Following a string of high-profile security breaches at Australian companies such as Optus, Telstra, Medibank, Woolworths, and EnergyAustralia, both houses of the Australian Parliament passed a new privacy bill on Monday.
Called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, the new regulation grants the Office of the Australian Information Commissioner (OAIC) the power to crack down on companies that ignore security best practices and expose their customers’ data through cybersecurity breaches.
Under the new bill, companies that fail to safeguard user data face penalties of up to the greater of AU$50 million, three times the value of any benefit obtained through the misuse of the information, or 30% of the company's adjusted turnover in the relevant period. That is a steep increase from the previous maximum of AU$2.22 million for serious or repeated interferences with privacy.
The bill amends Australia's existing Privacy Act 1988 and has been met with positive feedback from Australian cybersecurity experts, who view the larger penalties as a real incentive for local companies to pay more attention to the state of their IT systems. Not all experts were as enthusiastic, though.
The new bill is also part of a government-wide push to bolster Australia's national cybersecurity posture, which the recent attacks have shown to be insufficient, even if a recent academic study ranked Australia at the top in terms of "cyber defense."
The OAIC, Australia's privacy watchdog, welcomed the bill's passing in a press release and called it "an important opportunity" to secure the Australian economy.
The bill will become law and take effect as an amendment to the Privacy Act 1988 after it receives royal assent in the coming weeks. According to the bill's text, its provisions and penalties also apply to any foreign company carrying on business in Australia, even if it is domiciled overseas. Australia previously tried to revamp and update its privacy laws in 2020, but that legislative effort stalled in Parliament.