
Data Breaches To Become More Costly in Australia as OAIC Calls for Higher Penalties in Privacy Act Draft

It appears that Australia’s ongoing revamp of the Privacy Act 1988 will include stronger penalties for data breaches, according to new draft legislation released by the Office of the Australian Information Commissioner (OAIC).

The country’s privacy watchdog is proposing a maximum penalty of the greater of $50 million, three times the value of any benefit obtained through the misuse of information stolen in data breaches, or 30% of the company’s annual domestic turnover. Under the draft rules, organizations would also face tougher privacy requirements, particularly with regard to underage data subjects, and the range of business types subject to stronger data handling regulations would be expanded.

Privacy act consultation process moves forward with stronger regulations, penalties proposed

The draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2022 is the latest contribution to Australia’s ongoing effort to modernize the Privacy Act 1988, which currently governs most issues pertaining to data privacy. The proposed new measures remain in a review and consultation process, but demonstrate that Australian legislators are favorable to much tougher penalties for data breaches going forward.

The bill introduces several other elements in addition to the increased penalties. It proposes new information sharing powers, the development of an Online Privacy Code to be applied to large platforms and data brokers, and stronger privacy requirements for children. But the attention-grabbing headline item is the massive jump in maximum penalties for serious data breaches, shooting up to potentially over $50 million from the current cap of $2.1 million stipulated by the Privacy Act 1988.

The Privacy Act addition is also calling for greater powers for the Australian Information Commissioner to intervene in and resolve privacy breaches, as well as giving that entity and the Australian Communications and Media Authority increased ability to share information. The Notifiable Data Breaches scheme would also be given new tools for the Australian Information Commissioner to use in assessing the potential damage to individuals that data breaches could cause.

The OAIC provided some limited information on exactly how fines for data breaches would be determined under these new rules; some factors that will be considered include the number of individuals potentially impacted, the scope of the sensitive information that was leaked, and what additional consequences might impact data subjects as a result. The company’s conduct in handling the incident, along with its prior record on preventing and remediating data breaches and keeping personal information safe, will also be considered. The really big fines could be levied if a company’s conduct is considered “deliberate” or “reckless,” and loss of the most sensitive categories of data (such as health and finance) could also up the penalty amount. The present Healthcare Identifiers Act only allows for a maximum penalty of $660,000 in cases of “reckless” loss of health information, an amount that is likely to shoot through the roof should the revamped Privacy Act terms hold up.

String of data breaches prompts rapid legislative action

The review of the Privacy Act 1988 has been going on for well over a year, but the past few weeks have very quickly put data security back front and center in the national conversation. A series of data breaches at major companies has exposed a broad variety of personal information belonging to millions of the country’s citizens, ranging from telephone and medical records to online wine shopping histories. Legislators have promised quick action in response, including new requirements for banks to move swiftly to secure accounts when massive data breaches involving related personal information occur.

The Privacy Act review process included a 2020 public survey that demonstrated that Australia’s citizens and residents overwhelmingly wanted to see data privacy improvement via regulation even before this string of security failures; 87% said that they want more choice and control over how companies handle the personal data they are trusted with, and 70% said privacy was a top concern for them. And almost 60% reported having personal data misused in some way in the prior year, whether for unsolicited sales communications or in the wake of data breaches.

There is no formal scheduled end date for the Privacy Act review, but there are indications that it will wrap up in the next several months. Other terms that have been proposed at various points include a guaranteed right to erasure of personal data, a private right of action allowing data breaches that have been penalized by the government to be used as the basis of a civil suit, and the development of specific codes that address the unique conditions of different industries.


There is also the question of exactly who these new Privacy Act rules will apply to when they eventually come into force. All types of businesses may wish to prepare for this transition; the current Privacy Act terms exempt any with under $3 million in annual turnover, but the OAIC has recommended removing this exemption entirely and instead basing compliance obligations on individual risk (such as amount of consumer data records handled).