Australia’s technology industry groups have called on the federal government to include safe harbour provisions in privacy legislation designed to impose significantly higher penalties on organisations for serious data breaches.
They have also recommended a tiered penalty regime in order to ensure smaller fines apply to less severe infringements, much like the approach adopted by the European Union’s General Data Protection Regulation.
A senate inquiry is currently scrutinising the Privacy Legislation Amendment (Enforcement and Other Measures) Bill, which would raise the maximum penalty for serious or repeated data breaches to ensure “Australian privacy laws remain fit for purpose in a globalised world”.
The bill proposes lifting the maximum penalty from $2.22 million to $50 million, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period, whichever is larger.
It also would alter “extraterritoriality provisions” so that foreign companies operating in Australia could be subject to the Privacy Act even if they do not collect or hold citizen data “directly from a source in Australia”.
But while supporting the intentions of the bill, all three industry groups have pushed back against the one-size-fits-all penalty regime and proposed additional mechanisms that give organisations the benefit of the doubt.
The Australian Information Industry Association (AIIA) said it is concerned about the “quantum of the proposed increases in penalties and the disincentives to good corporate behaviour and transparency around data breaches that this may lead to”.
“The bill as introduced exceeds that of the strictest regimes found on the global stage, with the maximum penalties being increased by a factor of more than twenty,” the AIIA said in its submission to the inquiry.
The penalty regime, although consistent with other recent changes applying to breaches of consumer law, would be significantly higher than those proposed in the Online Privacy Bill exposure draft in October last year.
AIIA has recommended that a safe harbour mechanism be embedded in the legislation to “quarantine such organisations from these penalties” if they “engage in timely reporting and act in good faith in implementing data and cyber security frameworks with due diligence”.
The group said safe harbour provisions adopted in Ohio, Utah and Connecticut in the United States allowed organisations to demonstrate that their cyber security policies followed one of several recognised frameworks, and could serve as a “useful model for the government”.
“The concepts of due diligence and good faith are essential; government must ensure that privacy penalties and legislation are sensitive, not blunt, to these factors, especially where actors are sophisticated and circumstances are out of all reasonable control of the subjects of breaches,” it said.
The Australian Computer Society (ACS) said a government-endorsed “voluntary certification scheme that offers limited safe harbour under the Privacy Act” could provide the answer, as long as it is “not so minimal as to be a box-ticking formality with no real value”.
The scheme would work like ‘pink slips’ do for road worthiness, the ACS said, by providing “assurance to courts, insurers and partners that a company had undertaken reasonable steps to protect customer data and prevent breaches”.
While the specifics of such a scheme would require consultation with businesses, it said “such action might include the use of standards-based trust marks based on recognised frameworks” such as the government’s Essential Eight cybersecurity controls.
“ACS has no objection to harsh penalties for organisations that fail to do everything they can to protect their customers’ data, especially for those companies that make the cynical calculation that the cost of compliance with cyber security principles exceeds the risk-adjusted liability of a breach.
“However, there is a danger that companies that are doing all the right things still get compromised. We do not believe equal penalties should apply to those organisations.”
ACS also called for a “tiered penalty regime and much clearer (and explicit) models for calculating penalties”, arguing the “current one-size-fits-all legislation over-punishes small companies and under-punishes large, distorting incentives for companies of all size”.
“Large companies will potentially see that the cost of compliance with cyber principles is greater than the liabilities of a breach, and decide that budget is better reserved for dealing with the fallout rather than ensuring no breach occurs.
“Small companies, the least able to afford complex cyber security, are conversely potentially completely destroyed by a breach.”
This position is shared by the Tech Council of Australia, which said in its submission that the proposed penalties “should be proportionately applied” like the tiered approach to maximum penalties the General Data Protection Regulation (GDPR) adopts.
The group also backed the inclusion of a safe harbor regime to give organisations “increased certainty over what constitutes ‘reasonable steps’ to protect personal information under the Privacy Act”.
“A safe harbor model could provide more balance to the legislation by retaining the large ‘stick’ of increased penalties, while also providing organisations with a ‘carrot’ to avoid the worst of these penalties if they meet certain conditions,” it added.
The committee reviewing the bill is expected to hand down its report on November 22 — just two weeks after submissions closed — to allow for swift passage. The AIIA noted that the “tight reporting timeframes” would make genuine consideration of the bill “challenging”.