assent. 

Privacy reform becomes a priority

In September 2022, the personal information of customers of one of Australia’s major telecommunications providers – such as their name, date of birth, emails, passport numbers, driver’s licenses, and Medicare card details – was exposed. As recently as October 2022, one of Australia’s largest medical insurers announced it had suffered a cyberattack – including the personal details of 9.7 million customers and sensitive information regarding medical procedures and diagnoses – where bad actors demanded AUD 15 million or these details would be released on the dark web.

In a sobering wake-up call, the Australian Government has allocated AUD 5.5 million for the Australian Information Commissioner to investigate these breaches, and has further pledged AUD 31.1 million to better secure government networks. The Government also commented that the current penalties were inadequate in “the light of community expectations,” prompting reforms to the Privacy Act 1988. While Attorney-General, Mark Dreyfus KC, was already committed to “sweeping reforms” of the Bill, several of these changes have now been fast-tracked for immediate inclusion.

The Bill significantly increases the maximum penalties applicable under the Privacy Act for serious or repeated breaches and affords the Australian Information Commissioner increased powers of enforcement. It further provides the Commission and the Australian Communications and Media Authority (ACMA) with greater information-sharing powers. The Bill also introduces other small procedural amendments to modernize and address any current Act limitations.

The most significant change will increase the maximum penalties that can be applied under the Privacy Act for “serious or repeated” privacy infringement. For non-corporate entities, the maximum penalty will be raised to AUD 2.5 million. For corporations, the penalty will be three times the value of any benefit obtained through the misuse of the information, 30% of a company’s adjusted turnover in the relevant period, or AUD 50 million – whichever is greater. This is a drastic increase of almost 7 times the existing fine, as the current maximum civil penalty for non-corporate entities stands at 2,000 penalty units (AUD 444,000), with corporate entities currently at 10,000 penalty units (AUD 2.22 million).

It should be noted that this will not apply to small businesses which have an annual turnover of AUD 3 million or less – though this is subject to some exceptions. These exceptions are expected to be removed, however, in future privacy reforms.

New powers for the Australian Information Commissioner

The new Bill will further afford the Australian Information Commissioner additional powers to address privacy breaches, by expanding the types of declarations that the Commissioner can make during the conclusion of any investigation. The Commissioner may, for example, now make the decision that a respondent to a complaint should prepare and publish a statement about the conduct of the subject of the privacy complaint. The statement may be required to be provided to the complainant or may be required to be formally published.

The changes will alter the extra-territorial jurisdiction of the Privacy Act to encompass foreign organizations that carry on business in Australia, demanding they comply with obligations under the Act, even if they do not collect or hold Australians’ information directly from sources in Australia. Currently, foreign organizations only need to comply with the obligations under the Privacy Act if they have an ‘Australian link.’ In today’s digital era, foreign organizations can employ collection technologies that do not collect or store information ‘directly from sources in Australia.’ This reform to the Privacy Act is presumably a repercussion of the Facebook Cambridge Analytica scandal, in which Meta Platforms, Inc. is currently arguing in Australian Court that the required ‘Australian link’ is absent.

The Commissioner will also receive new ‘information-gathering powers’ for the purposes of conducting assessments of actual (or suspected) breaches. They will, for example, be able to require a person or entity to produce documentation, provide information, or answer the Commissioner’s questions, and will be able to penalize individuals and organizations for failing to provide that information.

The Notifiable Data Breaches (NDB) scheme requires any organizations covered by the Privacy Act to notify any parties likely to be at risk of serious harm by any data breach, and the Commissioner will be further empowered to conduct assessments of an organization’s compliance with the NDB scheme – helping citizens and affected parties to take action in preventing any further breach to their privacy and inform them of the specific type of their data that has been breached – any information which directly identifies an individual, such as name, address, telephone number, email address, social security number, etc.

The Commissioner will further have the power to release any information acquired in the course of exercising their powers, to the public, if they feel it is in the public interest to do so. They will also be able to share information with other complaint bodies, enforcement organizations, and State, Territory, or foreign government authorities, in the process of exercising their powers or for the purpose of allowing other bodies to exercise their powers/functions. The Bill also expands the Australian Communications and Media Authority’s capacity to share information with any non-corporate Commonwealth entity where the information will help enforce Commonwealth law. 

The future is private

Organizations dealing with the data of Australian citizens must address all the best possible standards of data privacy to ensure compliance in the future.

In the months to come businesses of all sizes will be affected by the new legislation, and creating a robust data security posture now will be critical in maintaining the required standards of personal information protection. From Switzerland’s Federal Act on Data Protection (nFADP) to the German Telecommunications and Telemedia Data Protection Act (TTDSG), this is the future of digital data security, and protecting their citizens, and failure to comply is on every government’s agenda – each requiring compliance to its own nuanced variation of Europe’s General Data Protection Regulation (GDPR) or state legislation.

Building a plan to implement internal and external privacy policies and procedures around data governance and data privacy, in compliance with local laws, with be more important than ever for any businesses and individuals dealing digitally with the Australian continent and the island of Tasmania – and beyond, as more and more territories follow suit.

We’re here to help. If you want to learn more about our comprehensive, automated data security portfolio, or our data masking solutions, please contact us now via the chat box below.