Privacy law reforms are being expedited in the wake of Australia’s largest data breach, with tougher penalties, data retention limits and anti-fraud measures expected to be revealed ahead of wider changes.
Attorney General Mark Dreyfus on Wednesday flagged the three areas as likely proposals from the current review of the Privacy Act, foreshadowing that the measures will be brought forward ahead of the overall finding from the two-year review expected at the end of the year.
Last month’s Optus data breach, which saw the personal information of nearly 10 million customers compromised, had underscored the need to overhaul the “outdated” legislation, Mr Dreyfus told the National Press Club on Wednesday.
“I’m sorry to say I fear that this will not be the last data breach in Australia’s history,” he said.
“We need to have better information sharing when the data breach has happened. Before that we need to have higher penalties to provide a better incentive to make sure it doesn’t happen in the first place.”
The Communications minister has already changed regulations to allow Optus to temporarily share customer identifiers with banks and government agencies to reduce the risk of subsequent fraud.
Announced last week, the regulation change took effect on Monday, several weeks after the breach occurred, and required several ministers and industry stakeholders to work together.
Mr Dreyfus said the process had been “quite cumbersome”.
“It required regulations to be made on Telecommunications Act by the minister for Communications, and we would like to think that it’s possible to devise a way to get that done quicker,” he said.
The Attorney General said a third reform to be expedited as a result of the Optus breach would likely target companies holding personal information without a legitimate reason.
“Why is it that companies feel that they need to have and keep so much information in the first place? Because if they didn’t keep so much information for so long, the consequences of a data breach wouldn’t be so serious,” Mr Dreyfus said.
The review of Australia’s privacy laws was launched in December 2019 following the competition watchdog’s landmark report on digital platforms, which made a number of recommendations for reforms to the Act.
Instead of backing these recommendations, the former Coalition government opted to launch another review into the wider Privacy Act, which has attracted significant interest throughout a protracted consultation process.
After announcing the review, it took nearly a year to launch an issues paper, then another year for a discussion paper. Together the papers received 372 public submissions, many calling for significant reforms.
A final report was originally planned to be with government by late 2021.
Mr Dreyfus, who has committed to finalising the review by the end of the year, revealed on Wednesday that the former government never set a target date to complete the review.
“The former government commenced a review of the Privacy Act and that’s all it did. The review started, work was done by excellent officers in the Attorney General’s department… but there was no indication of when this Privacy Act review was to be completed,” he said.