Data Protection - Tougher Penalties for Serious Data Breaches

On 22 October 2022, the Australian Government announced that it will introduce legislation next week to significantly increase penalties for repeated or serious privacy breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) will increase maximum penalties for serious or repeated privacy breaches under the Privacy Act 1988 (Cth) (Act) from the current $2.22 million penalty to whichever is the greater of:

  1. $50 million;
  2. three times the value of any benefit obtained through the misuse of information; or
  3. 30% of a company’s adjusted turnover during the breach turnover period, if the court cannot determine the value of the benefit under item 2.

The “breach turnover period” will be the longer of either:

  1. the period of contravention; or
  2. the 12-month period at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).

This is not only a significant increase on the current penalties, but also a significant increase on the earlier draft reforms to those penalties proposed last year.

Additionally, the Bill will:

  • grant the Australian Information Commissioner (AIC) additional powers to resolve privacy breaches;
  • amend the Notifiable Data Breaches scheme to provide the AIC with additional information regarding data compromised in a breach to better assess the risk of harm to individuals; and
  • provide the AIC and Australian Communications and Media Authority with greater information sharing powers.

The speed with which the legislation has been introduced is largely a response to the recent cyber breaches that have occurred in Australia.

Last week, Prime Minister Anthony Albanese formally added cybercrime to the Attorney General’s (the Hon Mark Dreyfus KC) responsibilities, highlighting the importance of cyber security in the current environment. “When Australians are asked to hand over their personal data, they have a right to expect it will be protected,” said Dreyfus. “I look forward to support from across the Parliament for this Bill.”

The Bill is being introduced amidst a more comprehensive review of the Act that is due to be completed by the end of 2022.

It seems at least possible that the pace, and indeed the scope, of those other reforms will also be accelerated.

For more information, please contact Hamish Fraser, Belyndy Rowe, James Hoy, Emma Croft and Lukas Mitterlechner.