The last few months have been challenging for Australians, in light of several major breaches that exposed highly sensitive customer data. That frustration has produced a push for action: more than 50% of Australians want stricter controls on corporate data collection. The demand is now becoming reality with the newly approved Privacy Penalty Bill, formally known as the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
This new bill sharply raises the stakes for companies that do business in Australia, turning data breaches from economic inconveniences into existential threats. Let’s look at how the new bill accomplishes this and how companies should respond.
Privacy Penalty Bill Increases Penalties
The Privacy Penalty Bill modifies the existing Privacy Act in two significant ways: it strengthens the Australian Information Commissioner's powers to investigate and respond to breaches, and it increases the penalties for interferences with privacy. The latter is the more notable change because of the eye-popping increase in fines.
In the past, an Australian company that seriously or repeatedly interfered with an individual's privacy faced a maximum fine of AU$2.1 million. That paled in comparison to the annual profits of more than AU$1 billion that some large Australian corporations report, which made the penalty rather toothless.
Under the new bill, the maximum penalty for a serious or repeated interference with privacy rises to the greater of AU$50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of the company's adjusted turnover in the relevant period. This is substantially stricter than the version first proposed in 2021, which set the maximum at AU$10 million.
Of particular note is the possibility of a fine scaled to the benefit obtained from misused data or to turnover rather than to a fixed cap. A company can no longer put an upper bound in advance on the fine it would face for a hypothetical breach.
The new bill should be understood as the first of several significant changes coming to Australia. In the near future, the country's core privacy legislation will be overhauled. Even before this year's major breaches, a discussion paper released by the Australian government as part of its review of the Privacy Act made clear that major changes were on the horizon, pointing toward a protection law that could resemble the European Union's General Data Protection Regulation (GDPR), widely considered the "gold standard" of privacy legislation.
How to Respond to Increased Australian Privacy Penalties
The Privacy Penalty Bill shows that allowing breaches to happen can no longer be treated as "part of doing business." A single fine on the scale defined by the Privacy Penalty Bill would be devastating on its own. And because there are hundreds of regulations worldwide, each with its own breach penalties, a multinational incident will soon become financially ruinous for companies of any size.
Given that the fine may be tied to the value of the data that is exfiltrated and misused, it is more important than ever to know what data you hold and where it lives. Even before the new penalty regime, this inventory was urgent, because recent and pending regulations such as the California Privacy Rights Act (CPRA) and the GDPR demand special protection for sensitive data.
It is also important to recognize that fortifying your network perimeter and securing your data are separate processes, and both are essential. Many assume that critical data has been compromised as soon as a firewall is breached, but that is not necessarily true. If you have identified where valuable data lives and locked it down, an attacker who gets past the perimeter will come up empty-handed.
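To make "know what data you have and where it lives" concrete, here is a small data-discovery pass over a constructed text export. It is an added example written for this article, not code from the original post and not part of any Ground Labs product. It looks for two Australian personal-information formats, tax file numbers (TFNs) and Medicare card numbers, and applies their public check-digit formulas so that a nine-digit invoice number or a mistyped card number is not reported as a finding. The sample records, field names and the redaction format are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for a file share or database export.
# Line 1 holds a valid TFN, line 2 a valid Medicare number with IRN,
# line 3 a nine-digit value that is NOT a TFN, line 4 a Medicare-shaped
# value whose check digit is wrong.
SAMPLE_RECORDS = """\
customer_id=1001 name="A. Citizen" tfn=123 456 782 notes="renewal due"
customer_id=1002 name="B. Citizen" medicare=2123 45670 1 plan=gold
invoice_no=987654321 total=1234.56
customer_id=1003 ref=2123 45671 1
"""

# Public check-digit weights for a nine-digit TFN: weighted sum mod 11 == 0.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Public weights for the first eight digits of a Medicare card number;
# weighted sum mod 10 must equal the ninth digit. The tenth digit is the
# card issue number and an optional eleventh digit is the person's IRN.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)


def is_valid_tfn(digits: str) -> bool:
    """Return True if `digits` is a nine-digit string passing the TFN checksum."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def is_valid_medicare(digits: str) -> bool:
    """Return True for a 10- or 11-digit Medicare number with a correct check digit."""
    if len(digits) not in (10, 11) or not digits.isdigit() or digits[0] not in "23456":
        return False
    check = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS)) % 10
    return check == int(digits[8])


@dataclass(frozen=True)
class Finding:
    kind: str      # detector label, e.g. "AU_TFN"
    value: str     # the text as it appeared in the record
    line_no: int   # 1-based line within the scanned text


# Each detector: label, a loose pattern for candidates, and a validator that
# rejects candidates which merely look like the data type.
DETECTORS = (
    ("AU_TFN", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
    ("AU_MEDICARE", re.compile(r"\b[2-6]\d{3}[ -]?\d{5}(?:[ -]?\d)?\b"), is_valid_medicare),
)


def _digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def scan(text: str) -> list[Finding]:
    """Report every validated occurrence of a detected data type, with its line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, validate in DETECTORS:
            for match in pattern.finditer(line):
                if validate(_digits_only(match.group())):
                    findings.append(Finding(kind, match.group(), line_no))
    return findings


def redact(text: str) -> str:
    """Mask validated matches in place, keeping the last three digits for reconciliation."""
    def mask(match: re.Match, validate) -> str:
        digits = _digits_only(match.group())
        if not validate(digits):
            return match.group()          # leave look-alikes untouched
        return "*" * (len(digits) - 3) + digits[-3:]

    out = text
    for _kind, pattern, validate in DETECTORS:
        out = pattern.sub(lambda m, v=validate: mask(m, v), out)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print(redact(SAMPLE_RECORDS))
```

The point of the validators is the false-positive rate: a bare digit pattern would flag the invoice number on line 3 and the bad card number on line 4, inflating the inventory and burying the real hits. A production discovery tool extends the same shape to many more data types and to binary formats, but the loop is the same: find candidates, validate, record where they live, then remediate.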
Data discovery is at the heart of avoiding the fines associated with Australia's new Privacy Penalty Bill. If you need to take stock of the data you store about Australian customers, Enterprise Recon by Ground Labs provides an excellent starting point. It delivers rapid discovery across an exhaustive profile of hundreds of data types, including the full range of Australian personal information, and offers a range of tools for immediate remediation.
Book a demo with Ground Labs so you can stay compliant — the stakes are higher than ever.