Australia To Toughen Privacy Laws With Huge Hike in Penalties for Breaches (techcrunch.com)
Australia has confirmed an incoming legislative change will significantly strengthen its online privacy laws following a spate of data breaches in recent weeks -- such as the Optus telco breach last month. From a report: "Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," said its attorney-general, Mark Dreyfus, in a statement at the weekend. "We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."
The changes will be made via an amendment to the country's privacy laws, following a long process of consultation on reforms. Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of:
AUS $50 million (~$32M);
3x the value of any benefit obtained through the misuse of information; or
30% of a company's adjusted turnover in the relevant period.
Australia is a pretty good model (Score:3)
Re: First they disarmed you, then they beat your a (Score:3)
Free trials (Score:5, Insightful)
What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.
Re: (Score:2)
Yes. There should be FAR more "None of your fucking business" clauses in those laws.
Re: (Score:2)
That's probably part of the rationale for punishing breaches. If the risk of liability for a breach is high enough, the cost of collecting and holding the data becomes prohibitive. Make the data too hot to handle and companies will lose an interest in collecting it real quick.
What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.
That's the point of these laws, to make holding excessive personally identifiable information a liability instead of an asset. The organisation mentioned in TFS, Optus, is the 2nd largest telco in Australia (well last time I checked, but I haven't lived there in 7 years so that was a long time ago) so generally have a reason and to some level, a legal obligation to hold some PII. Future penalties will be for failing to keep the data secure (TBF, in Australia several government agencies have failed terribly
unnecessary information = liability (Score:4, Insightful)
Personal liability (Score:2)
As mentioned in another article: the only way these breaches *won't* be seen as a cost of doing business, is to hold the company officers *personally* responsible. Including those who were at fault but have since left the company. Personal fines and - in egregious cases - jail time.
It is almost never really the fault of the IT people. If they are under qualified or understaffed, that is the result of management decisions.
Elites don't like to be personally responsible (Score:2)
Re: Personal liability (Score:2)
But the executive class get paid millions to carry exactly this kind of responsibility, no?
Who gets the money? (Score:2)
On a privacy breach
- 30M+ goes to the government so that it can fund the next pork-barrel project in some MP's backyard
- You get a hearty "sorry about that" apology and a year of free "credit monitoring"
Re: (Score:2)
Currently the victims do not get any money anyway, so if the fines go up markedly then perhaps data breaches will happen less often.
The less data collected because it is a bigger liability and the stronger protection used is only a good thing for the average person.
Re: (Score:2)
The point is that it would have been pretty trivial to craft this legislation to compensate the victims appropriately vs funnel the money to the government.
Re: Who gets the money? (Score:2)
Please explain how it works then... explain how this fine makes its way to the victims of the breach.
Re: (Score:2)
Also, "pork barrel" is something that really only happens in America too. You guys should try to do better.
So when companies pay a fine to the government, the money winds up being spent on stuff like schools and hospitals. You know, like civilised countries do it.
Re: (Score:2)
First point: Credit monitoring means monitoring the dark web for your identity information that was stolen. It is applicable to anyone. The fact that you don't seem to even know or care about your PII being stolen in a security breach illustrates how little you understand of the issues at play here.
Second point: If you think pork-barrel politics does not happen in Australia, you are living in a reality distortion field. It happens in all democracies, and runs rampant in Australia.
https://www.smh.com.au/polit [smh.com.au]
It comes down to (Score:2)