Australia flags tough new data protection laws this year
Attorney-General Mark Dreyfus says Australia could have tough new data protection laws in place this year in an urgent response to a cyberattack on a telecommunications company that stole the personal data of 9.8 million customers
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Australia could have tough new data protection laws in place this year in an urgent response to a cyberattack on a telecommunications company that stole the personal data of 9.8 million customers, the attorney-general said on Thursday.
Attorney-General Mark Dreyfus said the government would make “urgent reforms” to the Privacy Act following the unprecedented hack last week on Optus, Australia’s second-largest wireless carrier.
Dreyfus said “I think it’s possible” for the law to be changed in the four remaining weeks that Parliament is scheduled to sit this year.
"I’m going to be looking very hard over the next four weeks at whether or not we can get reforms to the Privacy Act into the Parliament before the end of the year,” Dreyfus told reporters. Parliament next sits on Oct. 25.
Dreyfus said penalties for failing to protect personal data had to be increased so that corporate boards could not dismiss fines as a “cost of doing business.”
The “absolutely huge amounts” of customer data companies held for years would have to be justified under the amended law, Dreyfus said.
“Companies need to look at data storage not as an asset, but as a liability or a potential liability,” Dreyfus said.
“For too long we have had companies solely looking at data as an asset that they can use commercially,” he added.
The government blames lax cybersecurity at Optus, a subsidiary of Singapore Telecommunications Ltd., also known as Singtel, for the theft of current and former customers’ personal information.
The data included passport, driver’s license and national health care identification numbers which could be used for identity theft and fraud.
Authorities are critical of Optus’s initial failure to disclose that Medicare numbers were among the stolen data. That became apparent on Tuesday when the hacker dumped the records of 10,000 customers on the dark web — six days after Optus discovered the cyberattack.
The urgent legislative response is separate from a broader review of the Privacy Act that began three years ago. The law was passed in 1988 and critics argue it badly needs to be adapted to the digital age.
Optus could potentially be fined a maximum 2 million Australian dollars ($1.3 million) for breaching the Privacy Act, the government said.
It could be fined hundreds of millions of dollars over a similar security breach under European Union laws, the government said.
Submissions to the Privacy Act review have suggested penalties for breaches equivalent to 10% of revenue from Australian operations.
Optus chief executive executive Kelly Bayer Rosmarin has argued against increased fines, telling Australian Broadcasting Corp. on Tuesday: “Honestly, I’m not sure what penalties benefit anybody.”
Optus maintains it was the target of a sophisticated cyberattack that penetrated several layers of security.