Australia Passes Bill to Fine Companies up to $50 Million for Data Breaches

The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches.

To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity’s adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information, whichever is greater.

The turnover period is the time duration from when the contravention occurred to the end of the month when the incident is officially addressed.

“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate,” Attorney-General Mark Dreyfus said in a statement. “These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.”

The legislation, called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, also bestows more powers to the Australian Information Commissioner to address security breaches.

The “new information sharing powers will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

The bill, which has been tabled as part of wider reforms to the Privacy Act 1988, now awaits Royal Assent to be formally signed into law.

The development comes in the wake of recent major breaches at Optus and Medibank that have resulted in the leak of personal information associated with 2.1 million and 9.7 million customers, respectively.
