Australia to increase maximum data breach penalty to $50 million

Mark Dreyfus speaking in the Australian Parliament in 2019
(Image credit: Getty Images)

The Australian government is set to introduce new legislation this week to increase penalties for repeated or serious privacy breaches in the wake of a series of high-profile cyber attacks targeting the region.

The attorney general revealed that the new maximum penalties will be introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 which will amend the existing statutes under the Privacy Act 1988.

This will introduce a rise from a maximum of $2.22 million (£1.2 million) to a new maximum which will be whichever is greater out of three possible figures: $50 million (£27 million), three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.

Significant privacy breaches in recent weeks have shown that the current safeguards are inadequate, said attorney general Mark Dreyfus on 22 October. He added that it’s not enough for a penalty for a major data breach to be seen as the cost of doing business.

Dreyfus underlined the need for better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.


Customer 360 for data leaders

Create your ideal 360° customer view solution


“I look forward to support from across the Parliament for this Bill, which is an essential part of the government's agenda to ensure Australia's privacy framework is able to respond to new challenges in the digital era,” said Dreyfus.

The Bill will also look to provide the Australian information commissioner with greater powers to resolve privacy breaches. It will also seek to strengthen the Notifiable Data Breaches scheme to ensure the commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals.

Additionally, it will aim to equip the commissioner and Australian Communications and Media Authority with greater information-sharing powers.

Australia has been rocked by a number of cyber attacks in the last couple of months, exposing the details of millions of Australian citizens. Optus and Telstra, the nation's two largest telcos, suffered data breaches in September and October. The Optus breach affected around two million customers, while the Telstra incident affected 30,000 people.

This was followed by online retail marketplace mydeal, a Woolworths subsidiary, which revealed in October its CRM system had been compromised, affecting around 2.2 million customers.

Most recently Medibank was also affected by an unknown ransomware group in October, with the company revealing that the hacker had entered negotiations with the firm over the release of client data.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.