Following the Optus breach, both the government and digital rights advocates pointed to the inadequacy of current penalties in Australia for privacy breaches.
The maximum fine for serious or repeated breaches of privacy is just $2.2 million.
Under the proposed bill, penalties would skyrocket to:
- $50 million, or;
- Three times the value of any benefit obtained through the misuse of the information, or;
- 30 per cent of a company's domestic turnover in the relevant period if the court can't quantify that value
The bill would also extend the reach of Australian privacy law so that it better covers overseas businesses that may interact with local data.
It proposes that a company that “carries on a business” in Australia, but doesn't collect or hold Australians’ information from a direct source in the country, must still comply with local rules.
Privacy critics are encouraged by the proposed changes, but say privacy reform must go much further to protect Australians and change corporate attitudes about data collection and management.
The increased penalties are likely to have some deterrent effect, according to Katharine Kemp, a data privacy expert at UNSW's Faculty of Law & Justice, but she says the Privacy Act must also be amended to make it clearer when companies must dispose of customer data, among other changes.
She also questioned the Office of the Australian Information Commissioner's (OAIC) ability to fully apply the harsher penalties or its new investigative powers at its current level of funding and staffing.
"In the absence of changes to the privacy principles themselves, and a properly resourced privacy regulator, you may be getting a bigger stick with no-one to swing it and not a great deal to swing it at," Dr Kemp said, referring to the 13 standards that govern the treatment of personal information under the Privacy Act.
"Things may be waiting in a queue for a long time until that power is used."
A highly anticipated review of Australian privacy law by the attorney-general is in its final stages, ahead of reforms flagged for 2023.
Privacy advocates hope the upcoming reforms will do more to address the sheer amount of data companies are able to ask for and store about Australians — and in some cases, the laws that require them to do so.
For example, Medibank has confirmed its data breach affected past and present customers and claimed that it was required by state health record laws to keep information for seven years.
"This can't be the finish line, but should be just the beginning of better privacy protections for Australians," Chandni Gupta, digital policy director at the Consumer Policy Research Center, said of the new bill.
