Wednesday, May 25, 2022

Australian privacy law changes could shake business: Lawyer

SYDNEY – Australian businesses with lax security are about to be rudely awakened by tough new privacy laws which will unveil previously hidden data breaches, says one of the country’s lawyers.

“Online retailers not subject to significant regulation will be the ones hardest hit; their assumptions that a bit of security is enough will be tested,” said Lyn Nicholson, special counsel to the Melbourne-based law firm Holding Redlich.

“We haven’t had big data breaches in Australia and it is easier for companies to keep people quiet,” she said.

But recent proposed amendments to the Privacy Act include a range of sweeping new powers allowing the Privacy Commissioner to enforce the mandatory reporting of new data breaches.

“Industry will react when someone has a big breach and is served a large fine,” said Nicholson.

The changes could see Australia heading down the U.S. path where data breaches attract hefty fines and civil action, according to Nicholson.

She said the turning point will be after the prosecution of a high-profile privacy breach.

“I don’t expect the Privacy Commission to start handing out draconian fines, but infringement penalties could be followed by civil action. Australians are not as aware as Americans of their privacy rights, but this will change when the new laws settle in.”

An Australian Law Reform Commission (ALRC) discussion paper detailing 301 privacy reforms is expected to go to parliament in June after it was delayed past its March 31 deadline. The reforms will be mandated after the paper and submissions have been discussed in parliament, which industry experts say will be no earlier than 2009.

Businesses can already be dealt harsh fines for data breaches under a clause in the Trade Practices Act. The clause can be enforced similar to the case against online apparel retailer Life Is Good, which was ordered by the U.S. Federal Trade Commission (FTC) in January to undergo external security audits for the next 20 years.

The FTC alleged the company stored credit card information indefinitely on its computers, without using proper encryption software or sufficient access controls. The FTC also claimed the company violated federal law by allegedly making security claims on its Web site that were false.

Parliament will most likely pass the general provisions of the new privacy laws first, followed by components pertaining to sensitive records and credit reporting.

The Act will be based on the best parts of the U.S. and U.K. laws coupled with industry codes of conduct such as those used in New Zealand, according to Nicholson.

The reforms will likely give the Privacy Commissioner new powers to amend legislation to facilitate emerging technologies including biometrics, data warehousing of customer information and high profile breaches of sensitive data.

Andrew Hayne, deputy director of policy for the Office of the Privacy Commissioner, said the codes are designed to add specificity to the current Act which has been attacked for its weak non-specific structure.

“The requirement [for notification of privacy breaches] should not be an unreasonable burden on business and it should not result in alarmous [sic] notification,” Hayne said.

The reforms will merge Australia’s dualist IPP and NPP privacy laws, which mandate similar policies for federal and state organizations, into a single act to reduce complexity.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.