Companies that suffer privacy breaches or that misuse customer data could face much stiffer penalties of at least $10 million under law changes being floated by the federal government.
Attorney-General Christian Porter and Communications Minister Mitch Fifield said they would draft legislation “for consultation in the second half of 2019” - banking on winning the May election or bipartisanship to see the changes through.
Though the changes would impact all organisations subject to privacy laws, the government was keen to focus on how it would net social media platform operators.
“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” Porter said.
“This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”
Among the changes the government wants to pursue are much more stringent financial penalties.
The current maximum penalty of $2.1 million “for serious or repeated breaches” would increase “to $10 million or three times the value of any benefit obtained through the misuse of information or 10 percent of a company’s annual domestic turnover - whichever is the greater”.
The Office of the Australian Information Commissioner (OAIC) would also gain “new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.”
The OAIC would also be afforded additional options to “ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised”.
And there would be new rules that forced “social media and online platforms to stop using or disclosing an individual’s personal information upon request”.
The OAIC would also be provided with “an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.”