What do new data privacy laws mean for Australian businesses?

Egress | 10th Nov 2022

In the wake of recent data breaches, new privacy laws have been presented in the Australian parliament. The new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is set to have higher penalties than Europe's General Data Protection Regulation (GDPR).

There are four key objectives in the new bill:

  • To significantly increase penalties for serious or repeated privacy breaches.
  • To give the Office of the Australian Information Commissioner (OAIC) enhanced powers to request information and conduct compliance assessments of the notifiable data breach regime.
  • To give the OAIC new enforcement powers, allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals.
  • To introduce new information-sharing powers for the OAIC and the Australian Communications and Media Authority (ACMA).

How the Privacy Act is changing in Australia

Currently, the maximum penalty enforceable under the Privacy Act is $2.2 million AUD. In November 2021, however, the Online Privacy Draft Bill laid out plans for higher penalties for any breach that interfered with an individual's privacy. Under this draft legislation, the cost would increase to $10 million AUD plus three times the value of any benefit obtained from the contraventions – or 10% of the company's annual turnover if the benefit cannot be ascertained.

While the government didn't pursue this bill in its entirety, it chose to adopt select elements. Despite new infringement notice powers and changes to extraterritorial provisions, there's still the need for a broader update of the legislation.

With the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, the OAIC would gain more power, and penalties for breaches would rise too. For serious or repeated breaches, the maximum penalty would rise to the greater of:

  • $50 million AUD
  • If a court can determine the value of the benefit to the company of the breach, three times the value of that benefit
  • If the court cannot determine the benefit, 30% of the adjusted turnover of the business during the breach period (a minimum of 12 months)

New powers for the OAIC include:

  • Broader powers to request information about a data breach
  • The ability to conduct compliance assessments of the notifiable data breach scheme
  • Easier information sharing with other organizations
  • Serving infringement notices
  • Penalties for failure to supply information

What this means for Australian businesses

This news will encourage many businesses to look closely at their own cybersecurity practices and consider how at risk of a data breach they might be. To avoid these huge penalties, compliance should be front of mind for organizations of all sizes. While the biggest penalties apply to incorporated businesses, the penalties for individuals, sole traders, and partnerships will also increase from $440,000 to $2.5 million.

This means that even smaller businesses will need to look more closely at how they handle sensitive information and customer data. Looking at Europe's GDPR, we can get a sense of how this might change a company's approach to data protection – technology will likely play a large role in how Australian businesses achieve compliance.

How this compares to GDPR

The General Data Protection Regulation applies to all businesses that handle the personal data of anyone living in Europe – even if the business is based elsewhere. To get an idea of how this compares to Australia's new privacy act, we can look at the maximum fines.

Under the EU GDPR, there's a maximum fine of 20 million euros, which is around $31 million AUD at the time of writing, or 4% of annual global turnover – whichever is greater. This means the new Australian fixed maximum penalty will be around 61% higher than the one enforced in Europe.

One of the largest GDPR fines in 2022 went to Google Ireland, which received a huge 150 million euro ($233 million AUD) fine after the French data authority received complaints about the use of cookies on Google and YouTube.

With Australia's new act proposing 30% of turnover – compared to 4% under GDPR – these costs could skyrocket for businesses that fail to protect their data.

How businesses can protect themselves

It might seem like a long road ahead for Australian businesses looking to protect personal information and comply with these new regulations. Thankfully, there's technology to support businesses looking to make these changes and avoid hefty fines.

Take a look at our breach of confidentiality page for more information on how Egress' technology can greatly reduce the risk of an email data breach.