Legal experts are calling for Australia to adopt European Union-style data privacy laws including harsher penalties in the wake of the cyber hack on Optus last week that compromised the personal details of millions of customers.
Fines under the EU regime would be “significantly” higher, they say, but according to one media intelligence company Optus is already paying a huge reputational price in negative media and social media comment.
Australians were just beginning to understand the seriousness of the data breach for their personal data and the complex steps now required to protect themselves, said the University of NSW Law and Justice’s Tony Song.
“I think our laws should at the very least be updated to match the European Union’s General Data Protection Regulation, which has become something of the gold standard for data protection regulation,” Mr Song said.
With the maximum penalty under Australia’s cyber security measures currently just $2.2 million, adopting such a regime would also greatly increase the liability for Optus-type lapses, with fines potentially running into hundreds of millions.
“This means increasing the penalties not just for the cyber criminals, as suggested by Shadow Home Affairs Minister Karen Andrews – as this will not effectively deter bad actors, who will assume they will not get caught anyway – but actually for the companies that hold, use and process all our data,” he said.
“Our current $2.2 million limit [in corporate penalties for breaches] is nothing compared to the GDPR’s maximum of 20 million euros or 4 per cent of the firm’s worldwide annual revenue. For many large tech companies, that is still peanuts to them.”
Mr Song said Optus faces three main ramifications: a regulatory enforcement response, civil litigation including class actions, and the effect on Optus' reputation.
That reputation is already plummeting, according to research by global media intelligence specialist Meltwater, which shows a spike in coverage of the telecom company since the hack and a huge leap in negative comment.
“Media coverage has seen a 25 per cent spike in negative media and a 13 per cent drop in positive content,” it said. “Optus normally averages around 18 per cent positive versus 8 per cent negative, with the rest being neutral.
“Since the breach it's been 33 per cent negative and 5 per cent positive.”
Men were discussing Optus more than women, it said, while social media mentions were led by TikTok and Twitter.
Regarding regulations, Mr Song said Australia was already in the process of making changes to data protection laws with a review underway of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).
The measure was significantly based on requirements and concepts found in the GDPR as well as the California Consumer Privacy Act of 2018, he said.
It would increase the maximum Australian penalty to the greater of $10 million, three times the benefit obtained from the misconduct, or 10 per cent of the organisation’s turnover in the 12-month period up to the conduct.
The new standard could also further grant the Office of the Information Commissioner powers to make new determinations or compel entities to effectively audit their privacy practices and report findings back to the office.
Meanwhile, law firm Slater & Gordon have already declared an intention to mount a class action, while Maurice Blackburn is currently running another class action against Optus for an earlier breach in 2020.
“Optus has lost the trust and confidence of its customers, in the case of some, forever. Trust takes years to build, and seconds to destroy. Optus now faces a long and expensive road ahead to rebuild that trust,” Mr Song said.