Technology industry groups have welcomed the passing of long-awaited mandatory data breach notification laws through the House of Representatives, but fears remain in business circles about unintended consequences.
The bill, which has been on the government’s agenda since early 2015, passed through the lower house with bipartisan support on Tuesday; it means organisations will have to reveal if their systems are compromised by cyber attack or technical failings.
Anthony Wong, president of tech industry peak body the Australian Computer Society, said the bill was a “critical step forward in the elevation of data protection and cyber security issues” at the enterprise level.
Under the proposed laws, if an organisation subject to the Privacy Act incurs an “eligible data breach”, it will have to alert the Australian Information Commissioner and the people whose data has been compromised.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in “serious harm to any of the individuals to whom the information relates”.
“As we transition to a digital economy, now more than ever the focus must be on ensuring Australia captures the opportunities of the information age, while protecting the rights of the individual,” Mr Wong said.
“In an era of big data, the protection and privacy of personal information must be a primary consideration in the planning and construction of large scale ICT systems, not an afterthought.”
Mr Wong said the laws would give individuals that share their information with businesses and government greater confidence, and would raise awareness of the threats of lax security.
“To deliver on the promise of this new legislation it is critical to recognise that cybersecurity is a collective responsibility, relevant at all levels of an organisation,” he said.
Companies affected by the legislation include businesses with over $3 million in turnover, smaller firms that handle sensitive information and most government agencies.
The concept of a mandatory data reporting scheme first emerged in 2008 when the Australian Law Reform Commission reviewed Australia’s privacy laws and recommended its introduction.
In 2013 such a scheme was recommended by the Parliamentary Joint Committee on Intelligence and Security, and again in February 2015 by the same committee in response to the inquiry into the data retention bill.
At the time the government committed to implement mandatory data breach notification rules by December 2015, but this was pushed back when the first draft only became available for public consultation by that date.
Cyber security advisor Rachel Falk told The Australian Financial Review last month that she supported the legislation because it was important for organisations to be transparent about customer data, but that it was important that people did not become “over-sensitised” to breaches.
“It’s important that mandatory data breach notification serves a purpose… but it’s not about scaring the horses, it needs to be measured disclosure,” she said.
“All of us as consumers should always be concerned about how our valuable data is being used.”
Last year the Australian Industry Group said in response to the draft legislation that it could not understand why a scheme was needed at all.
“Ai Group understands the reasons why the bill has been drafted but we are not convinced of the need for the bill,” it said.
The business group argued that there were already privacy laws in place and that the legislative requirements could pose “an unreasonable compliance burden on businesses”.
The Association of Data-driven Marketing and Advertising also came out against the bill, saying there was no evidence for its need and that voluntary breach notification guidelines had been effective.
It also said that the bill had the potential to cause “notification fatigue”.