At last. The Australian Government has passed its mandatory breach notification legislation. But just how effective will it be?
After three attempts, the Australian Government has finally passed the Notifiable Data Breaches amendments to the Privacy Act. However, the political compromises negotiated along the way may well have softened its impact.
Legal experts previously criticised the draft legislation for lack of certainty and strength. They also warned that like any other legislation, the data breach notification legislation requires unambiguous language, supported by tough penalties to ensure impact.
Elsewhere in the world, the EU was able to get all member states to agree (relatively quickly) to unambiguous laws and very tough penalties. Even the US, working state by state, managed to navigate the maze of lobbying by “special interest” groups. By comparison, Australia’s effort may well disappoint.
Expert lawyers will be the best judges of the Australian legislation’s wording and penalties, but it seems clear that many cases will have to be fought in the courts before the ‘rubbery’ wording is tested and organisations can rely on the specific wording and intent of the legislation.
Even setting aside the lack of clarity in the wording, the financial penalties for non-compliance are relatively weak. Compared with the EU and UK penalties, a maximum of AU$1.8m may not be enough of an incentive for larger businesses to adopt best practice.
Mandatory Breach Notification Laws Pass Lower House
Technology industry groups have welcomed the passing of long-awaited mandatory data breach notification laws through the House of Representatives, but fears remain in business circles about unintended consequences.
The bill passed through the lower house with bipartisan support on Tuesday, having been on the government’s agenda since early 2015. Organisations will now have to reveal if their systems are compromised by cyber attack or technical failings.
President of tech industry peak body The Australian Computer Society Anthony Wong said the bill was a “critical step forward in the elevation of data protection and cyber security issues” at the enterprise level.
Under the proposed laws, if an organisation subject to the Privacy Act incurs an “eligible data breach”, it will have to alert the Australian Information Commissioner and the people whose data has been compromised.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in “serious harm to any of the individuals to whom the information relates”.
While some will say that any legislation is better than none, the purpose of the Notifiable Data Breaches amendments to the Privacy Act was to provide more robust protection for stakeholders and the economy overall. One may be forgiven for thinking that the agreed amendments have been weakened from the outset.
For far too long, Australia has been behind the curve when it comes to clamping down on bad data security practices, with agreement on mandatory breach notification legislation lagging behind the majority of other major economies.
The benefits of strong federal governance in corporate law and in workplace and employment regulation are obvious, as is the role such governance has played in strengthening the Australian economy. Mandatory data breach notification legislation was the Australian government’s opportunity to highlight the importance of information in the age of the digital economy.
Strong data breach and notification laws are equally essential in the 21st century, and they signal to other countries that Australia is a safe place in which to do business.