Calls are growing for Australia to adopt harsher financial penalties against offending companies in the midst of the Optus data breach, with critics warning it could happen again without disincentives.
Greens senator David Shoebridge said a breach of this size would cost Optus a maximum penalty of nearly $30 million in the European Union, in stark contrast to Australia's current framework, which would only cost the telco a maximum of $2.2 million.
It comes as Attorney-General Mark Dreyfus vowed to look at fixing privacy laws by the end of the year in order to more harshly penalise companies who fail to protect customer data.
Nearly 10 million customers have been impacted so far in the breach, which has resulted in personal data, including passport and Medicare numbers, being compromised.
Optus has committed to covering the costs of replacement passports and drivers' licences in some states, but privacy advocates want to see more done to prevent massive-scale attacks from being repeated.
Senator Shoebridge said data privacy laws were lagging behind the rest of the world and needed reform.
"We're getting the information that Optus is choosing to give us and it looks like people who have had their privacy breached may well be limited to the compensation or assistance that Optus is shamed into providing," Senator Shoebridge said.
"We're seeing a real-time demonstration of the inadequacies of data and privacy protections."
Under the European Union's data privacy laws, companies have 72 hours to inform their customers what data has been breached or face penalties.
Those penalties are capped at a maximum of 20 million euros ($30.6 million) or 4 per cent of their global revenue.
The Greens senator said past pushes to move to stronger protections had failed, but it was time for a champion within government to step up.
"We have the private corporate interest of players, like Optus, to retain the data for its marketing and customer retention purposes. We also have the security motive from the likes of the AFP and the federal government," he said.
"What's totally missing are the protections for individuals whose data is at risk. We need to make the penalties sufficient to provide an incentive to protect data."
An exposure draft amending laws to enhance online privacy was released late last year and would result in the maximum penalty being raised to $10 million for companies, or 10 per cent of their domestic annual turnover.
It would also give the Information Commissioner additional powers to issue infringement notices for failure to give information.
But the privacy amendment was never introduced to the previous parliament.
Mr Dreyfus said he was looking to reform the laws by the end of the year following Optus' failure to keep sensitive data safe.
"Companies throughout Australia should stop regarding all of this personal data of Australians as an asset for them, they actually should think of it as a liability," he said.
"I may be bringing reforms to the Privacy Act before the end of the year to try and both toughen penalties and make companies think harder about why they are storing the personal data of Australians."
The telco came under additional fire on Sunday for failing to earlier notify the government or its customers that Medicare and concession card data was also accessed.
Home Affairs Minister Clare O'Neil publicly lashed Optus for not responding to government agency requests for further details.
The telco had yet to acknowledge a letter sent by Services Australia five days ago requesting full customer details.
"This is a security breach that should not have occurred, but what's really important here is that we row in the same direction and do everything we can to stop financial crime against Australians," she said.
"We urge Optus to do everything it can to provide our agencies with the information they need to help us do that."