There has been a mixed reception from business groups to a draft government bill that would implement a mandatory data breach notification scheme.
The government in December released an exposure draft of a bill to implement a data breach notification regime.
The government had committed to the introduction of such a scheme as part of its response to concerns about the mandatory data retention scheme for telcos, which began operation in October.
The release of the exposure draft late in the year represented backtracking by the government, which had originally committed to legislating a scheme in 2015.
The scheme outlined in the draft would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.
In submissions to a consultation on the exposure draft, the Australian Industry Group (Ai Group) and the Association for Data-driven Marketing and Advertising (ADMA), as well as its associated organisations the Institute of Analytics Professionals of Australia (IAPA) and the Australian Interactive Media Industry Association (AIMIA), indicated that they did not see the need for such a scheme.
“There has been no evidence provided to establish that there is an imperative for the proposed provisions,” ADMA’s submission argued.
“The Office of the Australian Information Commissioner (OAIC) has had voluntary breach notification guidelines in place for some time and, as far as we are aware, there is no evidentiary basis that establishes the need for the legislation.”
The Digital Industry Group Incorporated (DIGI), whose members include Google, Twitter, Facebook, Yahoo! and Microsoft, said that it believes that “the current voluntary notification scheme is working well”.
In a similar vein, the Interactive Games and Entertainment Association said that the current regime of the Australian Privacy Principles (APPs) and voluntary notifications to the OAIC “is sufficient and fit-for-purpose”.
The Australian Information Industry Association (AIIA) said it supports in principle a mandatory serious data breach notification scheme but the draft bill’s regulatory impact statement (RIS) and associated discussion paper had not fully explored alternatives to the scheme.
“If the overall aim is to protect consumer information and empower consumers to take action when a breach occurs, there are a number of ways to achieve this short of a mandatory reporting scheme. The current options in the RIS go from do nothing, a mandatory scheme or industry codes as a middle ground,” the group’s submission stated.
In contrast, Macquarie Telecom’s submission argued that “the creation of a compulsory data breach notification process is warranted and timely.”
“This is a logical flow on from the mandatory data retention requirements to ensure that the huge amount of data collected under that regime is adequately protected and, if it is breached, people are made aware of the breach and can take steps to minimise any harm,” the company argued.
Similarly, Microsoft said it was supportive of the bill, saying it “strikes an appropriate balance between protecting the privacy of individuals, without imposing an overly administrative burden on Australian Privacy Principle Entities”.
PayPal also backed, in principle, legislating a notification scheme.
Telstra said it supported the Attorney-General’s Department’s efforts to translate the current “voluntary guidelines into a legislative instrument”.
Why so serious, breach?
Most of the submissions offered substantial proposals for reworking the draft bill. In particular, the definitions of a “serious breach” and “serious harm” were addressed in a number of submissions.
“The Bill defines a ‘serious data breach’ as one that creates a ‘real risk of serious harm’ to affected individuals,” ADMA’s submission stated.
“In turn, a ‘real risk’ is defined as being ‘not a remote risk’. Given that ‘remote risk’ is not defined, this type of circular definition is not helpful.
“Although the definitions are drawn from the current voluntary regime enshrining such vague definitions in legislation will only serve to drive business to adopt an overly cautious approach to reporting which in turn is likely to result in notification fatigue… In addition, the increased regulatory burden will result in a corresponding increase in the cost of doing business – a cost that will ultimately be borne by the consumer.”
Other language in the bill frequently addressed in submissions states that organisations must notify in cases where they “ought reasonably to be aware” that a breach has occurred, and that a notification must be issued “as soon as practicable after the entity becomes so aware, or ought reasonably to have become so aware”.
“The concept of ‘ought reasonably to have become so aware’ adds complexity to determining when to notify and to the application of the legislation,” Telstra said.
“In our view, the concept should be removed and reliance should simply be placed on the question of whether an entity that is aware of an issue has sufficiently reasonable grounds to believe there has been a serious data breach.”
The telco noted that organisations that are “willfully blind” may be subject to penalties under APP 11.
All public submissions are available from the website of the Attorney-General’s Department.