Australia to Fine Companies up to AU$50 Million for Data Breaches

Colin Thierry

The Australian parliament has approved a bill amending the country’s privacy legislation to raise the maximum penalty to AU$50 million for companies and data controllers that suffer large-scale data breaches.

The financial penalty introduced by the new bill is set at the greatest of three amounts: AU$50 million; three times the value of any benefit obtained through the misuse of information; or 30% of the company’s adjusted turnover in the relevant period.

By comparison, the previous maximum penalty for serious data exposures was AU$2.22 million, which was not considered a strong enough incentive for companies to improve their data security.

The bill came in response to recent cyberattacks against Australian companies, including ransomware and network intrusions, which exposed highly sensitive data belonging to millions of people across the country.

“The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month,” read the media announcement on Monday.

“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect,” the Australian government added.

The most notable incidents were the data breach at telecommunications provider Optus, which affected 11 million people, and the ransomware attack on insurer Medibank, which exposed the data of 9.7 million people.

“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business,” continued the announcement.

Along with setting higher fines, the new legislation gives the Office of the Australian Information Commissioner (OAIC) greater powers, allowing it a larger role in resolving privacy breaches and determining their scope.

The OAIC welcomed the passing of the amendment in an announcement on Tuesday and promised Australians that it would use its enhanced role to better protect individuals and the country’s economy.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” said Commissioner Angelene Falk.

“In seeking penalties or taking regulatory action, our approach will continue to be pragmatic, evidence-based, and proportionate,” she added.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past two years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.