Data breach fine proposals in wake of Optus, Medibank hacks not enough, say privacy advocates
The government's proposal to steeply increase penalties for serious or repeated privacy breaches is welcome but more is needed to deter incidents like those at Optus and Medibank, privacy critics have warned.
Attorney-General Mark Dreyfus has introduced a bill to amend Australian privacy rules, including new fines and additional powers for the information commissioner.
"Governments, businesses and other organisations have an obligation to protect Australians' personal data, not to treat it as a commercial asset," he said when introducing the bill in parliament.
Following the Optus breach, both the government and digital rights advocates pointed to the inadequacy of current penalties in Australia for privacy breaches.
The maximum fine for serious or repeated breaches of privacy is just $2.2 million.
Under the proposed bill, penalties would skyrocket to:
The bill would also extend the reach of Australian privacy law so that it better covers overseas businesses that may interact with local data.
It proposes that a company that "carries on a business" in Australia, but doesn't collect or hold Australians' information from a direct source in the country, must still comply with local rules.
Privacy critics are encouraged by the proposed changes, but say privacy reform must go much further to protect Australians and change corporate attitudes about data collection and management.
The increased penalties are likely to have some deterrent effect, according to Katharine Kemp, a data privacy expert at UNSW's Faculty of Law & Justice, but she says the Privacy Act must also be amended to make it clearer when companies must dispose of customer data, among other changes.
She also questioned the Office of the Australian Information Commissioner's (OAIC) ability to fully apply the harsher penalties or its new investigative powers at its current level of funding and staffing.
"In the absence of changes to the privacy principles themselves, and a properly resourced privacy regulator, you may be getting a bigger stick with no-one to swing it and not a great deal to swing it at," Dr Kemp said, referring to the 13 standards that govern the treatment of personal information under the Privacy Act.
"Things may be waiting in a queue for a long time until that power is used."
Better resourcing for the OAIC has long been a priority for data protection advocates. The regulator is getting an additional $5.5 million over two years in the budget, to help fund its investigation into the Optus breach.
The ability of the OAIC to investigate breaches of privacy law and apply fines was also a concern for Anna Johnston, principal at Salinger Privacy and former NSW deputy privacy commissioner.
To apply a penalty, the regulator must apply to the Federal Court. So far, this has occurred only once, when the OAIC launched an action against Facebook over the Cambridge Analytica scandal.
Ms Johnston is concerned about the difficulty of such actions, given the debate over what a "serious or repeated" breach actually is.
Several challenges to the enforcement of privacy law remain, in her view, including that the OAIC is not funded well enough, that the OAIC can't levy fines directly, and that fines are only for serious or repeat misconduct.
"None of those three things is fixed in this bill," Ms Johnston said.
"We're hoping that broader reform will look at tidying up those rules."
A highly anticipated review of Australian privacy law by the attorney-general is in its final stages, ahead of reforms flagged for 2023.
Privacy advocates hope the upcoming reforms will do more to address the sheer amount of data companies are able to ask for and store about Australians — and in some cases, the laws that require them to do so.
For example, Medibank has confirmed its data breach affected past and present customers and claimed that it was required by state health record laws to keep information for seven years.
"This can't be the finish line, but should be just the beginning of better privacy protections for Australians," Chandni Gupta, digital policy director at the Consumer Policy Research Center, said of the new bill.
"We need the Privacy Act to do more than just having companies keep our data safe – that is the absolute minimum."
Electronic Frontiers Australia (EFA) chair Justin Warren also welcomed the increased penalties, but pointed out the changes do nothing to compensate individuals for harm suffered following a data breach.
The EFA wants the government to introduce a tort that would allow Australians to sue for serious breaches of privacy.
"A fine paid to the government doesn't help us move house because an abusive ex now knows where we live," Mr Warren said in a statement.
"It doesn't compensate us when a company's lax data security means everyone on the internet knows our medical history.
"A fine doesn't give us our privacy back."
A privacy tort is one of many changes civil society and lawyers hope to see in proposed reforms to Australian privacy law.
In its submission to the review, the Law Council of Australia also suggested certain exemptions to the privacy rules be considered for removal.
These exemptions include the carve-out for small businesses with an annual turnover of less than $3 million, as well as political parties, which collect vast amounts of data about Australian voters.