Data breach penalty reforms get Senate committee green light

A Senate committee has given the green light to the federal government’s data breach penalty laws, with its only substantive recommendation to be considered as part of the ongoing review of the Privacy Act.

The Legal and Constitutional Affairs Legislation Committee reviewing the bill tabled its report into the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 on Tuesday evening, paving the way for the bill to pass Parliament.

The bill, which was drafted in response to the Optus data breach that exposed the personal information of almost 10 million Australians, would raise the penalty against companies for serious or repeated data breaches.

The maximum penalty would climb from $2.2 million to the largest of $50 million, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

In its report, the committee said a “broad range of stakeholders” supported stronger penalties for ‘serious’ or ‘repeated’ interferences of privacy, but that some had called for explicit definitions in the bill.

The committee agreed that “the legislation should provide more clarity about what would comprise a ‘serious interference’ and a ‘repeated interference’” due to the “proposed quantum for contraventions of this provision”.

It recommended the Attorney-General’s Department (AGD), as part of its review of the Privacy Act, “recommend amending section 13G of the Act to define the terms ‘serious interference’ and ‘repeated’ interference and that the Australian government implement such a recommendation”.

Issues with the inclusion of terms like ‘benefit’ in the penalty regime, as raised by the Business Council of Australia and the Law Council of Australia, were also identified as a concern but did not ultimately form the basis for a recommendation.

“The committee is concerned about the proposed mechanism for determining the maximum penalty for a regulated entity in the event of a data breach. In its view, the difficulty in identifying and determining the requisite ‘benefit’ has the potential to lead to perverse outcomes,” the report said.

The Business Council of Australia said in its submission that the “logic of driving penalties through looking at ‘benefit’ (or, where these can’t be determined, turnover) is nonsensical”, while the Law Council of Australia said terminology had been inappropriately adopted from the Consumer Law.

Liberal senator Paul Scarr, who recommended the bill pass with the two proposed amendments, argued the “report does not go far enough in this regard” as it could result in businesses being lumped with larger penalties.

“In circumstances where a body corporate has been the subject of a cyber-attack and is found to have engaged in conduct constituting the contravention because it was (for example) wilfully reckless or grossly negligent in protecting the personal information/data, what is the benefit that the body corporate received?” he asked.

Senator Scarr also backed tiering of the penalties, as universally recommended by Australia’s technology industry groups, to ensure small to medium-sized enterprises aren’t subject to the same penalties as multinationals.

The concerns were echoed by Greens senator David Shoebridge, who said the “lack of a tiered penalty regime and the drafting of the amendments to section 13G of the Privacy Act 1988 created significant weaknesses in the privacy regime”.

He said the “benefit that corporations obtain from privacy breaches is far more ambiguous” than under competition laws, leading to ambiguities with the “proposed alternative maximum fine…where there is no benefit or the benefit is hard to determine”.

“These difficulties arise from taking provisions designed for one part of the law and unthinkingly applying them to this. There is a need for the government to closely consider these drafting issues as a matter of urgency,” he said.

The committee also gave ‘in principle’ support to the bill’s secondary purpose: to alter the “extraterritoriality provisions” so that foreign companies operating in Australia could be subject to the Privacy Act even if they do not collect or hold citizens’ data “directly from a source in Australia”.

However, it agreed with the Law Council of Australia’s argument that the “proposed provision has been too broadly drafted and must retain some connection with Australians’ information, as is the case in the European Union’s General Data Protection Regulation”.

The committee recommended that the AGD “examine the appropriateness of [the bill] providing for any additional ‘Australian link’”.

Calls for a safe harbour mechanism – which garnered support from industry groups but is opposed by privacy bodies – did not result in any recommendations, but the committee said these would be considered as part of the Privacy Act review planned for release before the end of the year.

“The committee acknowledges that the AGD is aware of these suggestions, many of which are already being considered,” the report said.

“While not part of this inquiry, the committee especially notes data minimisation, safe harbour mechanisms for compliant regulated entities, compensation for identifiable harms and civil actions (such as a statutory tort for serious invasions of privacy), as particularly matters for consideration.”

Do you know more? Contact James Riley via Email.
