The Australian Information Industry Association (AIIA) has cautioned the Albanese Government against a “heavy-handed or exclusively punitive response” to recent high-profile data breaches.
The bill, which has passed the lower house, would increase fines for serious or repeated privacy breaches to “not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 percent of a company’s domestic turnover in the relevant period.”
The AIIA questioned both the arbitrary nature and the quantum of the increases in penalties, which it warned could have unintended consequences. It is calling on the Government to introduce a safe harbour provision in privacy legislation.
The AIIA suggested that “if businesses engage in timely reporting and act in good faith in implementing data and cyber security frameworks with due diligence, there should be a legislative mechanism to quarantine such organisations from these penalties”.
This would encourage transparency and willingness to resolve major data breaches and seek assistance in doing so, according to the AIIA. In its view, government and legislation should focus on incentivising help-seeking and reporting behaviours by businesses subject to data breaches.
Data breaches can sometimes be unavoidable, the AIIA argued, which is why it wants a well-developed privacy and penalty regime that encourages good behaviour and provides support.
“That is why we want the Government and industry to work together to uplift cyber security and data governance across all sectors,” stated AIIA chief executive officer Simon Bush.
“Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board.”
The AIIA stated that several submitters have said “that under the current law entities can find it difficult to determine what security controls are reasonable in their circumstances.”
More clarity about when penalties apply is needed, in the AIIA’s view.
In 2019, the ACCC recommended in its Digital Platforms Inquiry Final Report that privacy penalties should mirror the maximum penalties available under the Australian Consumer Law (ACL). The Government referenced this recommendation when explaining the increase under the Privacy Legislation Amendment, the AIIA pointed out.
When that report was initially released, the maximum penalties under the ACL were $10 million and 10 percent of turnover.
“The Privacy Act review currently underway is the most appropriate vehicle for dealing with powers and penalties needed for privacy protections in a cohesive and coordinated way. As yet, we don’t know whether SMEs will be included in Australia’s privacy regime once the Privacy Act is updated. This is an important decision that will have a significant impact on many organisations,” Bush said.
“Working to build greater capabilities, by upskilling and elevating data practices, is the best way forward for Australia. This starts with growing the skills of Australia’s ICT workforce. Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia.”
Last week, at the Department of Finance’s Data and Digital Ministers’ Meeting (DDMM), a resolution was passed to develop a National Strategy for Identity Resilience where jurisdictions work to protect Australians from identity-related theft.
“The items on the agenda of the first meeting since the DDMM reconvened – including digital inclusion and data sharing – are evidence of its importance,” Bush stated.
“Proactive, strategic and nationally coordinated work on digital identity and data security will serve the mission of better securing the personal information of Australian citizens. The nation will benefit from this kind of collaboration and strategic thinking on identity and data.”
“The Albanese Government has been responsive to industry recommendations to date, including the AIIA’s call for reconvening the Data and Digital Ministers’ Meeting which met last week, and we hope this will continue,” Bush said.