Organisations worry breach-notification laws rushed, overpowered

The debate into whether Australia needs mandatory privacy/data breach-notification legislation is well underway, with the Attorney-General's Department previously calling upon the public to have their say on whether new laws are required. A number of privacy groups and advocates have supported the need for such legislation, but other parties are concerned that recent changes to the privacy landscape may mean that the potential legislation is overkill.

Yesterday, the Office of the Australian Information Commissioner (OAIC), which houses the functions of the Privacy Commissioner, released its submission alongside those of the Australian Communications Consumer Action Network (ACCAN) and Privacy Victoria (PDF). The Australian Privacy Foundation also released its submission over the weekend. All four privacy and consumer rights advocates support the introduction of legislation that would see Australians notified if their personally identifiable information is exposed in a breach.

However, other parties have issued caution toward introducing such legislation. In particular, the Law Council of Australia wrote in its submission that although it previously supported the introduction of mandatory privacy/data breach-notification legislation, it is no longer the right time to introduce changes, considering that the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 passed through parliament on Thursday.

"We suggest that the effectiveness and consequences (both intended and unintended) of those amendments should be experienced and properly considered before further amendments are made," Law Council of Australia secretary-general Sally Walker wrote in the organisation's submission.

The amendments include provisions to increase the Privacy Commissioner's powers in investigations that it has initiated. These powers mean that the Privacy Commissioner can force organisations that experience a breach to do something about it. Previously, the Privacy Commissioner could investigate and make recommendations as to what the organisation should do, but it had no way of requiring the organisation to take action.

The ability to hand down enforceable undertakings is also augmented by the Privacy Commissioner's new ability to issue civil penalties to organisations that experience a breach, and either fail to take reasonable steps to protect the information entrusted to them, or fail to adequately respond.

Walker wrote that these powers may be sufficient enough that mandatory notification legislation would be unnecessary, but that no one could really know for sure until the new laws are in place and sufficient time has elapsed to determine how effective they are. The new powers bestowed on the Privacy Commissioner are due to come into effect in March 2014.

Until the new privacy amendments have been tested and analysed, Walker wrote that the Law Council considers the existing voluntary scheme to be appropriate.

The Insurance Council of Australia's submission (PDF) agreed, pointing to the OAIC's own annual reports that show, at least in the insurance industry, that there are minimal privacy complaints, and although there has been a general increase, this is more likely to be due to an increase in privacy awareness.

At the moment, private organisations that fall under the Privacy Act are required to comply with 10 National Privacy Principles. Similarly, most government agencies comply with 11 Information Privacy Principles. But the recent amendments to the Privacy Act mean that these will be replaced with a unified set of Australian Privacy Principles to reduce confusion and enhance privacy.

Like the Law Council's submission, the Insurance Council points to the Australian Privacy Principles as an improved and clearer means of encouraging responsible breach disclosure. Even though the principles still do not legally require a breached organisation to notify affected individuals, when combined with the Privacy Commissioner's new powers, the Insurance Council considers them to be sufficient to address any failures to notify the public.

However, the current voluntary arrangements were deemed insufficient by the many of the privacy advocates. ACCAN wrote in its submission that despite the explosion in reports of breaches in the media, "various estimates suggest that the vast majority of breaches go unreported."

ACCAN believes that in the future, even more personal information will be at risk, and that this presents a significant need for mandatory notifications.

The OAIC, in its submission, does not directly tackle the issue of whether the Australian Privacy Principles will be sufficient to better encourage organisations to responsibly report when they have been breached. However, it does state that establishing mandatory breach notifications would clear any doubt that an organisation may have on whether to provide notifications.