Anna Johnston

Australia now has the biggest fines for privacy breaches in the world. 

Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill last month, which introduced significantly increased penalties for severe or repeated privacy breaches. 

At the Professional Planner Researcher Forum, Salinger Privacy principal Anna Johnston discussed the bill’s implications.

The bill will increase the penalty for privacy breaches under section 13G of the Privacy Act to three times the value of the benefit of the privacy breach. If the value can’t be determined, it will instead be based on 30 per cent of the firm’s adjusted turnover for the relevant period.

For an individual, the maximum penalty will be $2.5 million. The maximum penalty for a corporate body is $50 million.

Johnston said the recent Optus and Medibank breaches revealed that current safeguards are outdated and inadequate. The new law makes it clear to companies that the penalty for significant data breaches cannot be regarded as the cost of doing business anymore.

The difference between cyberattacks, data breaches, and privacy breaches 

Johnston said there were misunderstandings about the difference between cyberattacks, data breaches, and privacy breaches.

A cyberattack is an attempt by hackers to damage or destroy a computer network or system. 

Data breaches occur when personal information is accessed and disclosed without authorisation or is lost. 

A privacy breach is when personal information is stolen or lost or is collected, used, or disclosed without permission or prior knowledge. 

“Not every cyberattack will result in a data breach,” Johnston said. 

“It’s almost like a truck parking across your driveway. You can’t get in or out of your house with your car anyway, or in or out of your garage. No-one’s stolen anything, no-one’s accessed anything – they’ve just blocked your ability to move in or out.” 

She added that although a cyber-security incident may not necessarily be serious, companies are still required to report it to the federal government.