Significant penalties for company data breaches pass in Parliament
Companies that fail to take adequate care of consumer data will now be subjected to significantly higher penalties.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which was passed in Parliament last week, will increase the maximum penalty for companies committing serious or repeated privacy breaches from $2.2 million to the greatest of:
- $50 million
- Three times the value of any benefit obtained from the misuse of information
- 30 per cent of the company’s adjusted turnover in the relevant period of time.
The Bill also increases the maximum penalty for non-corporate entities from $444,000 to $2.5 million.
The amendments also provide additional powers to the Privacy Commissioner, including the power to obtain information regarding a data breach, to share information with other authorities, and to disclose information when it is in the public interest.
The amendment comes in response to recent high-profile cyberattacks, including those on Optus and Medibank, which have caused serious harm to Australians.
By imposing significant penalties and granting greater powers to the Privacy Commissioner, the amendment aims to promote the importance of protecting personal data, while incentivising businesses and other organisations to have stronger cyber and data security safeguards in place.