
What Australia can learn from the EU regarding data laws


The Optus data breach has sparked debate over Australia’s data privacy laws.

As Australians come to terms with the seriousness of Optus’ data breach, UNSW Law & Justice’s Tony Song, a research fellow for the NSW Law Society’s Future of Law and Innovation, has urged the federal government to overhaul the nation’s protections for consumers.

In a statement published last week, Mr Song argued that Australia should strongly consider changing to European Union standards — such as the European Union’s General Data Protection Regulation (GDPR) — to protect Australians after the massive Optus data breach.

“I think our laws should at the very least be updated to match the EU’s GDPR, which has become something of the gold standard for data protection regulation,” he said.

The GDPR — put into effect on 25 May 2018 after a six-year long negotiation — is considered to be the world’s toughest data and privacy legal framework.

“Our current $2.2 million limit [in corporate penalties for breaches] is nothing compared to the GDPR’s maximum of [€20 million] or 4 per cent of the firm’s worldwide annual revenue. For many large tech companies, that is still peanuts to them,” Mr Song explained.

“This means increasing the penalties not just for the cyber criminals, as suggested by shadow home affairs minister Karen Andrews, as this will not effectively deter bad actors, who will assume they will not get caught anyway, but actually for the companies that hold, use and process all our data.”

In Australia, the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) is currently under review and is significantly based on requirements and concepts found in the GDPR and the California Consumer Privacy Act of 2018.

“This bill has been in the pipeline for a while, so the news articles extolling that new laws will be enacted in response to the Optus breach are only half-correct.

“While the Optus breach will no doubt prioritise attention to rushing the bill through, these laws were already in the process of being reformed even before the incident,” Mr Song said.

If Australia were to base its privacy laws on the GDPR, Mr Song believes changes for companies and consumers would include hefty fines, more rights for consumers, and updated consent protections.

“By harmonising or adopting a GDPR-style framework, it could improve trade and collaboration between Australia and the EU, and greatly improve the prospects of finalising the free-trade agreement with the EU that Australia is currently in the process of negotiating,” he said.

Also, last week, researchers from the University of Queensland urged Australian organisations to prioritise cyber security training for board directors in the wake of the Optus data breach.