The New Commonwealth Bill Seeking to Force Companies to Put Consumers' Interests First

In the aftermath of recent major data breaches in which unprecedented amounts of private information were stolen, the Commonwealth Government has tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) to force companies to better protect their clients' and consumers' personal data.

The Bill, if passed, is the current Government's way of sending a clear message to any entity that retains consumer data that it owes an obligation to its consumers and that privacy, security and data protection must be taken seriously.

Under the current regime, companies that fail to sufficiently protect client and consumer data could face up to $2.22 million in fines for serious or repeated data breaches. While for many these fines are a substantial motivator to prevent data breaches, the increasingly burdensome costs of maintaining secure, large-scale data management systems have caused companies to start viewing the current penalties as simply "the cost of doing business". As a result, legislatures have realised that a failure to take action to change this view will continue to place consumers and their data in increasingly vulnerable positions.

Although companies stand to gain exponentially greater benefits as data analytics software continues to improve, history shows that when the cost of compliance becomes greater than the maximum fines, companies will opt for cheaper and less secure systems for as long as legislative frameworks fail to adequately motivate them to put third-party interests ahead of profits.

If the Bill were to pass in its present form, the key operative clauses would increase the maximum fine for serious or repeated data breaches to the greater of $50 million, three times the benefit obtained through the misuse of the private information subject of the breach, or 30% of the company's adjusted turnover for the relevant period after the breach event occurred. The Bill will also seek to improve the powers granted to the Australian Information Commissioner and broaden the jurisdiction of the Privacy Act to include foreign parties carrying on business in Australia.

Further implications of the new laws can be seen in coupling these changes with the already implemented laws that have broadened the scope of directors' obligations, whereby the failure of a director to take positive action to avoid data breaches may result in a finding of personal liability against that director for the payment of these substantially increased legislative penalties.

While not yet law, this Bill has the potential to set the tone for further legislative change, ensuring that secure data management remains a top priority for Australian companies across all industries.

In light of the Bill and the direction legislatures appear to be moving, we highly recommend seeking professional advice to ensure your company's internal data management systems, policies and procedures are keeping your and your clients' information safe and secure.

If ever in doubt as to what action you as a director or business owner should take to ensure the security of your data management systems, the team at Sajen Legal are here to help by providing high quality advice and support.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.