The AIIA is a not-for-profit organisation aimed at fuelling Australia's future social and economic prosperity through technological innovation. Its call comes on the heels of the Privacy Legislation Amendment (Enforcement and Other Measures Bill) 2022, currently working its way through the Australian parliamentary process.
The bill states it "would amend three Commonwealth Acts to increase penalties for serious or repeated interferences with privacy, enhance the Australian Information Commissioner’s enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority with greater information sharing powers."
The bill comes in response to a spate of recent high-profile data breaches among Australian organisations such as Optus and Medibank and seeks to increase penalties to the greater of $50 million, 30% of turnover, or three times the value of any benefit obtained through the misuse of information.
|
However, the AIIA has made a submission to the Senate's Legal and Constitutional Affairs Committee questioning the arbitrary nature and quantum of penalty increases, stating these could have unintended consequences. Further, the AIIA calls on the Government to implement a safe harbour provision in its privacy legislation, protecting businesses from penalties if they can demonstrate good faith and due diligence in reporting, including by implementing best-practice cyber security frameworks.
The AIIA states this would ensure the system encourages transparency and willingness to resolve major data breaches, and to seek assistance in doing so.
It is the AIIA's position that focusing on incentivising help-seeking and reporting behaviours by businesses who have been subject to data breaches is the proper response by Government and legislation.
The problem is, the AIIA states, data breaches can be the result of actors so sophisticated that a breach may well be unavoidable, thus a well-developed privacy and penalty regime ought to be encouraging good behaviour and providing support, instead of being heavy-handed and exclusively punitory.
AIIA CEO Simon Bush said, “All Australians have been concerned with the recent cyber-attacks on major Australian businesses. We rightly have high expectations of organisations who have our data. That is why we want the Government and industry to work together to uplift cyber security and data governance across all sectors. Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board.
“The Privacy Act review currently underway is the most appropriate vehicle for dealing with powers and penalties needed for privacy protections in a cohesive and coordinated way. As yet, we don’t know whether SMEs will be included in Australia’s privacy regime once the Privacy Act is updated. This is an important decision that will have a significant impact on many organisations.
“Working to build greater capabilities, by upskilling and elevating data practices, is the best way forward for Australia. This starts with growing the skills of Australia’s ICT workforce. Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia.
The Albanese Government has been responsive to industry recommendations to date, including the AIIA’s call for reconvening the Data and Digital Ministers’ Meeting which met last week, and we hope this will continue," Bush said.