On 7 November 2022 the AICD made a submission to the Senate Legal and Constitutional Affairs Committee on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill), which would amend the Privacy Act 1988 (Privacy Act).
In the submission, the AICD recognised the significant public concern with recent large-scale data breaches and the momentum this has provided for regulatory reform. The AICD also agreed that the current penalty regime for serious and repeated breaches of the Privacy Act is inadequate. However, the AICD is concerned that, without amendment, the proposed penalty regime in the Bill has the potential to disproportionately punish Australian businesses that have experienced a crippling cyber security incident and to broadly disincentivise the reporting of data breaches and cooperation with key regulators.
The AICD made the following key points in the submission:
- consideration of the Bill be paused until the Privacy Act Review has made its recommendations and the Government has responded;
- the introduction of a defence or safe harbour based on ‘reasonable steps’ where unauthorised disclosures of personal information as a result of criminal activity would not necessarily give rise to a breach of the Privacy Act;
- clarification of the substantive underlying obligations that would lead to a civil penalty under section 13G of the Privacy Act, so that organisations are clear on the steps they should take to comply with the Privacy Act requirements; and
- amendments to the penalty provisions of the Bill that are based on similar provisions in the Competition and Consumer Act 2010. The concept of ‘benefits’ and penalties linked to turnover is inappropriate in the context of the Privacy Act where the business in many cases also suffers significant financial loss and/or reputational impact.