Over the weekend, the government announced that amendments would be made to the Privacy Act to bring it into line with the burgeoning role of social media and in light of a number of high-profile privacy breaches and data leaks.
With Facebook still trying to rebuild trust after the Cambridge Analytica affair and the more recent revelation that it stored hundreds of millions of user passwords in plain text, the Attorney General said the Privacy Act would be strengthened with tougher penalties. Here’s how that might affect users.
The new laws, which are being drafted with social media giants in mind but will apply to all companies operating in Australia, will levy much more significant fines, not just for major breaches but for failing to cooperate and remediate issues relating to smaller breaches.
This is important as the majority of breaches reported to the Office of The Australian Information Commissioner (OAIC) involve fewer that 1000 records according to its quarterly reports.
Attorney-General Christian Porter told reporters over the weekend “We need better protections and stronger penalties and stronger incentives to ensure that the social media platforms do the right thing with our private information”.
It was also noted that the current fines, which top out at $2.1M are irrelevant to multi-billion dollar firms such as Facebook. But the proposed penalties of $10M aren’t much stronger. Facebook’s annual revenue in 2018 was almost US$56B and it has been growing at a rapid rate each year so even $10M isn’t likely to matter.
It’s proposed that a penalty regime that is more aligned with the European GDPR could be introduced. That would result in penalties of the greater of three times the value of any benefit obtained by misusing information or 10% of annual domestic turnover.
The OAIC would also be given greater powers to issue infringement notices and an increased budget to investigate potential breaches. And the users of online services would be given greater power to ask companies to stop using or disclosing personal information.
A news report noted that the Digital Industry Group Incorporated (DIGI), an industry body founded by Facebook, Google, Twitter, Amazon and Yahoo! parent company Verizon, downplayed the proposed laws saying they were already doing what the proposed changes would require in order to be compliant in other jurisdictions.
That begs the question – why hasn’t Facebook been charged in the EU over the recent revelation that it stored abut 600M user passwords in plain text, leaving them vulnerable to hackers?
The new laws will be introduced as amendments to the Privacy Act later this year.