Dec 9 – In Australia, a new bill designed to amend the country’s privacy legislation has been approved by parliament. The legislation significantly increases the maximum penalties that can be given to EU firms on account of large-scale, high-impact cyber security breaches.
The new bill arrives after a spate of recent cyber attacks that targeted Australian companies, including Optus and Medibank, whose breaches collectively exposed the data of more than 20 million people. The attacks not only took a toll on businesses; they also disrupted consumers’ personal lives.
“The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month,” states the corresponding media announcement.
“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”
The financial penalties introduced by the bill are set to whichever of the following is greatest:
- AU $50 million
- Three times the value of any benefit retrieved through the nefarious use of information
- 30% of an organization’s adjusted turnover within the relevant window of time
The previous penalty, set at $2.2 million, is considered inadequate in incentivizing companies to change their privacy and data security practices, and to get them to focus on a customer-centric data management model.
By way of comparison, Europe’s GDPR sets fines of up to 10 million Euros for a breach event, or up to 2% of the given organization’s global turnover, as calculated based on the preceding fiscal year.
In addition to setting higher monetary fines, the new bill provides the Office of the Australian Information Commissioner (OAIC) with increased powers, giving it the ability to become actively involved in breach resolutions and the scope determination process.
The OAIC eagerly greeted the passing of the amendment, promising Australians that it would use its expanded role to better protect the country’s economy and its citizens.