Privacy Amendment (Privacy Alerts) Bill 2013: Compulsory Data Notification Raises Business Concerns

Wednesday 19 June 2013 @ 12.08 p.m. | IP & Media

Recently we reported on the federal government's proposed laws requiring businesses and government agencies to notify people when a data breach affecting their privacy occurs: the Privacy Amendment (Privacy Alerts) Bill 2013 (before the Senate at second reading stage as at 17 June 2013). SmartCompany and other sources have reported that the Bill has drawn criticism from the Association for Data-driven Marketing and Advertising (the ADMA) and its CEO, Jodie Sangster, who have accused the federal government of rushing through the Bill, which they say "will impose more regulation on Australian business".

To recap, the Bill proposes to amend the Privacy Act 1988 (the Act) by introducing mandatory data breach notification provisions for agencies and organisations that are regulated by the Act. The changes in the Bill are proposed to commence immediately after the amendments to the Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, on 12 March 2014.

On its website, the ADMA reports that ... "CEO Jodie Sangster lambasts Australian Government for plans to impose mandatory data breach notifications on top of coming privacy laws and claims they threaten Australian business prosperity." The ADMA's chief executive says that "the Bill, which is on track to become law in a matter of days, was 'ill-considered'".

Key criticisms are that the legislation comes at a time when both large and small businesses are already grappling with the most extensive changes to privacy legislation seen in the last 10 years and that now the government intends to impose even more legislation without properly considering the impact on business.

“If the Government is going to make any changes to the current regime it needs to go through proper consideration and consultation. Businesses have enough on their plate trying to prepare for new privacy laws coming into effect in a matter of months. Let’s get that right and then we can look at what more needs to be done. What’s the big rush?”

If passed, the Bill will require businesses to report to the Federal Privacy Commissioner the possibility of any "serious harm", which could come from a data breach. According to ADMA CEO Jodie Sangster, "clear and comprehensive guidelines on data notification breaches" already exist and "are working well".

Also questioned by the ADMA is "the lack of clarity around what ‘serious harm’ [means], especially given the threat of fines up to $1.7 million for non-compliance": “There is a danger that businesses will err on the side of caution and over-report data breaches.”

In response to claims by the Federal Attorney General, citing a report from McAfee claiming 21 percent of Australian businesses had suffered data breaches, ADMA CEO Sangster responds by noting "that more than 2.1 million businesses were trading in Australia last year, meaning the number of potential data privacy breach investigations could reach 450,000 – an unworkable figure for businesses, consumers and the regulator".

It will be interesting to see how business copes with the new provisions and if the problems envisaged will require even further legislative intervention.
