The Albanese government passed the Privacy Penalty bill, dramatically hiking the penalties for serious and repeated privacy breaches by companies. The Privacy Legislation Amendment Bill 2022 raised the maximum penalty from the previous $2.22 million to the greatest of the following three amounts:
- $50 million
- Three times the value of the benefit gained from exposing the data
- 30% of the company’s turnover in the relevant period
Despite the Australian Information Industry Association (AIIA) urging the Albanese government to reconsider the proposed privacy penalty bill, the House passed the bill the next day. The move comes amid a notable increase in the number of data breaches and cyberattacks on Australian businesses this year.
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, passed by the House this week, the greatest of the three criteria above applies. Moreover, the Australian Information Commissioner will have greater powers to handle data breach incidents and to alert affected customers in order to prevent further damage.
The revised penalty is intended to address the increased number of data breaches the country has faced in the recent past. With this privacy penalty bill, the House is asking companies to update security measures that may be outdated and are leading to successful cyberattacks. The bill awaits a comprehensive review by the Attorney-General’s Department this year, which will be followed by a complete re-evaluation of the Privacy Act next year.
How did companies react to this bill?
As soon as the bill was approved by the House, companies started voicing their opinions about the high fines they may have to pay. The Australian Information Industry Association raised some concerns in a letter to the secretary of the Australian Parliament House dated November 7. The Australian innovation and technology body, which represents the information and communications industry in Australia, wrote, “The AIIA has concerns about the quantum of the proposed increases in penalties and the disincentives to good corporate behaviour and transparency around data breaches that this may lead to, including cooperation with governments.”
The letter expressed concern that the increased fines may deter companies from addressing similar cyberattacks for fear of penalty. It concluded with a request, echoed by other associations, that a better mechanism be incorporated into the legislation.
The news publication of the Australian Computer Society (ACS) also put forward the concerns of businesses about the size of the fines. Anna Johnston, founder of the consultancy Salinger Privacy, said that altering penalties may not bring about a change in the level of protection. The same report notes that local technology companies are asking for recognition that some cyberattacks impact companies even when they maintain good cyber hygiene.
AIIA CEO Simon Bush said that such punitive actions should not deter businesses working in good faith, but should ensure that the government works with industry to maintain best data security practices.
Cybercrimes such as the Optus data breach, which exposed the data of over 9 million users; the Medibank incident, which impacted 9.7 million users; the PNORS cyberattack, which impacted school students’ data; and the data breach in the systems of the real estate company Harcourt, among others, led government bodies to take stringent action.