Australians will be informed of certain breaches of their personal information under new laws being proposed by the Turnbull government, but only if the company or organisation breached turns over $3 million in revenue a year. 
The Attorney-General's Department has released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, which will require entities to disclose serious breaches of people's information.
The government was meant to introduce the bill into parliament before the end of the year. It left it until the last sitting day to release the draft before its likely introduction into parliament next year.
If passed, the bill will require companies to disclose a breach within 30 days if it concerns personal information and "there is a real risk of serious harm to any of the individuals" to whom the information relates.
At present, companies, federal government agencies and other Australian organisations are not required to disclose breaches by law. Nothing stops them from voluntarily disclosing a breach.
Vice chairman of the Australian Privacy Foundation, David Vaile, said the $3 million threshold of compliance - something in the Privacy Act for some time - was "a potential problem".
"A backyard data-munging operation can now cause as much damage, and release as much data (but may be less scrupulous or well defended) than any big bank, telco or government agency," he said.
Chief executive officer of the Consumer Action Law Centre, Gerard Brody, agreed, saying that individuals should have a fundamental right to be informed of "any data breach involving personal information about them".
Ty Miller, of computer security firm Threat Intelligence, said that whether or not a breach is disclosed should not be based on how much money an organisation earns but the sensitivity and the amount of data breached.
"[Under this bill] you could have a project that is collecting millions of people's details and not have to notify anyone affected by the breach because you are not earning any money from it."
He said Australia needed some form of data breach notification scheme because there was a large number of security breaches occurring that were undisclosed.
Submissions concerning the draft bill are due by March 4.