Companies face new penalties for customer data breaches

Companies could face much harsher penalties if their customer data is compromised in cyber security breaches following a move by the government.

Government to increase data breach fines

The federal government will aim to pass legislation making companies far more culpable in the event of a customer data breach.

Under the proposed changes, companies involved in serious or repeated breaches could face penalties of a minimum $50m – compared to the current $2.2m cap.

Penalties could also take the form of 30 per cent of a company’s adjusted turnover for the relevant period or three times the value of any benefit obtained through the misuse of information, potentially costing companies hundreds of millions of dollars.

Attorney-General Mark Dreyfus said recent major data breaches at companies, including Optus and Medibank, had shown current measures to be insufficient.

“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” Mr Dreyfus said in a press statement.

“When Australians are asked to hand over their personal data they have a right to expect it will be protected.”

Attorney-General Mark Dreyfus revealed harsher company penalties for data breaches to be introduced in legislation when parliament returns next week. Picture: NCA NewsWire/Gary Ramage

Legislation will be introduced to parliament next week to increase maximum penalties that can be applied under the Privacy Act 1988.

The proposed changes would not be retrospective, meaning they could only be applied to future breaches.

Previously, penalties were targeted at companies that failed to meet obligations of notifying the government when there was a breach of their customer data.

A combination of factors will be taken into account to determine penalties, including the number of people affected, nature of leaked data, consequences of a breach and how “reckless” companies have been, according to Mr Dreyfus.

“It’s designed to make companies think. It’s designed to be a deterrent so that companies will protect the data of Australians,” he said.

Cyber Partner at McGrathNicol Advisory, Darren Hopkins, said the changes were not unexpected but added government and businesses could be taking a more unified approach to stopping hacks before they happened.

“What we were hoping to see — penalties are one part of this — but what should businesses be doing to actually improve their cyber security so it doesn’t happen,” Mr Hopkins said.

A major customer data breach at Optus earlier this month put the issue in the spotlight. Picture: NCA Newswire / Gaye Gerard

“Where are the guidelines around improvements or expectations of businesses to meet certain levels?

“What should they be doing to actually make the issue go away, as opposed to if you have a mistake or something happens, you get fined.”

Mr Hopkins also pointed out that many of the victims of cyber attacks were small to medium-sized businesses for which a minimum $50m fine would be catastrophic.

The bill will also provide the Australian Information Commissioner, a government entity, with greater information gathering and sharing powers to help resolve privacy breaches.

A review of the Privacy Act by the Attorney-General’s Department is expected to be completed this year and result in further recommendations to better protect Australians’ information.

“I look forward to support from across the parliament for this bill, which is an essential part of the government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era,” Mr Dreyfus said.

Original URL: https://www.news.com.au/technology/online/security/companies-face-new-penalties-for-customer-data-breaches/news-story/55761b5ed604833b4858b66ef8ae997c