Australia To Toughen Privacy Laws With Huge Hike in Penalties for Breaches

Australia has confirmed an incoming legislative change will significant strengthen its online privacy laws following a spate of data breaches in recent weeks -- such as the Optus telco breach last month. From a report: "Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," said its attorney-general, Mark Dreyfus, in a statement at the weekend. "We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."

The changes will be made via an amendment to the country's privacy laws, following a long process of consultation on reforms. Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of:
AUS $50 million (~$32M);
3x the value of any benefit obtained through the misuse of information; or
30% of a company's adjusted turnover in the relevant period.

Australia is a pretty good model

[battingly]

Every country, including Australia, has it's shortcomings, but Australia is doing a lot of things right, and the US could do worse than using it as a model for how to run a democracy in the 21st century.

Re: First they disarmed you, then they beat your a

[natd]

Nothing of what youâ(TM)re misleadingly stating is reality.

Free trials

[devslash0]

What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.

Re:

[splutty]

Yes. There should be FAR more "None of your fucking business" clauses in those laws.

Re:

[HanzoSpam]

That's probably part of the rationale for punishing breaches. If the risk of liability for a breach is high enough, the cost of collecting and holding the data becomes prohibitive. Make the data too hot to handle and companies will lose an interest in collecting it real quick.

Re:

[timeOday]

Yes, although I suppose it will come down to how damages are determined. A headline might say, "Company XYZ had a data breach and information on 800,000 customers was stolen." Will the penalty actually be different if the information was a mailing address on file, vs. individuals' full browser history?

Re:

[mjwx]

What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.

That's the point of these laws, to make holding excessive personally identifiable information a liability instead of an asset. The organisation mentioned in TFS, Optus, is the 2nd largest telco in Australia (well last time I checked, but I haven't lived there in 7 years so that was a long time ago) so generally have a reason and to some level, a legal obligation to hold some PII. Future penalties will be for failing to keep the data secure (TBF, in Australia several government agencies have failed terribly

unnecessary information = liability

[LeadGeek]

Hopefully this will pressure those collecting / requiring unnecessary information to just stop. Personal data is a liability, and if it is not absolutely needed, it shouldn't be collected in the first place. Here in the USA, (government-issue) social security numbers are collected and used as primary identifiers with wreckless abandon. Besides financial institutions requiring it, it wasn't too long ago most gym memberships required disclosing it, and all medical institutions still require it, even if paying cash. Ultimately what needs to happen is clean separation between authentication and authorization.

Personal liability

[bradley13]

As mentioned in another article: the only way these breaches *won't* be seen as a cost if doing business, is to hold the company officers *personally* responsible. Including those who were at fault but have since left the company. Personal fines and - in egregious cases - jail time.

It is almost never really the fault of the IT people. If they are under qualified or understaffed, that is the result of management decisions.

Elites don't like to be personally responsible

[MIPSPro]

I so wish we could do this. However, look at all they have done to prevent it. Case and point: corporate personhood. Not only can the officers of the company rarely be personally held liable, but even worse, the corporate "person" cannot be held liable either. They can be fined, but not jailed or executed for capital crimes or treason. A real person could. The folks that own all the things don't want to ever be held liable for anything that goes wrong so they surround themselves with legal abstraction layer

Re: Personal liability

[felixrising]

True story! I'm doing just that, it's a nightmare.

Re:

[youngone]

If you're having to "deal with all the pressure and shit" and it is stressful then your manager is failing you and the only reason you're having to "deal with all the pressure and shit" is because the person before you in that job decided not to.

Re:

[Bandraginus]

But the executive class get paid millions to carry exactly this kind of responsibility, no?

Who gets the money?

[brunes69]

On a privacy breach

- 30M+ goes to the government so that it can fund the next pork-barrel project in some MPs backyard

- You get a hearty "sorry about that" apology and a year of free "credit monitoring"

Re:

[sit1963nz]

Who cares.
Currently the victims do not get any money anyway , so if the fines go up markedly then perhaps data breaches will happen less often.

The less data collected because it is a bigger liability and the stronger protection used is only a good thing for the average person.

Re:

[brunes69]

The point is that it would have been pretty trivial to craft this legislation to compensate the victims appropriately vs funnel the money to the government.

Re:

[youngone]

That's not really how Australia works.

Re: Who gets the money?

[brunes69]

Please explain how it works then... explain how this fine makes its way to the victims of the breach.

Re:

[youngone]

Australia is not America, so the people there don't need to pay for "credit monitoring" (whatever that is. Sounds awful).
Also, "pork barrel" is something that really only happens in America too. You guys should try to do better.
So when companies pay a fine to the government, the money winds up being spent on stuff like schools and hospitals. You know, like civilised countries do it.

Re:

[brunes69]

First point: Credit monitoring means monitoring the dark web for your identity information that was stolen. It is aplicable to anyone. The fact that you don't seem to even know or care about your PII being stolen in a security breach illustrates how little you understand of the issues at play here.

Second point: If you think pork-barrel politics does not happen in Australia, you are living in a reality distortion field. It happens in all democracies, and runs rampant in Australia.

https://www.smh.com.au/polit [smh.com.au]

It comes down to

[zkiwi34]

Cheapskate companies hiring imbeciles to produce code, quickly.