As we reported in a recent In Brief, the Federal Parliament is close to passing the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which represents the outcome of the first stage of the Commonwealth Government’s response to the Australian Law Reform Commission’s 2008 report on Australia’s privacy laws.
The Government has now turned its attention to the second stage, which will address the remaining 98 recommendations in the ALRC report that were not considered as part of the first stage.
One of these recommendations was that Australia should adopt a mandatory notification requirement for breaches of privacy where there is a ‘real risk of serious harm’ occurring. The Attorney-General has issued a discussion paper calling for submissions on whether a mandatory notification regime is desirable and, if so, what form such a regime should take.
The discussion paper can be found here, and responses are due by 23 November 2012.
The paper considers various models for a mandatory notification system, including the ALRC’s proposal, a binding version of the OAIC’s current voluntary data breach guidelines, and the mandatory models either in place or under consideration in international jurisdictions including the US, EU, UK, Ireland and Canada.
The paper then invites respondents to comment on seven sets of ‘design questions’ that the Attorney-General intends to refer to when making a decision on whether and what type of legislative amendment is appropriate. The seven categories of ‘design questions’ are:
While the paper has been drafted as a request for comment, its tone suggests that the Government may still need further convincing that a mandatory breach notification regime would represent a better balance of the interests of data users and collectors than the current system, which relies on a combination of:
The paper notes that, while there appears to be a fair amount of public support for mandatory breach notification (based on the submissions to the ALRC report and the Department of Prime Minister and Cabinet’s 2011 cyber white paper), there are still concerns over the compliance burden that a mandatory notification requirement would place on industry, as well as questions about the effectiveness of mandatory notification in curbing incidents of identity theft and in giving victims the opportunity to protect themselves in the event of a privacy breach (which the ALRC raised as a key concern).
It is interesting to note that the paper does not contain any discussion regarding:
This may be because both of these issues have come to prominence only in the four years since the ALRC’s report was released.
However, given the amount of public interest surrounding the first point, and the increasing relevance of the second point due to the rapid uptake of cloud-based IT service delivery models in data-intensive businesses, it will be interesting to see what comments are made about these issues in the submissions and how the Government responds to such comments.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.