The Australian government announced on Monday that Parliament approved the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
Commonly known as the Privacy Penalty Bill, the new legislation substantially increases penalties for repeated or severe privacy breaches by companies failing to take care of customer data adequately.
In particular, the new legislation increases the maximum penalties for serious or repeated privacy breaches from the current $2.22m fine to whichever is greater of $50m, three times the value of benefits obtained through the misuse of information, or 30% of a firm’s adjusted turnover in the relevant period.
“The penalties associated with this could prove to be a significant part of their privacy system,” Andrew Barratt, vice president at Coalfire, told Infosecurity.
“One of the interesting points, though, was in relation to how the data is used to make money. This could turn out to be quite nebulous.”
More specifically, Barratt said it would be interesting to see how “benefit” is fully defined and tested in court.
“Hopefully organizations with well-designed privacy management systems will be given some leniency, but it really does show the need for security by design but with a focus on loss of privacy.”
The Coalfire executive added that while he hopes the new legislation will lead to meaningful action taken by businesses operating in the region, it will likely be impactful to global organizations who are now navigating a global soup of subjective privacy laws with varying penalties to manage.
“None of [them] have clearly defined co-trip frameworks that the cyber community has come to expect from its security regulators,” Barratt concluded.
The new bill also grants the Office of the Australian Information Commissioner (OAIC) greater powers to resolve privacy breaches and increases its capacity to rapidly share information about data breaches to help protect impacted customers.
The higher penalties and extended powers will become effective the day after the bill receives royal assent ahead of an overhaul of the Privacy Act 1988. This will happen following a comprehensive review by the Attorney General’s Department, which is currently in its final phase.
The bill comes weeks after the Australian government revealed its intentions to ban ransomware payments.