Australian Privacy Act 2022 Updates

A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
Michael Buckbee
3 min read
Last updated January 5, 2023

A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

Minister of Cybersecurity Clare O'Neil said, “This is the new world that we live in. We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data.”

While the 13 Australian Privacy Principles (APP) of the law remain unchanged, the penalties facing organizations and agencies who fail to properly secure personal data are sharply increasing.

Specifically designed to send a message that “...the penalty for a major data breach can no longer be regarded as the cost of doing business,.” the new fine structure scales along with the revenue of the organization and the severity of the breach.

Previously the maximum fine for a data breach was capped at AU$2.5 million.

Going forward, an organization that incurs a data breach or severe ransomware attack must pay a fine of the greater of the following:

  1. AU$50 million
  2. If the court determines that the organization has profited from the unlawful data disclosure, the fine would be three times the value of that..
  3. If the court cannot determine the value of that benefit, the fine would be 30% of the adjusted turnover (revenue) of the corporation for the 12 months prior to the violation of the law.

Alongside the increased penalties, the amendment expands the government's ability to bring potential data breaches to light by granting them the power to obtain information and documents from anyone who may be involved with an actual or suspected eligible data breach.

With these changes, it's imperative that all agencies and organizations in Australia strictly adhere to the requirements for secure data collection, processing, and protection, which we will now cover.

How to avoid becoming a data breach statistic

In the last year, 30% of Australia's population has suffered from a data breach. It's abundantly clear that all organizations can come under attack from any angle and when potentially any system, account, or person can be an attack vector, the reasonable thing to do is “assume breach.”

Considered from a threat actor's perspective, compromising even a single user in most organizations would grant them access to thousands of on-prem files and dozens of SaaS applications and cloud services. Reducing this blast radius — all the data that an attacker could exfiltrate if one employee is compromised — is crucial to preventing breaches.

By pulling back the access rights of each user, you're forcing attackers to work harder. They will have to compromise more accounts, causing more anomalous activity on the network and upping the likelihood that they will be noticed.

To reduce the blast radius, it's important to:

  • Complete an inventory of your most critical data. If you're unsure of what that is, try to consider what an attacker would find most profitable.
  • Inventory the permissions and behaviors around this critical data. Would you be alerted to a user who appeared to be logging in from a new country, copying 100x of their normal amount of files, and doing all of this in the middle of the night?
  • Automate and maintain the controls protecting your data.

This approach is proven to reduce attacker risk, but a sometimes unremarked upon benefit is that it's also remarkably effective at reducing the risk of mistakes or malicious actions done by insiders. 

Data classification by user within Varonis

Strong security controls, as described above, can prevent the following:

  • Microsoft 365 users from accidentally sharing a link containing PII that is open to the entire internet
  • Ransomware from infecting your organization because a user clicked a link they shouldn't have
  • Government identifiers being accessed in files open to your entire company
  • A company facing a fine as they're unable to identify PII with their Salesforce instance

While the new penalties and requirements can seem daunting, Varonis has helped thousands of organizations meet their compliance requirements, prevent breaches, and protect their most valuable data assets.

To learn more, contact or to schedule a free Data Risk Assessment.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Wyden's Consumer Data Protection Act: How to Be Compliant
Will 2019 be the year the US gets its own GDPR-like privacy law? Since my last post in this series, privacy legislation is becoming more certain to pass. Leaders from...
Privacy by Design Cheat Sheet
Privacy by Design (PbD) has been coming up more and more in data security discussions. Alexandra Ross, the Privacy Guru, often brings it up in her consultations with her high...
Speed Data: The Importance of Data Privacy With Jordan McClintick
Jordan McClintick, Director of Data Governance and Privacy for Optiv, Inc. talks about how his law degree helps him in his current role in data privacy.
Wyden’s Consumer Data Protection Act: Preview of US Privacy Law
The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and...