The laws governing how Australians are protected from harm caused by data breaches and the widespread collection of personal information are still in dire need of change even if the government’s latest bill is a step in the right direction, privacy advocates have warned.
On Wednesday the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed the lower house and is set to cruise through the senate following a committee review.
The amendments, introduced in the wake of the Optus breach, increase penalties for serious data breaches to $50 million or 30 per cent of the company’s turnover and repeal the need for organisations to have an “Australian link” in order to be covered by the Privacy Act.
In its submission to the review committee, Digital Rights Watch said it welcomed the legislation but warned that band-aid solutions are “not nearly comprehensive enough to establish meaningful, long-term privacy protections for everyday people”.
“Data breaches are just one of many possible privacy-related harms that can arise when people’s personal information is collected, used, stored and shared inappropriately or unlawfully,” Digital Rights Watch said.
“Given that the Bill does not make any meaningful changes to the Australian Privacy Principles, this Bill alone will not address the long-standing gaps and issues, but rather increase the punitive measures for serious or repeated breaches under the current Act”.
Anna Johnston, founder of consultant firm Salinger Privacy, likewise said the bill was adequate in its current state – going as far as saying it “should be passed as soon as possible” – but said she doesn’t want to see the government rest on its laurels and accept small legislative changes as ‘good enough’ amidst the current public reckoning of poor Australian data privacy standards.
“Tinkering with penalties and enforcement powers alone will not improve the overall level of privacy protection for Australians,” Johnston wrote.
“The successful passing of this bill should not provide an excuse for the government to lose momentum in terms of the wider review of the Privacy Act.”
The government has committed to “an overhaul of the Privacy Act next year”, Attorney General Mark Dreyfus said on Wednesday.
“Significant privacy breaches in recent weeks have shown existing safeguards are outdated and inadequate.”
Good cyber security shouldn’t be punished
While most submissions were broadly supportive of the privacy changes, a trio of associations has argued that the laws should be amended to grant leniency to organisations that can prove they did their best to mitigate the risk of data breaches.
Groups representing local technology companies and IT professionals are calling for the incoming laws to recognise that sometimes breaches happen despite all attempts at mitigating the risk.
“There is a danger that companies that are doing all the right things still get compromised,” the Australian Computer Society (ACS) said in its submission to the senate committee reviewing the privacy bill.
“We do not believe equal penalties should apply to those organisations.
“Instead, we would argue for the development of a government-endorsed voluntary certification scheme that would provide assurances to courts, insurers, customers and partners that a company had undertaken reasonable steps to protect customer data and prevent breaches.”
A certification scheme, which ACS referred to as a “trust mark”, could borrow from existing frameworks including international standards and Australia's own Essential Eight maturity model so long as it struck the right balance between efficacy and applicability.
“The burden of compliance should not be so great as to discourage companies from even trying, but not so minimal as to be a box-ticking formality with no real value,” ACS said.
In agreement were the Australian Information Industry Association (AIIA) and the Tech Council of Australia, which both included safe harbour provisions in their submissions on the Privacy Act amendments.