In late 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill was passed into law. This means that the maximum penalty for serious or repeated breaches of the Privacy Act is now much higher.
The maximum penalty was once $2.2 million, but fines can now sit at up to $50,000,000—or more, in some cases.
Why did this change?
It’s partly about keeping pace with community expectations and partly a response to the changing data privacy landscape in Australia. In September 2022, Optus had a data breach that exposed about 9.8 million individuals’ data, roughly 40% of Australia’s population. This was followed in October by an equally large data breach at Medibank, which additionally exposed some 480,000 sensitive health claims records.
The two breaches contextualise the new penalties, which arrived hard on their heels and passed rapidly through both Houses.
How does this affect businesses in Australia?
Responsibilities under the Privacy Act haven’t changed. Only the penalties for failing to meet them have.
“Serious or repeated” interference with privacy is the relatively high bar at which these penalties are set, but it’s still possible to fall foul of the new penalties through poor governance or error.
And that higher penalty means that some organisations, which might have been tolerant of a potential $2 million risk, are now facing a possible $50 million risk… or greater. Other penalties under the amendment include, for example, 30% of a company’s annual turnover. It’s a change that gives existing privacy legislation in Australia bigger teeth, so organisations that don’t follow the rules risk a lot more.
What does the change mean for my organisation?
The change to penalties creates a new urgency around data security for companies operating in Australia. Even for those organisations that are not APP entities, the change still communicates new information about community expectations. People are increasingly aware of the value of their personal information, and they expect that their information will be treated with due care.
The key to making sure your privacy obligations are discharged properly, and meeting the changing tide of community expectations, is data governance: developing and understanding your policies and strategies that allow you to care for data at an organisational level.
Are there resources I can review?
Absolutely. If you have any questions about your legal obligations or whether the Australian Privacy Principles apply to you, the Office of the Australian Information Commissioner is an ideal starting point.
Here at DCA, we’ve recently published a checklist of things you can do to improve your data security, and we’ve also developed a whitepaper with much more detail on the amendment, including case studies, stats and more detailed recommendations from our data experts.
And as always, if you have queries about your organisational data specifically, you can reach out to a member of our team for a free, no-strings chat any time. We’re here to help!