Attorney-General Christian Porter announced the government would introduce bigger penalties on tech companies in March 2019 following revelations Facebook had been collecting personal user data and selling to political consulting firms without prior consent.

The proposed increases would see companies repeatedly breaching privacy laws fined up to $10 million for offences, increasing from the current $2.1 million penalty.

But Attorney-General Department deputy secretary Sarah Chidgey said it had been occupied by more pressing matters in the two years since it was announced.

"The team that works on the legislation and Privacy Act review has also dealt with other priorities, for example, the COVIDSafe legislation," Ms Chidgey said on Tuesday evening.

"That took quite a significant effort to deal with some of those issues."

Labor senator Kim Carr asked why there had been no action taken in the years since and whether Australia was falling behind the rest of the world in terms of privacy protections.

Ms Chidgey hit back at the criticism, adding an exposure draft had been "substantially" drafted and would be released "shortly".

"There has been a lot of work on it," Ms Chidgey said, defending the department's work.

"We've used submissions we've received through the Privacy Act review also to better inform the development of that exposure draft."

READ MORE:

Labor's cyber security spokesperson Tim Watts said it was time to start delivering on the promises it made.

"In typical Morrison government fashion, despite tough talk and media fanfare these reforms were announced but never delivered," Mr Watts said.

"The Attorney-General has acknowledged the problem but two years on has failed to get on with the job of making the necessary changes."

It is alleged that Facebook collected data through the This Is Your Digital Life app but data from friends of those who downloaded were also captured. It then sold the data to a third-party firm who used it for political profiling.

It included user data containing birth dates, current cities, liked posts and friend lists.

Around 310,000 Australians were exposed in the Facebook data breach but millions more were affected around the world.

In March 2020, Information Commissioner Angeline Falk took action against the tech media giant, alleging serious and repeated contraventions of Australia's privacy laws.

"We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed," Ms Falk said in a statement last year.

"Facebook's default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.

"We claim these actions left the personal data of around 311,127 Australian Facebook users exposed to be sold and used for purposes including political profiling, well outside users' expectations."

Each breach carries a maximum penalty of $1.7 million, which could result in Facebook being sued for more than $500 billion should the action succeed.

The social media site responded by pointing it had since made a number of changes to give users more power over the information they share with the site.

"We've made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data," a Facebook spokesperson said.