As the federal government announces its $230 million cybersecurity strategy, legislation that would let people know when their personal data has been hacked will not pass before the election — again.

After promising to bring on mandatory data breach notification legislation for more than a year, the government appears poised to finally introduce a bill in budget week. It is one of 27 pieces of legislation — including the budget appropriation bills — listed to be introduced into the winter sitting of Parliament beginning in May. But given Prime Minister Malcolm Turnbull has already indicated he intends to go to the Governor-General sometime between Opposition Leader Bill Shorten’s budget reply speech on May 5 and May 11 to dissolve both houses of Parliament and bring on a double dissolution election for July 2, it is unlikely that the legislation will pass before the election.

The exposure draft of the legislation, released by the government late last year, would require companies and organisations to inform people affected by a compromise of their personal data if there were a real risk of serious harm posed by the release of the information, for example if a person’s credit card details, identification details, passwords or other information were leaked or obtained fraudulently. At the moment, companies report breaches to the Privacy Commissioner on a voluntary basis, and while many companies have improved their reporting over the past few years, there are still incidents where companies, such as the online shopping site Catch of the Day, wait years before letting customers and the Privacy Commissioner know that a breach has taken place.

The legislation has received a mixed response from industry and government. The Department of Immigration and Border Protection isn’t clear on whether secrecy provisions in its draconian Border Force Act would prevent it from complying with the legislation. The Australian Industry Group said it wasn’t convinced of the need for the legislation because existing privacy law was sufficient, and it would place a burden on businesses to report to government every time they had a data breach.

The ABC (yes, the national broadcaster) and the Insurance Council of Australia argued that businesses should only be required to report if there is a threat of physical or financial harm, because under the current proposal, psychological and emotional harm can vary from person to person.

Telstra, which itself has been victim to a number of data breaches — but has informed the public and the Privacy Commissioner in the past — has argued that the threshold for businesses to report breaches is far lower than it would like.

While the government can introduce and pass legislation to repeal the Road Safety Remuneration Tribunal in just one day, this will be the second time mandatory data breach notification legislation has been introduced and not passed. The last time was by the former Gillard-Rudd government in 2013.
