The Communications Alliance has joined the Association for Data-driven Marketing and Advertising (ADMA) in criticising the federal government’s proposed mandatory data breach notification law, saying that the legislation will come at a cost to industry and that there was not enough consultation.
The <i>Privacy Amendments (Privacy Alerts) Bill 2013</i> has had two readings in Parliament. It was originally expected to come into effect in March 2014 if passed alongside the Australian Privacy Principles. The bill will require government agencies and private organisations to notify customers of serious data breaches relating to personal, credit reporting, credit eligibility or tax file number information as they occur.
However, the bill has been referred to a Senate Legal and Constitutional Affairs Legislation Committee. ADMA anticipates that it could pass early next week given the government controls the committee.
Communications Alliance CEO John Stanton pointed out that the telecommunications industry is already investing “significant resources” to implement the measures in the <i>Privacy Amendment (Enhancing Privacy Protection) Act 2012</i> which come into effect in March 2014.
This Act will give privacy commissioner Timothy Pilgrim more powers, including the right to seek civil penalties in the case of serious breaches of privacy.
The legislation also permits the commissioner to conduct assessments of privacy performance for both Australian government agencies and private companies.
“It is regrettable that concerns regarding the tight timeframe to review the Bill, lack of consultation with industry and requests for a delay to implement proposed measures appear to have been dismissed by government,” he said in a statement.
Stanton also said the Alliance has concerns that organisations will not have the right to appeal a direction by Pilgrim to publish a data breach notification.
“It is only reasonable that an entity should have an opportunity to have a right of reply, particularly in circumstances in which the commissioner may be acting according to misinformation,” he said.
He added that moving from a voluntary data breach notification guide to mandatory legislation will result in additional costs to business, including legal counsel, associated with ensuring compliance with a mandatory scheme.
On June 18 ADMA CEO, Jodie Sangster, told CMO Australia that compulsory data breach reporting will impose more layers of regulation on Australian businesses, potentially causing administrative overload and impeding their ability to be globally competitive.
“This is ill-considered law,” she said. “It comes at a time when businesses large and small are already grappling with the most extensive changes to privacy legislation seen in the last 10 years. And now the government intends to impose yet more legislation without even considering the impact on business.”
Follow Hamish Barwick on Twitter: @HamishBarwick