As we reported in a recent In Brief, the Federal Parliament is close to passing the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which represents the outcome of the first stage of the Commonwealth Government’s response to the Australian Law Reform Commission’s 2008 report on Australia’s privacy laws.
The Government has now turned its attention to the second stage, which will address the remaining 98 recommendations in the ALRC report that were not considered as part of the first stage.
One of these recommendations was that Australia should adopt a mandatory notification requirement for breaches of privacy where there is a ‘real risk of serious harm’ occurring. The Attorney-General has issued a discussion paper calling for submissions on whether a mandatory notification regime is desirable and, if so, what form such a regime should take.
The discussion paper can be found here, and responses are due by 23 November 2012.
The paper considers various models for a mandatory notification system, including the ALRC’s proposal, a binding version of the OAIC’s current voluntary data breach guidelines, and the various mandatory models either in place or being considered in various international jurisdictions including the US, EU, UK, Ireland and Canada.
The paper then invites respondents to comment on seven sets of ‘design questions’ that the Attorney-General intends to refer to when deciding whether, and what type of, legislative amendment is appropriate. The seven categories of ‘design questions’ are:
- Should Australia introduce a mandatory data breach notification law?
- Which breaches should be reported (triggers for notification)?
- Who should decide on whether to notify?
- What should be reported (content and method of notification), and in what time frame?
- What should be the penalty for failing to notify when required to do so?
- Who should be subject to a mandatory data breach notification law?
- Should there be an exception for law enforcement activities?
While the paper has been drafted as a request for comment, its tone suggests that the Government may still need further convincing that a mandatory breach notification regime would represent a better balance of the interests of data users and collectors than the current system, which relies on a combination of:
- mandatory data security obligations (which provide an incentive to prevent privacy breaches);
- the Information Commissioner’s voluntary breach notification guidelines (which the Government considers to be operating effectively); and
- various non-legal incentives that encourage an appropriate level of notification (such as the incentive to protect reputation).
The paper notes that while there appears to be a fair amount of public support for mandatory breach notifications (based on the submissions to the ALRC report and the Department of Prime Minister and Cabinet’s 2011 cyber white paper), there are still concerns over the compliance burden that a mandatory notification requirement will place on industry. There are also questions about the effectiveness of mandatory notification in curbing incidents of identity theft and in giving victims the opportunity to protect themselves in the event of a privacy breach (which the ALRC raised as a key concern).
It is interesting to note that the paper does not contain any discussion regarding:
- the Government’s recent proposals in relation to increased data retention obligations for ISPs; or
- the potential impact that failing to implement a mandatory notification law may have on cross-border data transfers with jurisdictions that do have such laws.
This may be because both of these issues have come to prominence in the intervening four years since the ALRC’s report was released.
However, given the amount of public interest surrounding the first point, and the increasing relevance of the second point due to the rapid uptake of cloud-based IT service delivery models in data-intensive businesses, it will be interesting to see what comments are made about these issues in the submissions and how the Government responds to such comments.