Two years after promising “tough” new penalties for data breaches, the government is still yet to actually introduce the reforms, despite acknowledging at the time that the current scheme “falls short”.
In March 2019, Attorney-General Christian Porter and then-Communications Minister Mitch Fifield unveiled a new penalty regime under the Privacy Act, in the wake of the Facebook and Cambridge Analytica data scandal.
The government said it would increase the current maximum penalty for a data breach from $2.1 million to $10 million, or 10 per cent of the company’s annual domestic turnover.
The reforms would also give the Office of the Australian Information Commissioner (OAIC) new infringement notice powers, with penalties of up to $63,000 for companies and $12,600 for individuals who fail to assist in resolving a breach.
A spokesperson for the Attorney-General’s department said draft legislation for the reforms would be released for consultation in May, after it was initially promised in the second half of 2019.
In Senate Estimates on Tuesday, representatives from the Attorney-General’s department said this delay was due to the focus on COVIDSafe and “other priorities”.
This is despite the draft legislation being promised well before the onset of the COVID-19 pandemic.
At the time, the federal government said that the “existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations”. These protections and penalties are still in place now, two years later.
Shadow assistant minister for cybersecurity Tim Watts criticised the delay, pointing to the fact the OAIC is still yet to seek a financial penalty for a data breach under the current scheme.
“In typical Morrison government fashion, despite tough talk and media fanfare these reforms were announced but never delivered,” Mr Watts said.
“The Attorney-General has acknowledged the problem but two years on has failed to get on with the job of making the necessary changes.”
At a Senate Estimates hearing on Tuesday night, Attorney-General’s deputy secretary Sarah Chidgey said the legislation had now been “substantially” drafted ahead of its release in the coming months.
“The team that works on the legislation and the Privacy Act review has also dealt with other priorities, for example the COVIDSafe legislation. That took quite a significant effort to deal with some of those issues,” Ms Chidgey told the Senators.
The department is undertaking a significant review of the Privacy Act following the competition watchdog’s digital platforms inquiry. The review was launched in late 2019. Submissions to this review have been used to inform the data breach penalties legislation, the department said.
The final report from this review is expected to be handed to the government by October.
Australian Information Commissioner Angelene Falk said she would welcome the increase in her powers to match those of the Australian Competition and Consumer Commission, and those in the European Union’s General Data Protection Regulation (GDPR).
“It’s fair to say that the GDPR does contain additional rights and obligations and it’s to that end that I’ve made a submission to the government’s review of the Privacy Act and made some recommendations that we ought to consider some of those international developments,” Ms Falk said at Estimates.
“I welcome changes and improvements to the regulatory toolkit that I currently have and I’m looking forward to the legislation that goes to these matters and the progress of the review that more broadly is being conducted by the department.”