Companies could be slapped with penalties of up to $50 million for failing to protect personal data as the federal government looks to rush through tough new privacy powers.
A string of high-profile cyber attacks, including one last week against private health insurer Medibank, has compromised the sensitive data of millions of Australians and, in some cases, led to attempts to sell that data for profit.
Under the bill, businesses responsible for serious or repeated privacy breaches would face steep financial penalties: the greater of $50 million, 30 per cent of the company's turnover, or three times the value of any benefit obtained through the misuse of the compromised data.
The proposed changes, which would bring Australia in line with some of the toughest jurisdictions in the world against privacy breaches, are set to be introduced during budget week.
It would lift the maximum penalty to more than 20 times the existing ceiling of $2.2 million.
Attorney-General Mark Dreyfus said the new framework, if passed, would push companies into taking privacy more seriously.
"Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," he said.
"We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."
The Australian Information Commissioner would also be granted additional enforcement powers, including strengthened information gathering abilities in order to conduct its own assessment on a company's compliance with the law.
A wider-ranging review of the Privacy Act is expected to be handed to Mr Dreyfus before the end of the year.
The announcement follows a massive data breach against Medibank last week estimated to have affected up to four million customers.
The health insurer on Wednesday revealed it had received messages from alleged hackers claiming they had obtained customer data, including names, addresses, dates of birth, and Medicare and phone numbers.
Home Affairs Minister Clare O'Neil called the attack a "dog act" but said federal government agencies and Medibank were working together to investigate it.
Last month, nearly 10 million Optus customers were caught up in a massive data breach against the telco, which left personal details and passport, licence and Medicare numbers exposed to the hackers.
An investigation into the telco's handling of the breach is underway by the Information Commissioner's office, which could leave it facing civil penalties of up to $2.2 million per contravention through the Federal Court.
The amendments put forward by Mr Dreyfus would bring Australia's regime into line with the European Union, where fines under the General Data Protection Regulation are capped at the greater of 20 million euros ($30.6 million) or 4 per cent of a company's global annual turnover.
Under the bloc's data privacy laws, companies must report a breach to their supervisory authority within 72 hours of becoming aware of it, and must notify affected individuals without undue delay where the breach is likely to put them at high risk, or face penalties.
The former Coalition government released an exposure draft amending laws to enhance online privacy late last year, which would result in the maximum penalty being raised to $10 million for companies, or 10 per cent of their domestic annual turnover.
Its draft also gave the Information Commissioner additional powers to issue infringement notices for failure to give information.
The privacy amendment was never introduced to the previous parliament.