Privacy commissioner pushes for powers

Australian Privacy Commissioner Timothy Pilgrim has said that proposed changes to privacy legislation will provide him with greater powers to force organisations to do something about their security in the wake of data breaches, but in the meantime he still has his hands tied.

Australian Privacy Commissioner Timothy Pilgrim has said that proposed changes to privacy legislation will provide him with greater powers to force organisations to do something about their security in the wake of data breaches, but in the meantime he still has his hands tied.

At a panel held by the International Association of Privacy Professionals this morning, Pilgrim said that when an individual complained to the office, he could force companies to compensate the individual for the breach of their data, but admitted that the commission's current powers weren't sufficient when the office of the commissioner opened its own investigation into a data breach.

"I can use the powers available to me to require the organisation to provide information about what it's done, what steps it's taken to resolve it and what actually happened, but because [the investigation has] been opened in the absence of an individual complaint, currently I don't have any remedy powers. I can't force the company to do anything at the end of the day," he said.

Even when a user brings a complaint to the commissioner, there is currently nothing to stop a company from ignoring the commissioner's advice and continuing to leak information.

A 2008 report by the Australian Law Reform Commission, which recommended a total of 295 changes to Australia's privacy framework, recommended that the privacy commissioner be given additional powers.

The government split the 295 recommendations into two tranches, with the increased powers to the commissioner falling within the first tranche of 197 recommendations. A Senate committee is currently considering draft legislation, and is due to release a report on its findings in September.

Pilgrim was sceptical that the government would be able to adhere to that date.

"We're yet to see whether that timetable will be able to be met, given we haven't seen a couple of pieces of the legislation released at this stage."

However, he stopped short of criticising the government's handling of it, stating that in fairness, it was a complex task in terms of not only the number of recommendations, but also in terms of consultation.

Former federal deputy privacy commissioner and Pacific Privacy Consulting principal, Nigel Waters, was not so forgiving, saying that the government has dragged its feet on the issue. He also said that previous privacy commissioners hadn't made enough use of the limited powers they had.

"There are gaps in the powers and sanctions and the enforcement regime that need to be filled, but we've been disappointed with the vigour with which successive privacy commissioners have exercised their existing powers, and we think they could have been more proactive, particularly in actually taking complaints through to formal determinations," he said.

However, both agreed that there was a pressing need for the introduction of data breach notification laws.

A recommendation to implement data breach notification laws has been sorted into the second tranche of recommendations to be dealt with by the government, which is only scheduled to occur once the first tranche of recommendations has been worked into legislation.

Waters said that Australia had no excuse not to implement data notification laws, due to the large overseas experience available from similar laws currently in place in the US and the UK. He also argued that data breach notifications should be brought out of the second tranche of privacy recommendations, like the recommendation to have a statutory right to privacy that privacy minister Brendan O'Connor brought forward for examination last week.

When contacted by ZDNet Australia, a spokesperson for Brendan O'Connor said that data breach notification laws would continue to be reviewed in the second tranche, and not brought forward. This is despite the fact that it had been recommended for consideration during a recent meeting between attorneys-general from Australia and four other countries.

Former chief operating officer of the Australian Federal Police and Smartnet principal James Kelaher said that data breach notification laws shouldn't be tied to privacy laws, and needed to be considered under separate legislation if they were to gain any traction.

"Because of the significant delay in the updating of Australia's privacy legislation, any new privacy issue that is brought on to the table nationally stirs up all of the other issues that have been left unresolved, and we may well find that we go around and around in circles and fail to deal with data breaches as we have with a number of other things," he said.

Kelaher considered that the more sensible approach would be to mirror existing regimes, such as Occupational Health and Safety (OHS).

"It should be seen as quite a straightforward and technical subject, much like you might consider food safety or OHS, where the regime is about the potential risk. Organisations, both government and private sector, need to act to minimise those risks," he said.

"If they fail to do so, then they're in breach of that particular legislation. If they fail to do so in such a way which indicates negligence or a breach of duty of care, then the sanctions extend to criminal sanctions. That kind of regime, with which businesses and governments are already familiar with in Australia, is the kind of data breach regime that Australia should be considering."

Between 2010 and 2011, the privacy commissioner heard of 56 voluntary data breach notifications occurring, up from 44 the year before. In addition, it conducted 59 investigations.