AUSTRALIA: Likely increase in maximum penalties for privacy breaches

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million Australians being made available on the dark web. The news was swiftly followed by an announcement from Medibank, Australia’s largest private health insurer, of a breach affecting all of its 3.9 million customers.

As part of the Australian Government’s response to the public outcry generated by these breaches, a change to the Privacy Act 1988 (Cth) has been introduced into the Australian Parliament. If passed, this will increase the maximum civil penalties payable under the Act from the current AUD 2.22 million to the greater of:

  • AUD 50 million;
  • three times the value of the benefit resulting from the breach; or
  • 30% of the adjusted turnover of the entity in the 12 months prior to the breach.

The draft Bill (titled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022) also seeks to strengthen the Office of the Australian Information Commissioner’s powers to request information in order to assess actual or suspected data breaches and changes the extraterritorial reach of the Australian privacy regime. Organisations will no longer be required to collect or hold personal information within Australia in order for the Privacy Act 1988 (Cth) to apply. They must however still be carrying on a business in Australia.

The opposition has indicated its broad support for the measures, and it is expected that the Bill will pass without significant amendment.

The new Attorney-General, Mark Dreyfus, has also committed to introducing broader changes to the Privacy Act 1988 (Cth) sooner rather than later, with the Government’s review scheduled to be completed before the end of 2022. This comes after a broad review of the Australian privacy regime was commenced by the previous Federal Government in 2019 but never completed.