Companies which fail to take adequate care of customer data will face much higher penalties following today’s passage of the Albanese Government’s legislation to significantly increase penalties for repeated or serious privacy breaches.
This is the first step in cleaning up the former government’s mess. The former government started a Privacy Act Review in 2020, and never finished it. It pledged to legislate tougher penalties, and never did it.
The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced and delivered legislation in just over a month. These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.
The Bill also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers.
Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.
The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws. Companies must do better to prevent breaches from happening.
The higher penalties and new powers will come into effect the day after the Bill receives Royal Assent, ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department, which is now being finalised.