It feels like barely a week goes by without a significant data breach being front and centre of the Australian news cycle. In September, Optus announced a breach of 10 million customer records. In October, Woolworths announced that its subsidiary MyDeal had 2 million customer records compromised, and Medibank declared a leak affecting 10 million individuals. In November, hackers acquired details of 5 million customers and employees from AirAsia. These are only the largest incidents; many smaller-scale breaches also occur each week.
Surely it is reasonable for us to expect that organisations treat our data responsibly and respectfully. Unfortunately, many companies, large and small, fail in their duties and betray our trust. It feels like a matter of when, not if, a data breach occurs. More robust security measures are no longer a nice-to-have but a necessity for organisations looking to maintain customer trust.
Until this week, the Privacy Act 1988 capped the maximum civil penalty for ‘serious or repeated’ interferences with privacy at $2.22 million (AUD). Such a penalty is trivial compared to the size of the businesses involved. For instance, Optus’ revenue was $8 billion and its EBITDA $2 billion in the year ending 2022, Woolworths’ revenue was $61 billion, and Medibank’s revenue was $7 billion. On top of this, the Office of the Australian Information Commissioner (OAIC) has rarely pursued penalties at all.
However, this may all be about to change, as businesses will be exposed to a far greater risk of financial penalty. On Monday, 28 November, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed both houses of parliament with bipartisan support. A core aspect of the legislation is an increase in the maximum penalty to the greater of:
- $50 million;
- Three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period.
The Australian bill goes further than many may have anticipated in financially penalising companies that fall foul of their obligations. The limits are even more punitive than those defined in Europe under the General Data Protection Regulation (GDPR), which came into effect in May 2018. The EU penalties are capped at the greater of €20 million ($31 million) or 4% of worldwide turnover for the preceding financial year.
In addition to harsher penalties, the bill also expands the Australian Information Commissioner’s powers to investigate and resolve breaches. Its stated aims are:
- To provide the Australian Information Commissioner with greater powers to resolve privacy breaches;
- To strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals; and
- To equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information-sharing powers.
According to the Attorney-General, Mark Dreyfus, these changes ‘send a clear message to large companies that they must do better’ and mean that ‘the penalty for a major data breach can no longer be regarded as the cost of doing business.’
Some industry lobby groups, AWS, and both the Opposition and the Greens in parliament expressed concerns about certain aspects of the bill. These focused on the lack of tiered penalties for organisations of different sizes and for charities; the lack of a clear definition of ‘serious’ or ‘repeated’ interference with privacy; and the inclusion of terms like ‘benefit’ in the penalty regime, which assumes that companies always benefit from an interference with privacy.
Despite the above-mentioned concerns, we should welcome these measures: they represent needed progress and show a willingness to hold companies to account. However, there are three reasons why these measures alone, which focus largely on increased penalties, will fail to truly change the game and protect consumers’ interests.
Firstly, history provides little evidence of the government’s willingness or ability to enforce penalties under the Privacy Act. Unless we see a radical departure from this conservative position, with the OAIC taking a proactive approach to exercising its new powers, it is unlikely that we will see a fundamental shift towards successfully deterring poor practices.
Secondly, customers are often the actual victims of a data breach, yet they are not the recipient of the penalties. At best, a breach may be limited to an individual’s name and email, but at worst, it can be far more severe: one family is reported to have lost $40,000 due to identity theft following the Optus breach, while hundreds of victims have had information about addictions, mental health issues, and abortions posted online from Medibank records. Even hefty fines cannot minimise their pain once their personal information has been permanently exposed.
Thirdly, and most crucially, the legislation does not get to the heart of the issue. Many organisations struggle to keep pace with a rapidly changing threat landscape and lack the capability to build the stronger controls needed to prevent data breaches. Even government entities struggle to fully protect themselves against cyber attacks. The carrot is often more effective than the stick; the government should therefore do more to support businesses and encourage good behaviour rather than relying on punishment alone as a deterrent.
The Privacy Act is subject to further review throughout 2023. We hope that some of these issues will be addressed, but we strongly believe that organisations need more support to deliver strong privacy and data protection measures in the near term.
If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.