Companies face harsher penalties for customer data breaches
Companies are set to face fines of hundreds of millions of dollars if Aussies’ data is compromised as tough new laws take their next step.
New laws to ensure companies that fail to protect Australians’ personal data face fines of at least $50m have been introduced to parliament.
Attorney-General Mark Dreyfus had flagged he would seek to rush through changes to the Privacy Act given the massive data breaches at Optus and Medibank Private in recent weeks.
Mr Dreyfus had criticised the current $2.22m fine as “totally inappropriate”.
Introducing the legislation in the lower house on Wednesday, Mr Dreyfus said recent cyberattacks had shown data breaches had the potential to cause serious financial and emotional harm to Australians.
“And this is unacceptable,” he said.
“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.”
Under the changes, companies involved in serious or repeated privacy breaches would face penalties of hundreds of millions of dollars.
Businesses would be fined whichever is highest: $50m, three times the cost of damage caused by the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.
A combination of factors will be taken into account to determine penalties, including the number of people affected, nature of leaked data, consequences of a breach and how “reckless” companies have been.
The proposed laws would make other changes to the Privacy Act to give the Australian Information Commissioner additional powers to act on data breaches.
The laws would give the Commissioner and the Australian Communications and Media Authority “greater information sharing powers” to monitor any misuse of compromised data.
They would also ramp up notification requirements to ensure companies properly reported what information had been stolen.
A review of the Privacy Act by the Attorney-General’s Department is expected to be completed this year and result in recommendations for further reforms.