The $50 Million Question. Why Australian Privacy Penalties Should Change How You Handle Customer Data.

Until late 2022, the maximum penalty for a serious or repeated interference with privacy in Australia was $2.22 million. Today, it is the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30 percent of the company’s adjusted turnover in the relevant period.

That is not a gradual escalation. That is a signal.

What changed and why

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 overhauled the penalties available to the Australian Information Commissioner and the courts. The changes were a direct response to a series of high-profile data breaches that exposed the personal information of millions of Australians.

The logic from the government was straightforward: the previous penalties were too low to act as a genuine deterrent. A $2.22 million fine was a rounding error for large enterprises, and it was not enough to force genuine investment in data protection infrastructure. The new penalty structure changes that calculation entirely.

These changes follow the precedent set by international privacy legislation, including Europe’s General Data Protection Regulation (GDPR), whose fines are also expressed as a share of global turnover, and the California Consumer Privacy Act (CCPA). Australia is catching up, and the direction of travel is clear: penalties will continue to increase, and enforcement will become more active.

What the penalties actually look like

The maximum penalty is the greatest of three amounts, so it scales with both the seriousness of the breach and the size of the business:

$50 million is the baseline maximum. For a mid-sized business, this alone could be existential.

Three times the benefit obtained targets businesses that profit from data misuse. If a company gains commercial advantage from improperly handling personal information, the penalty is calculated as a multiple of that gain.

30 percent of adjusted turnover is the provision designed for large enterprises. For a company whose adjusted turnover over the relevant period is $500 million, this means a potential penalty of $150 million. At that scale, data protection is not an IT issue. It is a board-level risk.

Beyond the direct financial penalty, there is the cost of remediation, legal fees, regulatory engagement, customer notification, and the reputational damage that follows a public breach. The total cost of a major incident can be several multiples of the fine itself.

Who is exposed

Most businesses that collect, store, or process personal information are subject to the Privacy Act. Small businesses with annual turnover under $3 million are generally exempt, but that exemption does not extend to AML/CTF reporting entities for the identity data they collect as reporting entities, so businesses that handle identity verification for KYC and AML compliance are covered regardless of size.

The exposure is particularly acute for businesses that maintain centralised databases of customer identity documents. Every passport scan, every driver’s licence copy, every proof-of-address document sitting in a company database represents both a compliance obligation and a breach risk.

The more data you hold, the bigger the target. The bigger the breach, the larger the penalty. The equation is not complicated.

Industries with high identity verification volumes, including real estate, legal services, accounting, and financial services, carry disproportionate exposure because they collect and retain large volumes of sensitive personal data as part of their standard client onboarding processes.

The problem with “good enough” security

Many of the businesses that have been breached did not have negligent security. They had standard, industry-accepted security measures in place. Firewalls. Encryption at rest. Access controls. Regular penetration testing.

The problem is that centralised data stores are inherently vulnerable. No matter how good the security is, a centralised repository of identity data remains a high-value target. The arms race between attackers and defenders continues to escalate, and the attackers need to succeed only once.

This is not a technology failure. It is an architectural one. As long as personal data is collected and stored centrally, the risk remains. Better security can reduce the probability of a breach, but it cannot eliminate it. And under the new penalty regime, “we had good security measures in place” is an argument you make after the breach, in front of the regulator, with a $50 million ceiling on the outcome.

How self-sovereign identity changes the risk profile

ShareRing’s self-sovereign identity model takes a fundamentally different approach. Instead of collecting and storing customer identity data in a centralised database, ShareRing’s system keeps verified credentials on the customer’s own device, inside the ShareRing Me Vault.

When a business needs to verify a customer’s identity, the customer presents their verified credential via ShareRing Link. The business receives confirmation that the verification is valid. It does not receive, and does not need to store, the underlying personal data.

The result: the business meets its regulatory obligations for identity verification without creating the data liability that comes with holding the underlying documents. There is no centralised database of customer documents to breach. There is no honeypot. The only identity data left in the business’s systems is whatever it explicitly chooses to request and retain (a name, a date of birth), and that remains personal information in its own right, so the reduction in exposure is as large as the amount of data the business stops keeping.

A verification hash is recorded on ShareLedger, ShareRing’s blockchain, providing an immutable audit trail that the verification occurred, without placing personal information on the ledger. Two practical checks apply to any such record: the hash must be a salted or random commitment rather than a plain hash of the customer’s details, since a plain hash of a name and date of birth can be confirmed by anyone who can guess the input; and the business should confirm which of its own record-keeping obligations the record evidences, as some regimes require specific details of the identification procedure to be retained.
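To make the flow described above concrete, here is an added example of the general pattern it relies on: the issuer signs salted commitments to each claim, the holder discloses only the claims a relying party asks for, and the relying party verifies the presentation and keeps an audit record that contains no claim values. This is generic illustrative code, not ShareRing’s protocol or any code from ShareRing’s products; the issuer name, the customer details and the use of an HMAC tag in place of a real digital signature are all assumptions made so the example runs with the Python standard library alone.

```python
import copy
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Constructed issuer key. Assumption: an HMAC tag stands in for the issuer's
# digital signature so that the example runs with the standard library only.
ISSUER_KEY = secrets.token_bytes(32)


def _commit(salt: str, name: str, value: str) -> str:
    """Salted commitment to one claim; reveals nothing without the salt."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def _canon(obj) -> bytes:
    """Canonical JSON so issuer and verifier sign exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(claims: Dict[str, str], issuer_key: bytes = ISSUER_KEY, ttl_s: int = 365 * 86400) -> dict:
    """Issuer side: commit to every claim, sign the commitments, give the holder the salts."""
    salts = {k: secrets.token_hex(16) for k in claims}
    body = {
        "credential_id": secrets.token_hex(8),
        "issuer": "example-issuer",  # constructed issuer name
        "expires_at": int(time.time()) + ttl_s,
        "commitments": {k: _commit(salts[k], k, v) for k, v in claims.items()},
    }
    tag = hmac.new(issuer_key, _canon(body), hashlib.sha256).hexdigest()
    # Everything returned here lives on the holder's device, not with the relying party.
    return {"body": body, "tag": tag, "claims": claims, "salts": salts}


def present(credential: dict, disclose: List[str]) -> dict:
    """Holder side: reveal only the requested claims together with their salts."""
    return {
        "body": copy.deepcopy(credential["body"]),
        "tag": credential["tag"],
        "disclosed": {k: (credential["claims"][k], credential["salts"][k]) for k in disclose},
    }


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY, now: Optional[int] = None) -> dict:
    """Relying party: check signature, expiry and disclosed claims; keep a record with no claim values."""
    body, tag = presentation["body"], presentation["tag"]
    now = int(time.time()) if now is None else now
    expected = hmac.new(issuer_key, _canon(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"verified": False, "reason": "bad issuer signature"}
    if now >= body["expires_at"]:
        return {"verified": False, "reason": "expired"}
    for name, (value, salt) in presentation["disclosed"].items():
        # A disclosed value is accepted only if it matches the commitment the issuer signed.
        if body["commitments"].get(name) != _commit(salt, name, value):
            return {"verified": False, "reason": f"claim {name!r} does not match credential"}
    # Audit record: evidence that a verification happened, carrying no personal data.
    # credential_ref is derived from the random-looking tag, not from any claim value.
    return {
        "verified": True,
        "issuer": body["issuer"],
        "credential_ref": hashlib.sha256(tag.encode()).hexdigest()[:16],
        "disclosed_fields": sorted(presentation["disclosed"]),
        "verified_at": now,
    }


def demo() -> Dict[str, dict]:
    """Run the happy path and three failure modes on a constructed credential."""
    cred = issue({"name": "Alex Example", "dob": "1990-01-01", "over_18": "true"})  # constructed
    results = {"ok": verify(present(cred, ["over_18"]))}
    results["expired"] = verify(present(cred, ["over_18"]), now=cred["body"]["expires_at"])
    wrong_salt = present(cred, ["over_18"])
    wrong_salt["disclosed"]["over_18"] = ("true", "00" * 16)  # salt does not open the commitment
    results["wrong_salt"] = verify(wrong_salt)
    forged = present(cred, ["over_18"])
    forged["body"]["expires_at"] += 86400  # tampering with the signed body breaks the tag
    results["forged"] = verify(forged)
    return results


if __name__ == "__main__":
    for label, record in demo().items():
        print(label, json.dumps(record, sort_keys=True))
```

The record returned on success is what a relying party would keep: issuer, a reference derived from the signature, the names of the fields it inspected, and a timestamp. The name and date of birth never leave the holder’s device unless they are explicitly requested, and even then they are verified against the issuer’s commitment rather than trusted from the holder.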

The cost comparison

Consider two scenarios for a business that processes 10,000 identity verifications per year:

Scenario A: Traditional approach. The business collects identity documents, stores them in a database, maintains security infrastructure around that database, conducts regular security audits, and carries cyber insurance to cover breach liability. If breached, the business faces regulatory penalties, remediation costs, legal fees, customer notification costs, and reputational damage.

Scenario B: Self-sovereign approach. The business verifies customers through ShareRing. Verified credentials are presented by customers from their own devices. The business holds verification confirmations, not personal data. There is no centralised identity database to breach, no document storage to secure, and dramatically reduced exposure under privacy legislation.

The cost of Scenario B is lower on every dimension that depends on holding the data: less infrastructure to secure, less compliance overhead, a stronger position when negotiating cyber insurance, and near-zero breach liability for customer identity documents.

When the penalty for getting Scenario A wrong is $50 million or more, the business case for Scenario B is not a difficult one to make.

What to do now

The penalty changes are not coming. They are here. Any business that handles personal information should be asking three questions:

First, how much customer identity data are we currently holding, and do we need to hold all of it?

Second, what is our actual exposure if that data is breached under the current penalty structure?

Third, is there a way to meet our verification and compliance obligations without holding the data at all?

For the third question, the answer is yes. ShareRing’s identity verification suite, certified under the UK DIATF, is designed specifically to let businesses verify identity without taking on data liability.

If you want to understand your current exposure and see how self-sovereign identity could reduce it, we can walk you through it.


Rohan Le Page
CEO, ShareRing
sharering.network
