The chief of the Association for Data-driven Marketing and Advertising (ADMA) has lambasted Federal Government plans to impose compulsory data breach notifications as a threat to the prosperity of hundreds of thousands of Australian businesses.
The data breach notification bill, officially known as the Privacy Amendments (Privacy Alerts) Bill 2013, had its first reading in parliament last month. If passed, it was originally expected to come into legislative effect in March 2014 alongside the Australian Privacy Principles. The bill will require government agencies and private organisations to notify customers of serious data breaches relating to personal, credit reporting, credit eligibility or tax file number information as they occur.
ADMA however anticipates the bill could be referred to a Senate Committee later this week and could pass early next week given the government controls the committee.
ADMA CEO, Jodie Sangster, claimed compulsory data breach reporting will impose more layers of regulation on Australian businesses, potentially causing administrative overload and impeding their ability to be globally competitive.
“This is ill-considered law,” she said. “It comes at a time when businesses large and small are already grappling with the most extensive changes to privacy legislation seen in the last 10 years. And now the government intends to impose yet more legislation without even considering the impact on business.
“Not only are there significant new compliance requirements under the recently adopted Privacy Law, under this new law businesses will face mandatory breach reporting.”
According to Sangster, the industry already has clear and comprehensive guidelines on data notification breaches that are working well, and that companies have been responsive to these. She also questioned the lack of clarity around what ‘serious harm’ meant, especially given the threat of up to $1.7 million fines for non-compliance.
“There is a danger that businesses will err on the side of caution and over-report data breaches,” she continued.
In a recent speech, Attorney General Mark Dreyfus cited a report from McAfee claiming 21 per cent of Australian businesses had suffered data breaches. Sangster noted more than 2.1m businesses were trading in Australia last year, meaning the number of potential data privacy breach investigations could reach 450,000 – an unworkable figure for businesses, consumers and the regulator.
“There is no evidence of systemic failure to justify this kind of proactive reporting regime,” Sangster claimed. “If the Government is going to make any changes to the current regime it needs to go through proper consideration and consultation. Businesses have enough on their plate trying to prepare for new privacy laws coming into effect in a matter of months. Let’s get that right and then we can look at what more needs to be done. What’s the big rush?
“This will have negative economic consequences for the country at a time when the Government should be looking to support business and boost the wider economy,” she added.