The Australian Parliament has passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, giving the Office of the Australian Information Commissioner (OAIC) stronger tools to act against companies, Big Tech platforms in particular, that do too little to prevent data breaches. The amendment bill, which awaits Royal Assent to become law, raises the maximum penalty for serious or repeated privacy breaches from 2.2 million to 50 million AUD (roughly 1.5 million to 33 million USD).
Although 50 million AUD is the headline figure, the bill provides two other ways of calculating the maximum penalty. A violating entity can be fined up to the greatest of the following three amounts:
- Fifty million AUD
- Three times the value of any benefit the company obtained through the misuse of the information
- Thirty percent of the company's adjusted turnover in the relevant period
“Companies which fail to take adequate care of customer data will face much higher penalties following today’s passage of the Albanese Government’s legislation to significantly increase penalties for repeated or serious privacy breaches,” Attorney-General Mark Dreyfus KC, MP of the Australian Albanese Labor Government, said.
The amendment bill also expands the OAIC’s powers to investigate data breaches and enforce the Privacy Act. OAIC Commissioner Angelene Falk welcomed the bill’s passing as a step toward bringing Australia’s privacy regime in line with the European General Data Protection Regulation (GDPR).
Events That Led to The Amendment Bill
Recent data breaches in Australia pushed the government to introduce and pass the amendment bill. In September, for instance, a massive breach at telecommunications provider Optus exposed the personal details of millions of customers, including identity document numbers belonging to about 2.1 million of them. Weeks later, cybercriminals stole records on 9.7 million current and former customers of health insurer Medibank, including sensitive medical claims data.
Meta has also been found to violate user privacy on several occasions, either by allowing third parties improper access to user data or by neglecting to prevent data breaches on its platforms. The Cambridge Analytica case is the best-known example: profile data on tens of millions of Facebook users was harvested through a third-party app and passed to a political consultancy.
More recently, the Irish Data Protection Commission (DPC) fined Meta €265 million for failing to protect the information of 533 million users from data scrapers. And in yet another instance, plaintiffs in an ongoing lawsuit claim that Facebook’s pixel tracking technology, embedded on healthcare websites, knowingly and illegally collected the medical information of millions of patients for targeted advertising.
Will The Amendment Bill Prevent Data Breaches?
Under the amendment, companies responsible for serious or repeated privacy breaches face penalties of up to 50 million AUD, three times the value of any benefit obtained from misusing the information, or 30% of the company’s adjusted turnover, whichever is greatest. These seemingly draconian clauses could prove an effective deterrent against companies that knowingly mishandle user data.
The bill’s proponents argue that the harsher penalties will force Big Tech companies to strengthen their data-privacy practices. Given that data breaches and cybercrime have increased in recent years, they see the steeper penalties as a proportionate response.
The bill’s opponents point out that many data breaches also occur in government institutions, so punishing only commercial entities for such breaches is unfair. To them, the bill is a blatant attempt by the government to extend its regulatory power over economic and personal affairs.
How Does The Bill Help Individuals and SMBs?
Presently, no industry, whether healthcare, banking, or social media, is off-limits to cybercriminals. With so many attack vectors available to attackers, consumers need to tread with greater caution online. But if the Australian authorities enforce the bill in its true spirit, it may go some way toward restoring user confidence.
Small and medium-sized business owners will still need to safeguard their networks and have them tested regularly, for example through independent security assessments or penetration tests by third-party providers. Documented precautions of this kind show that an SMB took reasonable steps to protect the data it holds, and that could weigh in its favour, and potentially reduce any penalty, should a breach occur anyway through social engineering or other means.
The bill is a warning to Big Tech companies: they can no longer shrug off responsibility for preventing data breaches. Hefty penalties may also deter them from knowingly compromising user data for advertising.