The government has passed a bill increasing the penalty for businesses that suffer repeated or major data breaches.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum civil penalty from $2.2 million to whichever is the greatest of:
- $50 million;
- 30 per cent of adjusted turnover for the period;
- three times the financial gain from the misuse of data, in the case of particularly egregious breaches.
“The government has wasted no time in responding to recent major data breaches,” said Attorney-General Mark Dreyfus.
“We have announced, introduced and delivered legislation in just over a month.
“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”
Passing through the Senate and then the lower house on Monday, the bill was slightly reworded to target organisations that experience “serious” or “repeated” privacy breaches.
Concerns have been raised over the lack of a definition of “serious” and “repeated”, as well as over the term “benefit”, which opponents of the bill say assumes that a data breach always benefits a business.
Company stakeholders have also expressed concerns at the bill, suggesting that a tier system be introduced so that small or medium businesses do not get hit by the same penalties as large organisations.
The government has rejected these suggestions but has said that it will consider the issues as part of the Attorney-General’s review of the Privacy Act, which is due to finish before the year ends.
“Reforms to clarify key definitions in the Privacy Act, develop a tiered penalty regime, provide greater clarity on the application of penalties and enhance security guidelines are being considered through the Privacy Act review,” said Labor Senator and Agriculture Minister Murray Watt.
“It’s appropriate that these reforms be considered holistically in these processes given the range of complex and interconnected issues and other work across government.”
Greens Senator David Shoebridge supports the bill with reservations, but believes that the lack of clear definitions and the concept of a benefit influencing the penalty are issues that need to be addressed.
“In the privacy space, the benefit that corporations may obtain from privacy breaches is in fact far more ambiguous than for many entities, and we’re seeing this play out at the moment with Medibank and Optus and others.”
He has expressed concern that in the case of an accidental breach where the benefit to an organisation is uncertain and could indeed be an overall loss, businesses will still be treated as if they gained from the incident.
“Those difficulties arise from taking provisions that are designed for one part of the law, in this case competition law, and unthinkingly cutting and pasting them and whacking them into privacy law,” he said.
“So, there is a very real need for the government to closely consider these drafting issues and do it as a matter of urgency.”
Responding to this, Senator Watt has said that “The bill is an essential first step of the government’s agenda to ensure Australia’s privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the AGD’s review of the Privacy Act.”