Optus, Medibank and Changes to Privacy Laws

In November of 2022, the Australian Parliament approved Privacy Legislation Amendments that aim to increase penalties and provide greater powers to the Office of the Australian Information Commissioner (OAIC) in order to strengthen privacy protections. This is particularly pertinent given the data breaches of Optus and Medibank late last year which exposed the fallibility in privacy protection systems. Read on to discover what these amendments are, and how they may impact your business or personal information.


Increased Penalties

The most prominent change is the dramatic increase in penalties for serious or repeated privacy breaches by a corporate body. The maximum penalty for this crime has increased from $2.22 million to the greater of the following:

  • $50 million
  • 3 times the value of the benefit obtained (either directly or indirectly) from the contravention
  • 30% of the adjusted turnover of the corporate body during the breach turnover period (if they cannot determine the value of the benefit)

This significantly increased fine is intended to enforce greater accountability on the organisations we rely upon for secure and effective privacy management. This is particularly important given the new and complex ways in which our personal information is being handled, which make it difficult for everyday citizens to properly evaluate how their data is being used.

New OAIC powers

Another significant change actioned by the Amendment is giving the OAIC enhanced powers of enforcement and information collection. Notably, these greater powers include:

  • Capacity to request information about an eligible data breach, which may only be refused if permitted by a certificate from the Attorney-General
  • Capacity to conduct assessments of an entity’s ability to comply with the data breach scheme, including reviewing whether appropriate procedures were in place to respond to suspected data breaches
  • Capacity to fine entities failing to provide requested information
  • Capacity of OAIC to make determinations following the investigation of a complaint such as requiring statements about the conduct

These greater enforcement powers give the OAIC the capacity to obtain tangible material and thus make better-founded recommendations to enforcement authorities. However, none of these new powers allows the OAIC itself to take action to resolve breaches.

Information Sharing Powers

The other notable change is the provision allowing for greater sharing powers between the OAIC and ACMA. These include the ability to:

  • Disclose documents to other authorities and third parties
  • Request information from the ACMA that would assist in the performance of the functions of OAIC

This new power allows the OAIC to work more effectively with other organisations in obtaining the information needed to understand what has occurred in a particular scenario, and what should be done to resolve it.

Ultimately, the enormous data breaches of Optus and Medibank have together underscored the need for strong privacy laws in Australia. These amendments at least partially increase the accountability of businesses toward their clients, in that they place the onus on the business to implement appropriate processes for managing sensitive data and potential breaches of that data. In doing so, the government hopes that breaches of personal information will become less frequent, and that those responsible are brought to account.

If you have any questions or wish to discuss your circumstances with a lawyer, please contact the BAL Lawyers Business & Commercial team on 02 6274 0999.
