Data breach penalties go under spotlight

The government is pushing to beef up privacy laws in the wake of large-scale cyber attacks and data breaches compromising personal details of millions of Australians.

Proposed legislation will force overseas companies to comply with Australian laws in more circumstances.

Penalties for serious or repeated interferences with privacy will also be increased to a maximum of $50 million, three times any gain the company receives from the breach, or 30 per cent of its turnover in a certain time frame.

New information-gathering powers will also be granted to the independent Australian Information Commissioner in relation to actual or suspected data breaches.

Privacy Commissioner Angelene Falk said the simplification of the law will protect against overseas companies avoiding domestic laws through complex technicalities.

"In a digital world where data knows no borders, our privacy law must protect Australians' personal information wherever it flows," she told a Senate inquiry on Thursday.

Ms Falk said increased fines needed to provide a large enough incentive to ensure corporate Australia invests in the security of Australians' personal information.

"Ideally, the penalties wouldn't need to be utilised because we'd see an uplift in security posture and a reduction in data breaches," she said.

David Vaile, from the Australian Privacy Foundation, wants the legislation to go further, telling the inquiry large companies can put fines down to the cost of doing business.

Mr Vaile wants the "serious or repeated" test removed, saying the likelihood of low or no fines for initial underinvestment in cyber security is the equivalent of being "lashed with a limp lettuce leaf".

"Everyone looks around at this and says 'There are no penalties, so why not try it'," he said.

"The rule of thumb in some of the bigger operators is ... better to ask for forgiveness than permission, which is effectively 'Let's see if we can get away with it'."

Privacy groups say the laws need to increase the cost of "data gluttony", where companies try to gather and store as much information as possible.

"You can't lose what you don't have," Electronic Frontiers Australia's Justin Warren told the hearing.

The Australian Federal Police noted an increase in cyber crime and attacks.

The agency is supportive of the new measures, saying it is important sensitive information is not made public.

The committee is due to report its findings on Tuesday, paving the way for the Senate to debate the bill.