Privacy watchdog pushes back on cyber enforcement restraints

Proposed legal protections for businesses that share information with the government cyber responders during an attack should not stand in the way of future enforcement action by regulators, according to Australia’s privacy watchdog.

In a submission to a parliamentary inquiry into cybercrime, the Office of the Australian Information Commissioner urged the government to design the proposed ‘limited use obligation’ so that it “does not preclude regulatory action in the public interest”.

The limited use obligation, flagged in last year’s cybersecurity strategy, would prevent information shared with Australian Signals Directorate and the National Cybersecurity Coordinator during the early stages of a cyber incident from making its way into the hands of other agencies.

The scheme has been proposed to provide comfort to businesses, who are “increasingly reluctant to share detailed and timely cyber incident information” with the government, according to a recent consultation paper.

A non-legislative mechanism for ASD is also being explored as an interim measure, which the government is exploring separately with industry on an “accelerated timeframe”, according to the consultation paper.

Unlike a fully-fledged safe harbour provision, which the government considers “out of step with public expectations”, the limited use obligation “would not impact other regulatory or law enforcement actions, or provide an immunity from legal liability”.

ASD director-general Rachel Noble has previously backed legal protections to help the government receive up-to-the-minute information, while the Business Council of Australia has lent its support to reduce the amount of time businesses spend ‘vetting’ information shared with government.

But the proposed change has the OAIC concerned as it and other regulators like the Australian Competition and Consumer Commission will no longer be able to use the information as part of an investigation or compliance activity.

“The OAIC’s view is that any such obligation needs to be developed carefully and subject to clear boundaries so that regulatory activity in the public interest is not impeded,” it said in the submission published on Monday.

“In particular, it is important that any confidentiality obligations do not impede the current reporting obligations under the OAIC’s NDB scheme nor subvert the OAIC’s regulatory role.

“Ultimately, entities must comply with their legal obligations under the Privacy Act, including their NDB reporting obligation and the obligation to take reasonable steps to protect their data under Australian Privacy Principle 11.”

In November, the OAIC commenced legal action against Australian Clinical Labs (ACL), the ASX-listed company that owns Medlab Pathology, over a data breach that exposed the personal information of 223,000 Australians.

The Information Commissioner alleges that ACL breached section 13G of the Privacy Act, including APP 11, by “failing to take reasonable steps” to protect the personal information of millions of Australians.

The OAIC has urged the government to ensure the new limited use obligation is “carefully designed in consultation with regulators so that it does not preclude regulatory action in the public interest or impact any legislative reporting requirements”.

“While the OAIC appreciates the importance of immediate collaboration and information sharing between affected entities… there is a need to balance the facilitation of industry cooperation during an incident with the ability of regulatory agencies to enforce laws and deter non-compliance at an appropriate time,” it said.

Do you know more? Contact James Riley via Email.

Leave a Comment