AIIA urges Government to reconsider increases in data breach penalties as part of wider Privacy Act review: penalties regime needs to not discourage good behaviour.
Australia’s peak body for innovation technology, the Australian Information Industry Association (AIIA), is calling on the Albanese Government to take a positive, collaborative approach to the complex issue of data and cyber security, cautioning against the adoption of a heavy-handed or exclusively punitive response to recent high-profile data breaches.
The AIIA position is based on its submission made to the Senate’s Legal and Constitutional Affairs Committee which is considering the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
In its submission, the AIIA questioned both the arbitrary nature and the quantum of the penalty increases, which could have unintended consequences, and called on the Government to introduce a safe harbour provision in privacy legislation. A safe harbour from penalties for businesses that can demonstrate good faith and due diligence in reporting, including by implementing best-practice cyber security frameworks, would ensure that the system encourages transparency and a willingness both to resolve major data breaches and to seek assistance in doing so. Incentivising help-seeking and reporting behaviours by businesses subject to data breaches should be the focus of government and any legislation.
Because data breaches can be the work of sophisticated actors, a breach may be all but unavoidable; a well-developed privacy and penalty regime therefore needs to encourage good behaviour and provide support. Penalties have their place, but there should be clarity about when they would apply.
In 2019, the ACCC recommended in its Digital Platforms Inquiry Final Report that privacy penalties mirror the maximum penalties available under the Australian Consumer Law (ACL), a recommendation the Government has referenced in explaining the quantum of increase under the Privacy Legislation Amendment. However, at the time that report was released, those maximum penalties under the ACL were $10m and 10% of turnover, significantly below the $50m and 30% of turnover to which the Government has recently sought to increase penalties.
AIIA CEO Simon Bush said: “All Australians have been concerned with the recent cyber-attacks on major Australian businesses. We rightly have high expectations of organisations who have our data. That is why we want the Government and industry to work together to uplift cyber security and data governance across all sectors. Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board.
“The Privacy Act review currently underway is the most appropriate vehicle for dealing with powers and penalties needed for privacy protections in a cohesive and coordinated way. As yet, we don’t know whether SMEs will be included in Australia’s privacy regime once the Privacy Act is updated. This is an important decision that will have a significant impact on many organisations.
“Working to build greater capabilities, by upskilling and elevating data practices, is the best way forward for Australia. This starts with growing the skills of Australia’s ICT workforce. Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia.
“The Albanese Government has been responsive to industry recommendations to date, including the AIIA’s call for reconvening the Data and Digital Ministers’ Meeting which met last week, and we hope this will continue,” Mr Bush said.
At last week’s Data and Digital Ministers’ Meeting (DDMM), a resolution was passed to develop a National Strategy for Identity Resilience whereby jurisdictions work together to protect Australians from identity-related theft.
“The items on the agenda of the first meeting since the DDMM reconvened – including digital inclusion and data sharing – are evidence of its importance. Proactive, strategic and nationally coordinated work on digital identity and data security will serve the mission to better secure the personal information of Australian citizens. The nation will benefit from this kind of collaboration and strategic thinking on identity and data,” Mr Bush concluded.
The AIIA is a not-for-profit organisation aimed at fuelling Australia’s future social and economic prosperity through tech innovation and remains committed to working with all levels of Government to secure Australia’s digital future.
For Media Enquiries:
M: 0418 862 545
The Australian Information Industry Association (AIIA) is Australia’s peak representative body and advocacy group for those in the digital ecosystem. Since 1978 AIIA has pursued activities to stimulate and grow the digital ecosystem, to create a favourable business environment for members and to contribute to Australia’s economic prosperity. We do this by delivering outstanding member value by providing a strong voice of influence; building a sense of community through events and education; enabling a network for collaboration and inspiration; developing compelling content and relevant and interesting information.