Data Protection - Tougher Penalties for Serious Data Breaches

Written By

james hoy Module
James Hoy

Special Counsel
Australia

I am a Special Counsel in our Sydney office and I specialise in media and technology disputes and advice with a particular focus on privacy and data protection matters.

emma croft Module
Emma Croft

Senior Associate
Australia

I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.

On 22 October 2022, the Australian Government announced that it will introduce legislation next week to significantly increase penalties for repeated or serious privacy breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) will increase maximum penalties for serious or repeated privacy breaches under the Privacy Act 1988 (Cth) (Act) from the current $2.22 million penalty to whichever is the greater of:

  1. $50 million;
  2. three times the value of any benefit obtained through the misuse of information; or
  3. 30% of a company’s adjusted turnover, during the breach turnover period if the court cannot determine the value of the benefit under (b).

The “breach turnover period” will be the longer of either:

  1. the period of contravention; or
  2. the 12 month period at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).

This marks not only a significant increase to the current penalties, it is also a significant increase on earlier draft reforms to the current penalties, proposed last year.

Additionally, the Bill will:

  • grant the Australian Information Commissioner (AIC) additional powers to resolve privacy breaches;
  • amend the Notifiable Data Breaches scheme to provide the AIC with additional information regarding data compromised in a breach to better assess the risk of harm to individuals; and
  • provide the AIC and Australian Communications and Media Authority with greater information sharing powers.

The timeliness at which the legislation has been introduced has come largely as a response to the recent cyber breaches which have occurred in Australia.

Last week, Prime Minister Anthony Albanese formally added cybercrime to the Attorney General’s (the Hon Mark Dreyfus KC) responsibilities, highlighting the importance of cyber security in the current environment. “When Australians are asked to hand over their personal data, they have a right to expect it will be protected,” said Dreyfus. “I look forward to support from across the Parliament for this Bill.”

The Bill is being introduced amidst a more comprehensive review of the Act that is due to be completed by the end of 2022.

It seems at least possible that the pace of those other reforms and indeed the scope of them will also be accelerated.

For more information, please contact Hamish Fraser, Belyndy Rowe, James Hoy, Emma Croft and Lukas Mitterlechner.