Recent events have highlighted the importance of encouraging all Australian businesses to make cybersecurity a priority, but we must ensure due consideration is given to plans to increase penalties against companies that fail to adequately protect the personal data they hold.
“The Privacy Legislation Amendment (Enforcement and Other Measures) Bill, which is currently being considered by the Australian Parliament, represents an important step towards responding to increasing concerns regarding privacy, security and data protection,” Law Council of Australia President, Mr Tass Liveris said.
“These are matters that are understandably at the forefront of minds in the wake of recent cyber incidents involving theft of personal data, and we appreciate the desire to respond in a timely manner.
“However, the Law Council has some concerns with the timeframes provided for scrutiny of the Bill noting the truncated period of consultation that has occurred, and the significance of the reforms to organisations covered by the Privacy Act.”
A key measure in the Bill is the proposed increase to financial penalties under the Privacy Act for serious or repeated privacy breaches, together with a range of information sharing measures and additional powers for the Australian Information Commissioner, some of which are retrospective in their application.
“While the additional penalties will be limited to ‘serious or repeated’ infringements, these terms are not defined in the Privacy Act and have not yet had the benefit of substantive interpretation through case law. This has the potential to create a degree of uncertainty amongst organisations covered by the Privacy Act, including some smaller organisations,” Mr Liveris explained.
“Increasingly, individuals are required to provide personal and sensitive data in order to participate in Australia’s digital economy and to access services. While the focus of a data breach under the Bill is targeted towards penalising an organisation, the impact and consequences are most acutely felt by the people whose data has been accessed, shared and compromised. The Law Council calls for an increased focus on options for improving remediation for affected persons and to ensure the framework supports victims of privacy breaches.
“We also recognise the importance of a privacy framework that primarily incentivises steps being taken to prevent data breaches, instead of reparations being made after a breach has occurred. These are matters that are being considered as part of the ongoing holistic review of the Privacy Act, which the Attorney-General has highlighted as being a priority for this year and which the Law Council has consistently welcomed. It will be important to maintain the momentum of this broader review and produce a legal and regulatory regime that is genuinely adapted for the 21st century economy, while avoiding uncertainty and unintended consequences that may arise from a fragmented approach to reform.”