Australian government strengthens stance on data security threats

After a year marked by several data breaches that captured public attention, the Australian government intends to designate a privacy commissioner - a post that the previous administration abolished. This step is being taken due to the increasing security threats faced by the country. 

The reestablishment of the privacy commissioner post is particularly crucial following several high-profile breaches that resulted in the exposure of the sensitive information of millions of individuals across Australia. 

In an official release earlier this week, Australian Attorney-General Mark Dreyfus said:

“Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.”

Major data breaches through the past 12 months in Australia have been described as “distressing” by Dreyfus, who added that such incidents put users at risk of identity fraud and scams. To deal with the growing data security threats and the increasing volume and complexity of data privacy issues, Dreyfus sees the appointment of a dedicated privacy commissioner as necessary.

The move to reinstate the privacy commissioner position, which was abolished by the previous administration, aims to address the issues at hand. The Office of the Australian Information Commissioner (OAIC) was targeted as part of the Liberal Party’s cost-cutting measures under John Abbot’s leadership, but the necessary legislation to abolish it was not passed. 

However, the OAIC lacked sufficient funds to sustain its operations during the interim, which led to the roles of the privacy and information commissioner being merged.

Currently, Angelene Falk serves as both the country’s information and privacy commissioner. This new development will return the OAIC to its original structure, with three commissioners, including one for freedom of information, according to a statement released by the OAIC backing the appointment.

“The former Liberal Government left Australia disgracefully unprepared for this challenge [of growing security threats] by failing to strengthen privacy laws, and scrapping the position of a standalone privacy commissioner,” Dreyfus added:

According to Dreyfus, the Labour Party-led administration in Australia recognises the importance of privacy regulation and has taken steps to increase penalties for companies that do not adequately protect customer data. He added that it is crucial to provide the Australian people with greater protections, transparency, and control over their personal information.

For the time being, Falk will retain her position as OAIC head and information commissioner while serving as privacy commissioner until the appointment of a new commissioner. In November 2022, the Australian government passed legislation to increase financial penalties for violators of data privacy. Top-end fines for serious or repeated breaches were raised from AU$2.22m ($1.49m) to AU$50m ($32.34m), or three times the value of any benefit obtained through data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater.

Last October, Medibank suffered a security incident that compromised the data of 9.7 million current and former customers, including 1.8 million overseas customers. Following the health insurer’s refusal to pay ransom demands, hackers published large quantities of data on the dark web, stating that the folders held all the data seized during the breach.