Foreign companies operating in Australia could soon be subject to Australian privacy law even if they do not collect or hold citizens’ data “directly from a source in Australia”, under proposed laws that also carry significantly higher penalties in the event of a data breach.
Attorney General Mark Dreyfus introduced the Privacy Legislation (Enforcement and Other Measures) Amendment Bill 2022 to Parliament on Wednesday, after announcing the changes over the weekend.
Almost at the same time, Medibank revealed that the scale of its data breach was far worse than expected, with all 3.9 million customers served by the health insurer and its subsidiaries potentially compromised.
The bill will amend the Privacy Act to increase the maximum penalty for a serious or repeated breach from $2.22 million to $50 million, or three times the value of any benefit obtained through the misuse of information, whichever is greater.
If the value of the data cannot be determined, the company will be fined 30% of its adjusted turnover during the relevant period.
Mr Dreyfus said the amendments will help ensure that “Australia’s privacy laws remain fit for purpose in a globalized world”.
“To ensure that the Privacy Act can be enforced against global technology companies that may process Australians’ information on offshore servers, the Bill will amend the extraterritoriality provisions of the Act,” he said.
“This means that even if overseas organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet obligations under the Privacy Act as long as they ‘carry on a business’ in Australia.”
In addition, businesses affected by eligible data breaches involving Australian data held overseas will be required to report such incidents under the Notifiable Data Breaches scheme introduced in 2018.
The changes come as global tech companies clash with Australian governments over the prospect of data localization.
Other new powers to be given to the Australian Information Commissioner include an expansion of the declarations that can be made following an investigation, new powers to conduct assessments, new powers to issue penalty notices to entities that fail to provide information, and a strengthening of the notifiable data breach regime.
Home Affairs Minister Clare O’Neil flagged increased penalties for data breaches following the Optus compromise last month, which affected the data of nearly 10 million Australians. While most had personal information exposed, around 2.1 million people had their identity documents compromised, including 43,000 Medicare card numbers.
Medibank has since revealed an equally significant data breach affecting its customers, which was initially thought to be limited to international student customers and those under the ahm brand.
On Wednesday, the health insurer confirmed that the personal data and significant amounts of health claims data of all 3.9 million customers had been accessible to the cybercriminal.
Health claims data includes the location where medical services were received and codes for diagnoses and procedures. Other data stolen by the criminal includes health insurance numbers and policy numbers, as well as “credit card security data”.
The Australian Federal Police are currently investigating the offence.
To enhance coordination between federal, state and territory government agencies and private sector stakeholders in response to the data breach, Home Affairs Minister Clare O’Neil activated the National Coordination Mechanism over the weekend. The emergency management tool was established in response to the COVID-19 pandemic.
Cybercrime, which had previously been the responsibility of the Home Affairs Minister, was added to the ministerial responsibilities of the Attorney General earlier this month through an Administrative Arrangements Order.
Do you know more? Contact James Riley by email.