Australia plans to strengthen its online privacy laws after several serious data breaches, Attorney General Mark Dreyfus said in a statement on Saturday.
An amendment to the country’s privacy law, which will be tabled in Australia’s parliament this week, will increase fines for repeated or serious privacy breaches from the current A$2.2 million (about $1.4 million) to A$50 million (about $32 million).
The fine can also amount to 30% of the company’s revenue for the relevant period if this amount exceeds $32 million.
The announcement comes after several major Australian companies reported data breaches. Earlier this month, Australian health insurer Medibank suffered a cyber attack. Hackers compromised Medibank employee credentials, gaining access to at least 1,000 policy records containing personal patient data and health information.
In September, a cyber attack on the country’s second largest telecommunications company, Optus, compromised the personal information of almost 10 million Australians, or about 40% of the population.
After the Optus hack, Australian Cyber Security Minister Clare O’Neil said that Australia is “probably decades behind” on privacy protections and the government “must be involved when the stakes are so high”.
The new data privacy law
Australia’s new online privacy law gives the country’s data regulator more powers to intervene when critical services, such as banking or health services, come under cyber attack. The bill also requires companies to notify banks of customers potentially affected by a data breach to minimize fraud.
Australia’s proposed fines exceed the European General Data Protection Regulation (GDPR) maximum fine of €20 million (about $20 million), or 4% of annual global turnover.
Previous Australian online privacy legislation was more lenient. In addition to lower fines, it has allowed companies to voluntarily make restitution for the damages caused by the data breach — by apologizing or making payments to those affected by the cyber attack.
Stricter rules, Dreyfus said, “will encourage better behavior.”
“When Australians are asked to provide their personal data, they have a right to expect that it will be protected,” he said.
According to Dreyfus, the fine should be three times the value of any benefit obtained through the improper use of the information. In practice, however, it can be difficult to prove a direct causal link between data abuse and a company’s profits, said Dr. Lukasz Olejnik, an independent researcher and privacy consultant.
Strict rules can prevent companies from building their business on mass abuse and misuse of user data, Olejnik believes.
But without clear guidance on how the Australian government plans to enforce the new rules and apply penalties, it’s hard to say what effect the new privacy law will have, he told The Record.
This is not the first time Australia has tried to change its privacy laws and strengthen its cyber security protections. In 2020, the Australian government pledged to spend A$1.66 billion (about $1.06 billion) over the next 10 years on cyber security for the private sector.
At the time, former Australian Prime Minister Scott Morrison said cyber attacks on local businesses and households cost about A$29 billion (about $18.57 billion), or 1.5% of Australia’s gross domestic product (GDP).
Last year, Australia amended its privacy laws with a fine of A$10 million (about $6.4 million) or 10% of a company’s turnover.
It seems that these efforts were not enough. From July to December 2021, the Australian data privacy regulator received 464 reports of data breaches. Healthcare, finance and legal services were among the most targeted industries.
But a few recent headline-grabbing attacks have had perhaps the most impact. The Australian government was outraged by the Optus hack, and O’Neil said the country “should not have a telecommunications provider that has effectively left a window open for data theft of this nature”.
On Tuesday, Optus issued a statement defending its handling of the data breach. “We are committed to learning, doing better in the future and sharing lessons so that all companies and all Australians can benefit from our terrible experience,” the company said.