Introducing tougher penalties for data breaches in Australia
A little over a year ago, an amendment to Australia’s Privacy Act 1988 established mandatory data breach notification obligations. Known as the Notifiable Data Breaches (NDB) scheme, these requirements mean that organizations subject to the Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an eligible data breach when the breach is likely to result in serious harm to the individuals concerned.
In March of this year, Australian Government officials Attorney General Christian Porter and Minister for Communications and the Arts Mitch Fifield announced a new penalty and enforcement regime under the Privacy Act. The new legislation is not yet drafted, but is expected to be available for consultation in the second half of 2019. A media release stated that the amendments to the Privacy Act will:
- Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10% of a company’s annual domestic turnover – whichever is the greater.
- Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.
- Expand the other options available to the OAIC to ensure breaches are addressed, including requiring third-party reviews, publishing prominent notices about specific breaches, and ensuring that those directly affected are advised.
In the announcement of the new regime, Minister Fifield said, “Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”
A New High Water Mark: Global Data Breach Notification Requirements and the GDPR
In the year since the NDB scheme was introduced in Australia, the GDPR has come into force, and its far-reaching impact has included growing public awareness of privacy concerns. The influence of the GDPR on the announcement of steeper fines and new enforcement powers under the Privacy Act is clear. On the anniversary of the Notifiable Data Breaches scheme, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the introduction of the scheme reflected the increasing global focus on data protection, including the European Union General Data Protection Regulation.
Privacy teams supporting global incident response programs face considerable complexity in maintaining compliance amid a continually shifting regulatory landscape, where notification thresholds, deadlines, and recipients differ from one jurisdiction to the next. Keeping current with these evolving regulations is essential.
We’ve created a new comparison guide that highlights key differences and similarities between data breach notification requirements under the GDPR, Australia’s Privacy Act, and U.S. state and federal data breach notification laws. Download the guide now.
The RADAR incident response and decision-support platform helps privacy professionals and their organizations comply with the complexities of global data breach notification regulations, including Australia’s mandatory breach notification requirements. Contact us to learn more about simplifying compliance with notification obligations.