Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Australia Privacy Technology

Australia To Toughen Privacy Laws With Huge Hike in Penalties for Breaches (techcrunch.com) 24

Australia has confirmed an incoming legislative change will significant strengthen its online privacy laws following a spate of data breaches in recent weeks -- such as the Optus telco breach last month. From a report: "Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," said its attorney-general, Mark Dreyfus, in a statement at the weekend. "We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."

The changes will be made via an amendment to the country's privacy laws, following a long process of consultation on reforms. Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of:
AUS $50 million (~$32M);
3x the value of any benefit obtained through the misuse of information; or
30% of a company's adjusted turnover in the relevant period.

This discussion has been archived. No new comments can be posted.

Australia To Toughen Privacy Laws With Huge Hike in Penalties for Breaches

Comments Filter:
  • by battingly ( 5065477 ) on Monday October 24, 2022 @01:19PM (#62994195)
    Every country, including Australia, has it's shortcomings, but Australia is doing a lot of things right, and the US could do worse than using it as a model for how to run a democracy in the 21st century.
  • Free trials (Score:5, Insightful)

    by devslash0 ( 4203435 ) on Monday October 24, 2022 @01:20PM (#62994203)

    What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.

    • by splutty ( 43475 )

      Yes. There should be FAR more "None of your fucking business" clauses in those laws.

    • That's probably part of the rationale for punishing breaches. If the risk of liability for a breach is high enough, the cost of collecting and holding the data becomes prohibitive. Make the data too hot to handle and companies will lose an interest in collecting it real quick.

      • Yes, although I suppose it will come down to how damages are determined. A headline might say, "Company XYZ had a data breach and information on 800,000 customers was stolen." Will the penalty actually be different if the information was a mailing address on file, vs. individuals' full browser history?
    • by mjwx ( 966435 )

      What they need to start penalising as well is collecting excessive data in the first place. If company doesn't have data X, it cannot be leaked in the breach. This means that when they ask for your age, they should not have to collect your full date of birth; or when a company offers you a free trial, they should not be allowed to collect your payment details in advance, only if you commit to a subscription at the end of the free period.

      That's the point of these laws, to make holding excessive personally identifiable information a liability instead of an asset. The organisation mentioned in TFS, Optus, is the 2nd largest telco in Australia (well last time I checked, but I haven't lived there in 7 years so that was a long time ago) so generally have a reason and to some level, a legal obligation to hold some PII. Future penalties will be for failing to keep the data secure (TBF, in Australia several government agencies have failed terribly

  • by LeadGeek ( 3018497 ) on Monday October 24, 2022 @01:24PM (#62994213)
    Hopefully this will pressure those collecting / requiring unnecessary information to just stop. Personal data is a liability, and if it is not absolutely needed, it shouldn't be collected in the first place. Here in the USA, (government-issue) social security numbers are collected and used as primary identifiers with wreckless abandon. Besides financial institutions requiring it, it wasn't too long ago most gym memberships required disclosing it, and all medical institutions still require it, even if paying cash. Ultimately what needs to happen is clean separation between authentication and authorization.
  • As mentioned in another article: the only way these breaches *won't* be seen as a cost if doing business, is to hold the company officers *personally* responsible. Including those who were at fault but have since left the company. Personal fines and - in egregious cases - jail time.

    It is almost never really the fault of the IT people. If they are under qualified or understaffed, that is the result of management decisions.

    • I so wish we could do this. However, look at all they have done to prevent it. Case and point: corporate personhood. Not only can the officers of the company rarely be personally held liable, but even worse, the corporate "person" cannot be held liable either. They can be fined, but not jailed or executed for capital crimes or treason. A real person could. The folks that own all the things don't want to ever be held liable for anything that goes wrong so they surround themselves with legal abstraction layer
  • On a privacy breach

    - 30M+ goes to the government so that it can fund the next pork-barrel project in some MPs backyard

    - You get a hearty "sorry about that" apology and a year of free "credit monitoring"

    • Who cares.
      Currently the victims do not get any money anyway , so if the fines go up markedly then perhaps data breaches will happen less often.

      The less data collected because it is a bigger liability and the stronger protection used is only a good thing for the average person.
      • by brunes69 ( 86786 )

        The point is that it would have been pretty trivial to craft this legislation to compensate the victims appropriately vs funnel the money to the government.

    • That's not really how Australia works.
      • Please explain how it works then... explain how this fine makes its way to the victims of the breach.

        • Australia is not America, so the people there don't need to pay for "credit monitoring" (whatever that is. Sounds awful).
          Also, "pork barrel" is something that really only happens in America too. You guys should try to do better.
          So when companies pay a fine to the government, the money winds up being spent on stuff like schools and hospitals. You know, like civilised countries do it.
          • by brunes69 ( 86786 )

            First point: Credit monitoring means monitoring the dark web for your identity information that was stolen. It is aplicable to anyone. The fact that you don't seem to even know or care about your PII being stolen in a security breach illustrates how little you understand of the issues at play here.

            Second point: If you think pork-barrel politics does not happen in Australia, you are living in a reality distortion field. It happens in all democracies, and runs rampant in Australia.

            https://www.smh.com.au/polit [smh.com.au]

  • Cheapskate companies hiring imbeciles to produce code, quickly.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...