Tough New Penalties for Data Breaches Waved Through the Senate

In the few days following the Optus data breach, Prime Minister Anthony Albanese called the incident a “huge wake-up call for the corporate sector”. At the time, he also flagged “cyber reform”, that is, the intention to overhaul Australian law via amendments to the Privacy Act to better deal with such a scenario in the future.

Speaking on 4BC radio, Albanese was asked about a “change at a federal level” to put in a guarantee that people won’t be taken advantage of in the future.

“This is a huge wake-up call for the corporate sector, in terms of protecting the data which is there. And we want to make sure, as well, that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well,” he said.

“But this is a massive breach that has occurred. We know that in today’s world, there are actors, some state actors, but also some criminal organisations who want to get access to people’s data.”

Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.

But reforms to the Australian Privacy Act centred on data breaches are upon us.

Back in October, Attorney-General Mark Dreyfus introduced legislation to significantly increase penalties for repeated or serious privacy breaches. In a statement, Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected”.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” he added.

Dreyfus was of course pointing to the data breaches suffered by Optus, Woolworths subsidiary MyDeal, Medibank and wine dealer Vinomofo.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” Dreyfus continued.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 then entered Parliament. And last week, the Senate Legal and Constitutional Affairs Legislation Committee that was looking into the Bill, tabled its report.

The committee made three recommendations in total: two asked only for the reworking of a few words, and the third simply requested that the Bill be passed.

On Monday, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed through the Senate.

The changes to the Privacy Act, via the Bill, now see fines for “repeated or serious” data breaches rise from $2.2 million to “up to” $50 million or 30 per cent of “adjusted” turnover.

While the Office of the Australian Information and Privacy Commissioner (OAIC) has opened investigations into both Optus and Medibank, the Bill will also provide the Australian Information Commissioner with greater powers to resolve privacy breaches, as well as strengthen the Notifiable Data Breaches scheme (handled by the OAIC) to ensure the Australian Information Commissioner has “comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals”.

The Privacy Act amendments will also equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information-sharing powers.

While these changes are a start, as the ABC reported previously, privacy critics reckon more is needed to deter incidents like those at Optus and Medibank.

Appearing on ABC 7:30 last month, Minister for Cyber Security Clare O’Neil said Australia is “probably a decade behind in privacy protections”, protections that could potentially have helped prevent a breach on the scale of Optus’.

“I don’t want to blame this on the former government, but I just want to note that we are probably a decade behind in privacy protections where we ought to be, I would say we’re about five years behind in cyber protections than where we should be given how fast things are moving,” she said.

This article has been updated since it was first published.
