In the wake of the Optus and Medibank data breaches, the Australian Government acted swiftly to significantly increase the maximum penalties under the Australian Privacy Act 1988 (Privacy Act).
On 28 November 2022 the Federal Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Enforcement Act) to increase the maximum penalty for serious or repeated interferences with privacy. This includes a data breach but will also apply to other serious or repeated breaches of the Australian Privacy Principles.
For individuals bound by the Privacy Act, the maximum penalty is now $2.5 million, increased from $444,000. For organisations, the maximum penalty has increased from $2.2 million to the greater of:
- $50 million; or
- three times the value the benefit the organisation gained from the misuse of personal information (if quantifiable); or
- 30% of the organisation’s “adjusted turnover” during the relevant period (this will depend on the duration of the data breach).
The Enforcement Act also broadens the application of the Privacy Act to those organisations outside Australia but with an “Australian link”. Previously, an “Australian link” required the foreign organisation to carry on business in Australia and collect or hold personal information in Australia.
Now, all foreign organisations who carry on business in Australia (including online businesses) will need to comply with the Privacy Act, even if they don’t collect or hold personal information in Australia.
How to protect your business?
Businesses operating in Australia and bound by the Privacy Act need to be prepared for both cyber-attacks and human error data breaches. A failure to do so could expose your business to the increased penalties under the Privacy Act, as well as loss of customers and damage to reputation.
Undertaking regular privacy and cyber security “health checks” is a key step to reducing the risk of your business being impacted by a data breach and being able to recover when it happens. For more information or if you would like to book a free privacy consult, please contact, Shauna Mounsey on 0439 389 745 or email firstname.lastname@example.org.