Australia to tighten privacy laws, increase fines after series of data breaches
Australia plans to strengthen its online privacy laws following several major data breaches, attorney-general Mark Dreyfus said in a statement on Saturday.
An amendment to the country’s privacy law, which will be tabled in the Australian parliament this week, will increase fines for repeated or serious privacy breaches from the current AUD$2.2 million (about $1.4 million) to up to AUD$50 million (about $32 million).
The penalty can also amount to 30% of the company’s revenue for the relevant period if that amount exceeded $32 million.
The announcement comes after several major Australian companies reported data breaches. Earlier this month, the Australian health insurer Medibank was hit by a cyberattack. Hackers compromised the credentials of a Medibank employee, gaining access to at least 1,000 policy records containing patients’ personal and health claims data.
In September, a cyberattack on the country’s second-largest telecommunications company, Optus, compromised the personal information of almost 10 million Australians, or about 40% of the population.
After the Optus hack, Australia’s Cyber Security Minister Clare O’Neil said that Australia is “probably a decade behind” in privacy protections, and the government “has to be involved when the stakes are this high.”
New data privacy law
New Australian online privacy legislation gives the country’s data regulator more power to step in when critical services, such as banking or health care providers, suffer cyberattacks. The bill also requires companies to notify banks of customers who were potentially affected by a data breach to minimize fraud.
Australia’s proposed fines are higher than Europe’s penalty of €20 million (about $20 million) or 4% of annual global turnover under the General Data Protection Regulation (GDPR).
Previous Australian online privacy legislation was more forgiving. In addition to lower fines, it allowed companies to voluntarily remedy the damages caused by a data breach — by apologizing or making payments to those affected by the cyberattack.
The stricter rules, according to Dreyfus, will “incentivize better behavior.”
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” he said.
According to Dreyfus, the penalty should be three times the value of any benefit obtained through the misuse of information. In practice, however, it may be difficult to prove a direct causal link between data misuse and a company’s profits, said Dr. Lukasz Olejnik, an independent privacy researcher and consultant.
The strict rules can prevent companies from building their business on the massive abuse and misuse of users’ data, according to Olejnik.
But without clear guidance on how the Australian government plans to enforce the new rules and apply the penalties, it’s hard to say what effect the new privacy law will have, he told The Record.
This is not the first time Australia has tried to change its privacy laws and strengthen its cybersecurity defenses. In 2020, the Australian government pledged to spend AUD$1.66 billion (about $1.06 billion) over the next 10 years on cybersecurity for the private sector.
At that time, Australia’s former Prime Minister Scott Morrison said that cyberattacks on local businesses and households cost about AUD$29 billion (approximately $18.57 billion), or 1.5% of Australia’s gross domestic product (GDP).
Last year, Australia drafted an amendment to its privacy legislation with a fine of AUD$10 million (about $6.4 million) or 10% of the company’s turnover.
It seems that these efforts were not enough. From July to December 2021, the Australian data privacy regulator received 464 data breach notifications. Among the most targeted industries were health care, finance, and legal services.
But a handful of recent headline-grabbing attacks have perhaps had the most impact. The Australian government was outraged by the Optus hack and O’Neil said that the country “should not have a telecommunications provider which has effectively left the window open for data of this nature to be stolen.”
On Tuesday, Optus published a statement defending its handling of the data breach. “We are committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience,” the company said.