Big penalties for Australian privacy breaches

By Alison Baker, Eden Winokur, Iona Goodwin and Alexandra Gallagher

The Australian Government has moved swiftly to significantly increase the financial penalties that companies face if they fail to protect the personal information of their customers.

Currently, the maximum penalty for serious or repeated privacy breaches is $2.22 million.

Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which will be introduced into the Parliament this week, the maximum penalty for serious or repeated privacy breaches will increase to whatever is the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company’s adjusted turnover in the relevant period.

The Attorney-General’s office has indicated the Bill will also:

  • provide the Australian Information Commissioner (AIC) with greater powers to resolve privacy breaches;
  • strengthen the Notifiable Data Breaches scheme to ensure the AIC has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals; and
  • equip the AIC and the Australian Communications and Media Authority with greater information sharing powers.

This Bill is in addition to a comprehensive review of the Privacy Act 1988 (Cth) by the Attorney-General's Department to be completed this year, with recommendations expected for further reform (Privacy Act Review).

The Bill and the Privacy Act Review are in addition to the urgent passing of the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022, soon after the Optus data breach became news, to introduce a suite of amendments to the Telecommunications Regulations 2021 (Regulations).

The recent amendments to the Regulations are designed to enhance protections for consumers in the event of significant data breaches.

Under the amendments, in certain circumstances, telecommunications companies who experience a data breach will be able to temporarily share approved government-related identifiers (such as driving licence, Medicare number and passport numbers) of affected individuals, or other information specified by the Minister for Communications, with regulated financial services entities (such as banks). This will allow those financial services entities to implement enhanced monitoring and safeguards for customers affected by the data breach.

The amended Regulations apply to disclosures made to financial institutions regulated by the Australian Prudential Regulation Authority (APRA). They provide that:

  • information can be used for the sole purpose of preventing or responding to cyber security incidents, fraud, scam activity or identity theft;
  • entities that wish to receive the data must:
    • provide written commitments to the Australian Competition and Consumer Commission that they will comply with their obligations under the Privacy Act;
    • attest to APRA that they meet the relevant information security standard; and
    • confirm in writing that the information they are seeking is necessary and proportionate;
  • approved recipients of the government-related identifiers must satisfy robust information security requirements and protocols for any transfer and storage of data; and
  • the information must be destroyed once it is no longer required.

The above changes reflect increasing recognition of the significant risk posed by large-scale data breaches and represent increasing efforts to enhance protections for personal information, including through increasing obligations on the part of entities who hold such information.

The previous government had made moves towards reforming Australia’s privacy laws, but those efforts had not moved to the point of implementation.

While the Attorney-General had already flagged his intention to move forward with privacy law reform via the Privacy Act Review, the Optus and Medibank breaches have resulted in some of those changes being implemented quickly.

Proposals for reform we expect to see in the Privacy Act Review include:

  • changes to the definition in the Privacy Act of ‘personal information’;
  • changes to the current exemptions from certain requirements of the Privacy Act (such as removing or modifying the ‘employee records’ exemption);
  • the development of the right to erasure of personal information; and
  • further enhancements to enforcement of privacy law and privacy rights.

The Hall & Wilcox Privacy and Cyber teams will keep businesses updated on these crucial reforms.

If you would like to discuss your organisation’s privacy policy, data retention policy or how to ensure that privacy regulations are being complied with, please contact our privacy and cyber experts at Hall & Wilcox.


Eden Winokur

Partner & Head of Cyber

John Gray

Partner, Technology & Digital Economy Co-Lead and NSW Government Co-Lead

James Deady

Partner & Technology and Digital Economy Co-Lead
