It’s not enough for a penalty for a major data breach to be seen as the cost of doing business, the statement noted.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

• $50 million;
• Three times the value of any benefit obtained through the misuse of information; or
• 30 per cent of a company’s adjusted turnover in the relevant period.

• Provide the Australian Information Commissioner with greater powers to resolve privacy breaches;
• Strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals; and
• Equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information-sharing powers.

“It might be hoped that the proposed increases will focus the governing minds of organisations who collect and hold significant personal information … on alternative ways of being able to confirm the identity of their clients without retaining large holdings of personal information,” said Ian Temby, public sector partner, and Kirsten Webb, partner in competition at Clayton Utz. 

“Courts have applied the three-limb threshold to impose increasingly higher penalties to ensure that they ‘permeate [the organisation’s] operations so far as they are connected to the breaches”, they noted. 

“Higher headline maximum penalties are more likely to encourage investment in compliance by organisations, and signal the consequences that breach of the law can have for companies and consumers alike,” Mr Temby and Ms Webb explained. 

VIEW ALL

“I agree that increasing the penalties and adequately resourcing the regulator to enforce the penalties is likely to significantly enhance data security standards, at least across significant entities in the private sector,” noted Steven Klimt, partner in banking and financial services at Clayton Utz. 

He evidenced his prediction: “When ASIC successfully took proceedings against RI Finance on the basis that inadequate data security standards also represented breaches of the general obligations that apply to financial services licensees, this led the whole financial services industry to review data security standards.”

Valeska Bloch, head of cyber at Allens, highlighted the potential unintended consequences that may result from the new penalties. 

For these newly imposed penalties, the risk of unintended consequences is high, argued Ms Bloch. 

“Raising penalties in isolation could have a chilling effect on the notification of data breaches without more practical guidance about when notification is required and/or a reduction in the potential penalties that could be imposed if organisations do notify,” she commented.

“Assessing whether a data breach meets the threshold for mandatory notification is hard, and organisations have, to date, been given very little practical guidance to help them make these assessments,” she explained.

“Organisations often feel as though they are making a line-ball call on whether or not to notify. Until now, many have taken a conservative approach and [have] notified anyway.

“If the notification position is grey and the potential consequence of notification is a $50 million penalty, that will likely play into any decision as to whether to bring it to the attention of the regulator.”