Technology is no longer the new frontier; it’s not an ungoverned or unregulated place. As COVID has demonstrated, digital technologies are now core to our economy and society, and governments are responding with increased regulation and oversight.
While sensible and targeted regulation is supported by the sector, we are now at the point where the regulatory frameworks are becoming tangled.
Duplication and overlap are emerging, and overzealous laws are being implemented by policy makers with little to no understanding of the complexities inherent in the digital ecosystem.
The Department of Prime Minister and Cabinet’s website proclaims that “COAG has agreed” that regulatory processes should among other things:
- Establish a case for action before addressing a problem
- Consider a range of options, including self-regulatory, co-regulatory and non-regulatory approaches
- Ensure the benefits outweigh the costs and that the response is proportional
- Consult effectively with affected stakeholders
These principles, however, are not being followed by the federal government.
The government regularly plays the national security trump card to overrule consultative processes, at times failing to establish a case for action or to undertake a cost-benefit analysis, and its regulatory responses have not always been proportional.
In the past 12 months the tech sector has faced reviews and new laws from the Online Safety Commissioner, the Department of Home Affairs, the Attorney-General's Department, Treasury, the Office of the Australian Information Commissioner, the Digital Transformation Agency and the Australian Cyber Security Centre.
Allow me to highlight just one example of the current duplicative cyber-incident reporting obligations.
The Notifiable Data Breaches scheme under the Privacy Act requires companies to report breaches of personal information to the Office of the Australian Information Commissioner (OAIC), irrespective of whether the breach results from a cyber incident or from human error.
The recently amended Security of Critical Infrastructure Act 2018 also requires regulated companies to report cyber incidents to the Australian Cyber Security Centre (ACSC), even where no personal information is involved. Should a cyber incident affect personal information, the company must report to both the ACSC and the OAIC.
These two obligations use two different report formats, submitted to two different agencies, under two different reporting timeframes.
With increased regulation comes increased business (and director) risk of non-compliance, increased business costs and controls required to comply with mandatory reporting regimes, and barriers to investment and expansion, for example changes to foreign investment laws that make it harder for Australian companies to access the capital they need to expand.
What we need is an agency or process inside government that sits across all the tech regulators, eliminates duplication and aligns reporting processes. This is especially the case in cyber security policy, an area of intense government regulatory activity.
Home Affairs is currently briefing industry on the government’s proposed ransomware incident reporting obligation.
This will apply to all Australian businesses with annual revenues of more than $10 million, which will be required to report a ransomware incident to the ACSC within either 12 or 72 hours depending on its severity. The obligation will apply to every business above that threshold, not just tech companies.
The tech sector is being subjected to more regulation, not less; that is the reality. Government must refer to its own principles on the introduction of regulatory processes, work with industry when issues arise, and look for non-regulatory responses first rather than default to pulling the regulatory trigger without understanding the impacts.
Simon Bush is General Manager for Policy and Advocacy at the Australian Information Industry Association (AIIA).