ITP Techblog

When the revamped Privacy Act came into effect in December 2020, it was widely considered to be a lost opportunity to beef up privacy protections for the age of big data and the digital economy.

Sure, we got mandatory breach notifications for serious data breaches and the Privacy Commissioner received some new powers, such as the ability to issue compliance notices to wayward businesses and organisations.

But despite the urging of Commissioner John Edwards at the time, the Government decided against imposing major fines for serious and repeated data breaches. As it stands, the maximum fine for a serious data breach that can be imposed under the Privacy Act is $10,000.

That looks increasingly anaemic in the face of large-scale data breaches, such as the Waikato District Health Board hack, which saw sensitive patient data leaked onto the dark web, and last month’s data breach the Pinnacle Midlands Health Network.

Australia is in the process of reviewing its own Privacy Act and a government bill this week proposed harsh financial penalties for privacy breaches.

At the moment, the maximum fine for a serious privacy breach in Australia is A$2.2 million. This is what the Australian Government wants to replace that with:

• A maximum fine of A$50 million, or,
• Three times the value of any benefit obtained through the misuse of the information, or,
• 30% of a company's domestic turnover in the relevant period if the court can't quantify that value.

The recent massive data breaches at Optus and Medibank across the Tasman have no doubt strengthened the resolve of lawmakers to hold Australian and international companies that operate in the country, financially liable to a much greater degree, for data privacy failures.

I’m in favour of hefty fines for privacy breaches and my view was confirmed after a recent discussion I had with Liz MacPherson, the Deputy Privacy Commissioner.

As important as health & safety

“Boards need to be taking the responsibility for personal information as seriously as they are taking the responsibility for health and safety,” she told me.

Currently, most boards and leadership teams put a lot more focus on health and safety than on data privacy. That may well be because health and safety lapses can result in serious injury or death.

But health and safety breaches also attract large fines - up to $500,000 for a company even if no one is exposed to a serious risk, and up to $3 million for a company that’s acted recklessly. There are stiff fines and jail time also awaiting individuals found to have been responsible for serious health and safety breaches. That’s what has really helped focus the mind of executives.

A decent fine regime here would encourage more investment in cybersecurity. But heftier fines alone won’t make a big difference. Even the passive fines levied under the General Data Protection Regulation (GDPR) in the European Union haven’t stopped major data breaches from occurring. Every organisation is in an escalating war with hackers, who are becoming increasingly sophisticated at getting past even respectable cyber defences.

What's best practice?

Is it fair for a company to be whacked with a massive fine for a data breach even though it did everything right? Probably not, but that would be rare anyway. Too often, they result from ineffective cybersecurity practices and policies, bad behaviour and underinvestment in cyber defences.

Organisations need to know what best practice on data privacy looks like. It’s the ones that don’t live up to that and breach the privacy of their users as a result, that should be forced to write a major cheque to the government as a result. The Office of the Australian Information Commissioner has to go to court to pursue a fine against infringing organisations. That’s a time-consuming and expensive task which is why privacy advocates suggest the regulator there needs more resources to determine which data breaches warrant a big fine.

Any regulator with the power to impose a $50 million fine needs to exercise a decent margin of discretion. As it stands, Optus could be up for millions in fines as a result of its massive data breach. One thing is for sure, a $10,000 fine for bad behaviour doesn't cut it in comparison.

We had a rare opportunity to add some real teeth to our privacy legislation. We opted not to. If the Australian data breach fine proposal is passed, you can guarantee data privacy will be high on the agenda at the next round of quarterly board meetings over there.