Key legislation to introduce mandatory data breach notification laws has failed to make it through parliament, despite numerous claims that it is long overdue.
The issue had been expected to come before parliament on Thursday; however, on a day of changes within the government, the Privacy Amendment (Privacy Alerts) Bill 2013, which refers to the notification laws, was not debated. Although the second reading of the Bill was noted in the Senate Notice Paper for the last day of the sitting, parliament never got around to raising the issue for debate, with the daily summary missing any mention of the Bill.
Previously, it had been thought that the government would have until June to pass the legislation, as this would be the last time that parliament would sit before a September election. However, as the writs for an election have not yet been issued, and with a recent change in prime minister and Cabinet, it is possible that the issue could come up for debate if the election date is moved and parliament sits again.
The Legal and Constitutional Affairs Legislation Committee had recommended that the Bill be passed. It had already seen passage through the House of Representatives earlier this year in May, and was first introduced to the Senate in June.
At that time, Australian Communications Consumer Action Network (ACCAN) CEO Teresa Corbin criticised the delays, saying that notifications aren't difficult to provide, and that consumers have a right to know when their privacy has been breached.
"It's simply unfair on Australian consumers that it is taking this long to introduce this requirement. It's a business' responsibility to protect their customers' private information; it's as simple as that," she said in a statement.
In 2011, attorneys-general from the US, the UK, Canada, and New Zealand also urged Australia to consider notification legislation as one of the most pressing issues the country should tackle.
Breach notification laws were one of 295 recommendations that the Australian Law Reform Commission (ALRC) made in 2008 as part of its review of the Privacy Act. It had been placed into a second tranche of recommendations to be put before parliament, the first tranche passing through the lower house in September last year. The supported recommendations in the first tranche are due to take effect in March 2014, and include measures such as increasing the privacy commissioner's powers.
The data breach notification legislation, however, appears to have been brought out of the second tranche as a matter of urgency.
In July last year, now-former assistant commissioner of compliance Mark Hummerston from the Office of the Information Commissioner bet that mandatory data breach notifications would be introduced in late 2013, with an interim period for organisations to prepare.
His prediction matched the timing of the Bill being introduced to the lower house, and Attorney-General Mark Dreyfus' suggestion in May this year that the government would include an "appropriate period for the introduction of this legislation".
Dreyfus had told journalists that it is "a fairly simple piece of legislation", a stark contrast to then-Cabinet secretary Joe Ludwig, who told ZDNet in 2010 that this is "a complex area of law".