Australia has confirmed an incoming legislative change will significantly strengthen its online privacy laws following a spate of data breaches in recent weeks — such as the Optus telco breach last month.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” said its attorney-general, Mark Dreyfus, in a statement at the weekend.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
The changes will be made via an amendment to the country’s privacy laws, following a long process of consultation on reforms.
Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4 million) penalty to whichever is the greater of:
- AUS $50 million (~$32 million);
- 3x the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period
These amounts are substantially higher than an earlier draft of the reform last year (when penalties of AUS $10 million or 10% of turnover were being considered).
Major breaches such as at Optus — and another that followed hard on its heels, at the health insurer Medibank Private — appear to have concentrated lawmakers’ minds.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
The change of government, earlier this year, also means there’s a new broom at work.
Additional changes trailed by Dreyfus include greater powers for the Australian information commissioner and a beefed up Notifiable Data Breaches scheme to provide the privacy watchdog with a more comprehensive view of what’s been compromised in a breach, also so it can assess the risk of harm to individuals.
The information commissioner and the Australian Communications and Media Authority will also be furnished with greater information sharing powers to enable more regulatory joint-working.
Both agencies opened investigations of Optus following last month’s breach.
The privacy legislation amendment bill is slated to be presented to Australia’s parliament this week, per Reuters.
The Attorney-General’s Department is also undertaking a comprehensive review of the Privacy Act that’s due to be completed this year, with recommendations expected for further reform, it said.
“I look forward to support from across the Parliament for this Bill, which is an essential part of the Government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era. The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws,” added Dreyfus.
Optus, Australia’s second largest telco, says customer data exposed in data breach
