Australian organisations remain divided over the issue of data breach notification laws, leaving the Department of the Prime Minister and Cabinet with mixed signals on how to plan a strategy for Australia's digital future.
The need for data breach notification laws has been long debated, with the recommendation for such legislation proposed by the Australian Law Reform Commission in 2008. Such legislation would place a legal requirement on organisations to inform their users in the event of a data breach.
As part of the cyber discussion paper (PDF), the Australian Government raised the question of how the reporting of data breaches should be handled and encouraged.
Optus felt that the existing method of promotion and general awareness of the Office of the Australian Information Commissioner's (OAIC) voluntary data breach notification guidelines would be sufficient, although it did state that the OAIC could set out clear information as to when those guidelines come into place. Telstra appeared to partially agree, stating that breaches should continue to be voluntarily reported, but legislation to support such reporting should be examined.
The OAIC, which also covers the Australian Privacy Commissioner, disagreed with the telcos' partial approach and stated in its submission that it continued to stand by its recommendation for mandatory data breach notifications. It also stated that it was reviewing its voluntary guidelines for handling breaches.
The Internet Industry Association (IIA), which represents both Optus and Telstra, took a similar view to the telcos, but reasoned that establishing laws to force breach notification could be to the detriment of local industries.
"Take for example an e-commerce site hosted in the United Kingdom with Australian customers," its submission read. "The creation of mandatory breach laws here may not be enforceable against such companies, rendering the regime either meaningless or disadvantageous to Australian-based companies who are forced to comply. This in turn may create an incentive to host offshore, undermining the policy intent."
The IIA recommended a "collaborative industry-led approach using a code-based framework (possibly co-regulatory)" to solve the issue of breach notifications.
However, the Australian Privacy Foundation (APF) said in its submission that hiding behind issues of jurisdiction only fostered a culture of "avoiding 'difficult cases'" and the reality was that Australian law in many cases already had the ability to reach beyond local borders.
"For example, such an extraterritoriality is clearly anticipated in s.7 of the Spam Act 2003 (Cth), it is found in s.5B of the Privacy Act 1988 (Cth) and can be implied from s.67 of the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth))," APF's submission read.
"A sober-minded consideration of the real state of things shows that the problem is not so much found in the reach of Australian law. Rather, the problem stems from a lacking willingness, and in some cases capacity, to enforce that law in relation to foreign-based parties.
"One does not have to dig particularly deep to be struck by the inadequacy of how Australian conflict of laws rules treat consumers. For example, while European e-consumers are afforded protection through the right to sue, and be sued, in their country of domicile, no similar protection is provided to Australian e-consumers."
The Australian Information Security Association's submission followed a similar vein of thought, stating that Australia should introduce laws for mandatory reporting and use the lessons learned from other countries that have already done so as guidance.
There were also a number of submissions that appeared to be sitting on the fence, while obviously aware of the issue.
Electronic Frontiers Australia did not take any side, but instead highlighted the importance of a discussion on laws protecting those who discover data breaches.
"Customers who discover security problems should be protected. Whether this means we need legislative protection for security whistleblowers etc. is a question that should be investigated, but it clearly demonstrates that some major institutions have a very poor understanding of appropriate policy to maintain security."
Additionally, the Attorney-General's Department, while acknowledging that the topic of data breach notifications was previously recommended as an issue raised by the Quintet of Attorneys-General, did not explicitly list it as a priority area that the Cyber White Paper should consider.