The federal government amendments to privacy laws passed the Senate on November 28, spurred on by the Optus and Medibank Private data breaches.
Attorney-General Mark Dreyfus said the law would raise the maximum penalties on companies for serious or repeated privacy breaches, sending a “clear message” to large companies to do better.
The new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 raises the current maximum penalty of $2.22 million to whichever is the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period.
The bill also expands the information commissioner’s enforcement and information-sharing powers.
Commissioner Angelene Falk from the Office of the Australian Information Commissioner (OAIC) welcomed the new law, saying the updated penalties bring Australia “into closer alignment” with competition and consumer remedies and penalties governed by Europe’s General Data Protection Regulation.
The Optus data breach involved malicious third parties obtaining current and previous customers’ personal information. While it caused headaches, and some people were held to ransom and potential identity theft, most only had to fork out for new licences and passports.
The Medibank breach, by contrast, involved the exposure of personal health information, such as medical procedures, which could have more serious repercussions.
While some companies need to access personal information, limits on how long it can be stored are needed. The amendments do not address this.
The commodification of personal data is another major privacy issue that the new laws do not tackle.
Digital Rights Watch (DRW) said in its Cheat Sheet: Getting privacy reform right, on October 26 that the right to privacy enables other rights that also have to be protected.
“Without privacy it would be extremely hard to enjoy freedom of speech and expression, and the ability to organise, protest and hold those in power accountable.”
It said protecting privacy is a key to reining in corporate power and “fighting harmful and invasive data practices of Big Tech (and other) companies”.
Privacy, it said, “puts power and agency back in the hands of individuals and communities”. This is not hyperbole. There have been cases in which law enforcement agencies and even the United States military have bought data harvested by social media companies, as a way of bypassing laws against harvesting data.
When social media companies harvest personal data for profit, it’s weird and creepy. When state agencies and actors do the same, sometimes with that same data, it’s scary.
Government and corporate spending on data protection and regulation has lagged far behind the explosion of data collection.
DRW’s Samantha Floreani wrote a week before the bill passed that seeking to penalise those skirting privacy requirements is “important”, but “the impact will ultimately be limited if the underlying requirements themselves remain weak, unclear, and unenforced”.
She said “not a single penalty has been imposed under the Privacy Act since the provision came into effect in 2014”.
In one case, the regulator sought a penalty against Facebook in relation to the Cambridge Analytica scandal. More than two years later, it has not been settled.
“There is little to reassure Australians that the increased penalties will be anything more than hypothetical,” Floreani said.
“Punishing organisations with larger fines after the fact may act as a deterrent in the future, but it does nothing to assist individuals when they need it most, nor does it restore their privacy once it has been lost.”
There is also a lack of clarity in how the value of a “benefit” in a privacy breach is defined in the new law, which could undermine its effectiveness. For instance, had the new law been in place before the Optus and Medibank breaches, it is not clear how the penalties would have been calculated.
Greens Senator David Shoebridge noted this in his comments to a Senate review of the bill in November. “It appears that in neither of these cases was the privacy breach intentional, the ‘benefit’ if there was one was historic underinvestment in cyber security.”
Shoebridge criticised the “one-size-fits-all offense with a maximum penalty of $50 million”, which would leave the regulator “with only one button to push, the nuclear button with a potentially financially disastrous fine”.
He said OAIC’s underfunding means it is only able to tackle one serious privacy breach at a time. While tougher penalties could be agreed to, if the regulator is starved of the funds to seriously enforce them it would be “a pyrrhic victory for data security”.
While this bill was never going to be a fix-all, it does not even help those affected by data breaches. Bigger fines are welcome, but privacy protections also need to be strengthened.
Also missing are laws against data retention and proactive protections to ensure that data is removed when no longer required.