As Australians come to terms with the seriousness of the Optus data breach, UNSW Law & Justice’s Tony Song, Law Society of NSW Future of Law and Innovation Research Fellow, has called on the Federal Government to review the nation’s consumer protections.
In a statement released last week, Mr Song argued Australia should seriously consider adopting European Union standards – such as the European Union’s General Data Protection Regulation (GDPR) – to protect Australians following the massive data breach at Optus.
“I think our laws should at least be updated to match the EU GDPR, which has become something of a gold standard for data protection regulation,” he said.
The GDPR, which entered into force on 25 May 2018 after six years of negotiations, is considered the strictest legal framework for data and privacy in the world.
“Our current limit of $2.2 million [in corporate penalties for breaches] is nothing compared to GDPR’s maximum of [€20 million] or 4 percent of the firm’s worldwide annual revenue. For many large technology companies, this is still worthless to them,” explained Mr Song.
“This means increasing penalties not just for cybercriminals, as Shadow Home Secretary Karen Andrews is proposing, as this will not effectively deter bad actors who will assume they won’t be caught anyway, but actually for companies who hold, use and process all our data.”
In Australia, the Privacy Legislation Amendment (Improving Online Privacy and Other Measures) Bill 2021 (online privacy bill) is currently being revised and is largely based on the requirements and concepts found in the GDPR and California Consumer Privacy Act of 2018.
“This bill has been in the works for some time, so news articles touting that new laws will be passed in response to the Optus breach are only half right.
“While the Optus breach will no doubt focus attention on rushing through the bill, these laws were already in the process of being reformed even before the incident,” Mr Song said.
If Australia bases its privacy laws on GDPR, Mr Song believes the changes for companies and consumers will include hefty fines, more rights for consumers and updated consent protections.
“By harmonizing or adopting a GDPR-style framework, this could improve trade and cooperation between Australia and the EU and significantly improve the prospects for finalizing the free trade agreement with the EU that Australia is currently negotiating,” he said.
Also last week, University of Queensland researchers urged Australian organizations to prioritize cyber security training for board directors following the Optus data breach.