Australia’s parliament has approved a bill amending the country’s privacy laws, dramatically increasing the maximum penalty to A$50 million for companies and data controllers that suffer large-scale data breaches.

The pecuniary penalty introduced by the new bill is set at the greatest of:

  • 50 million Australian dollars
  • Three times the value of any benefit gained from misuse of information
  • 30% of a company’s adjusted revenue during the relevant period

Previously, the penalty for severe data exposures was A$2.22 million, which was widely considered insufficient to incentivize companies to improve their data security controls.

The new bill follows a series of recent cyberattacks against Australian businesses, including ransomware and network breaches, that exposed highly sensitive data belonging to millions of people in the country.

“The Albanese Labor government wasted no time in responding to recent major data breaches. We announced, introduced and enacted legislation in just over a month,” reads the media announcement.

“These new, tougher penalties send a clear message to big businesses that they need to do better to protect the data they collect.”

The most notable incidents were the data breach at telecommunications provider Optus, which impacted 11 million people, and the ransomware attack on insurer Medibank, which exposed the data of 9.7 million.

“Major privacy breaches over the past few months have shown that existing safeguards are outdated and inadequate. These reforms make it clear to businesses that the penalty for a major data breach can no longer be viewed as the cost of doing business.” – Australian Government.

In addition to setting higher fines, the new bill also gives the Office of the Australian Information Commissioner (OAIC) greater powers to become involved in resolving privacy breaches and in determining their scope.

The OAIC has welcomed passage of the amendment and promised Australians that it would use its expanded role to better protect people and the country’s economy.

“The updated sanctions will bring Australian privacy law closer to competition and consumer remedies and international sanctions under the European General Data Protection Regulation,” Commissioner Angelene Falk said.

“In seeking sanctions or taking regulatory action, our approach will continue to be pragmatic, evidence-based and proportionate.”

By way of comparison, Europe’s GDPR imposes fines of up to 10 million euros or up to 2% of total turnover for the previous financial year, whichever is greater.

For “particularly serious infringements”, these amounts are doubled to 20 million euros or 4% of annual turnover.
