Maximum penalty of $50 million under Australia’s new privacy regulation

In Q3 of 2022, data breaches have risen by 70% compared to the previous quarter, according to Info Security. There seem to be frequent news articles about data breaches across the globe at major organisations and hackers taking advantage of the increase in the usage of digital services.

As more and more products and services move online, consumer data is stored online too – vulnerable private customer information is out there waiting to be stolen if not properly protected. It’s now more important than ever to invest in robust security systems and to ensure firms are meeting data privacy guidelines and regulations.

Australia experiences its largest data breach

Down under in Australia, the telecom provider Optus suffered a data breach that affected 2.1 million of its customers. According to the Australian Information Commissioner (AIC), the Optus incident was the “largest data breach in Australia’s history due to the sheer number of affected Australians and the extensive kinds of personal information involved.”

As a result of this breach, the AIC began the process of amending and improving the current Privacy Legislation Bill.

From September to October 2022, Australia experienced a string of data breaches involving Optus, Medibank Private and MyDeal. The personal information of millions of Australians was compromised. This included names, dates of birth, phone numbers, email addresses, addresses, driver’s licenses, and passport numbers.

“These data breaches may have direct and long-lasting impacts on affected Australians, including financial harm through identity theft or fraud, psychological harm and reputational harm.” – Australian Information Commissioner

What is the Privacy Legislation Amendment Bill 2022

The large-scale breaches triggered the Australian Government to make changes to the current data and privacy laws in a bid to prevent future breaches. These were the immediate actions of the Government:

• Investigations into issues arising from the data breach by the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA).  

• Intelligence and law enforcement agencies across the Australian Government worked profusely to respond to the breach.

• There were amendments to the Telecommunications Regulations 2021 to allow telecommunication companies, including Optus, to share approved government identifier data such as passport numbers and driver’s licence details with regulated financial services firms, in order to implement monitoring and safeguards for consumers affected by the breach.

Key takeaways of the Privacy Legislation Amendment

The purpose of the Privacy Legislation Amendment was to:

• Increase penalties for serious or repeated interferences with privacy under the Privacy Act 1988.

• Provide the Australian Information Commissioner with greater enforcement and information-sharing powers under the Privacy Act and the Australian Information Commissioner Act 2010 (AIC Act).

• Provide the Australian Communications and Media Authority (ACMA) with greater information-sharing powers under the Australian Communications and Media Authority Act 2005 (ACMA Act).

Increased penalties for data breaches

• The maximum civil penalty for serious or repeated offences to do with privacy has increased from a cap of AUD$2.22 million to a whopping AUD$50 million – the highest data breach penalty in the world, three times the benefit attained by a firm and if unable to determine the benefit, 30 percent of a firm’s domestic turnover.

• If a data breach is going to cause serious harm to others, firms must notify the commissioner and the individuals that will be affected.

• If a breach occurs, companies need to reveal what types of personal data were leaked. The bill requires “particular” kinds of information that was compromised during the breach.

• The OAIC can request information, and documents or ask individuals to answer questions. Firms that don’t comply with requests could face criminal penalties.

“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals and take actions, such as issuing a direction for the entity to notify individuals who have been affected by a data breach.” – Mark Dreyfus, Attorney General and Cabinet Secretary.

New information-sharing authority

Further amendments to the Privacy act include:

• The OAIC is expected to share information gathered with other enforcement and regulatory bodies, including in other states or territories, to “drive better cooperation between regulators” and “deliver better outcomes for Australians.”

• The Act can be “enforced against global technology companies who may possess Australians’ information on servers offshore.”

Attorney-General, Mark Dreyfus has criticised the “very outdated” Privacy Act and has taken steps to finalise it by the end of 2022. He also confirmed that there will be further reforms.

The State Standing Committee on Legal and Constitutional Affairs will be reporting the review of the bill in November 2022.

What will the review cover?

• The details of the Privacy Act amendments.

• The effectiveness of the Act in protecting consumer data and whether it provides a practical and proportionate framework for promoting good privacy practices.

• Whether individuals should have the authority to enforce privacy obligations under the Privacy Act.

• Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.

• Assessing the impact of the Notifiable Data Breaches (NDB) scheme and its effectiveness.

• The effectiveness of enforcement powers under the Privacy Act and how they interact with other Commonwealth regulatory frameworks.

• The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

CUBE comment

Consumer data is at risk of being breached no matter which industry you are in. Across the board, there have been several data breaches throughout 2022 involving both large-scale and smaller companies.

In October 2022, the Information Commissioner’s Office (ICO) fined a construction company £4.4 million for a data breach, affecting 113,000 employees. John Edwards, the UK Information Commissioner, comments:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office…Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud. Cyber-attacks are a global concern, and businesses around the world need to take steps to guard against complacency.”

Firms from all industries should identify gaps in their data privacy regulations and guidelines to ensure that it is operating to the highest possible standards and is well protected against a breach.

When new data privacy laws are published, such as in Australia, firms are expected to review the new data policies, once approved, to ensure data policies reflect new privacy regulations.

Regulatory technology isn’t just for the financial industry, it can be used for regulatory compliance across a variety of industries and types of regulations – such as data privacy.

RegTech can identify gaps in privacy regulations in policies and alert firms to relevant laws so that compliance teams can implement changes swiftly and lessen the risk of getting hit with such a huge penalty, let alone the reputational damage.

Data breaches have a direct financial impact, invest in RegTech to close data privacy regulation gaps.