It looks like plain sailing for the Australian Government’s mandatory data breach notification legislation, under consideration by the Senate Legal and Constitutional Affairs Committee late last week after being “rushed” into Parliament by the Gillard Government.
The ‘Privacy Alerts’ bill deals with the tricky issue of businesses being compelled to inform customers in the event their private data is no longer held securely. By later today we might have a good idea of whether it will pass.
Lobbyists in recent days have complained the bill was ‘rushed’, but neglected to give the issue the relevant historical context.
Mandatory data breach notification was recommended on the back of comprehensive research by the Australian Law Reform Commission back in 2008. What little argument the industry has offered on the subject was in the year or so immediately following. Most commentators at the time agreed it was “about time” for such a law. The Rudd Government held back.
The ‘Privacy Alerts’ bill, as first revealed in Secure Computing magazine, is one of several bits and pieces of legislation the current ALP Government has resurrected in recent months. Resigned to an expected defeat in the upcoming election, the Gillard administration clearly intends to spend its final months dusting off policies previously considered sound, but too politically sensitive.
It’s likely that, given the links the Coalition maintains with Australia’s corporate elite - among them those that have the most to lose from regulation - such a bill won’t have a life beyond October unless it is passed now.
After five years of relative silence, those parties opposed to the legislation - telcos and direct marketers - have hit the panic button. Both the Australian Direct Marketing Association and Australia’s Comms Alliance have complained at the eleventh hour that there was not enough industry consultation for this bill.
The idea of such a policy has been on the table for five years. All would agree Australian business doesn’t need further regulatory burden beyond what it already endures, but the immediate cost of compliance should also be weighed against long-term gains. ‘Privacy Alerts’ will force organisations to harden systems and sharpen processes, bringing the customer’s needs into clear focus.
Beyond ‘not enough industry consultation’ and appealing to the Australian distaste for ‘red tape’, I haven’t yet heard a compelling argument from these lobby groups as to why the bill is problematic. I’d welcome a more constructive discussion - but right now it feels “too little, too late.”
Without more constructive arguments, the lobby groups opposed to this bill are more or less conceding their own failure to be proactive on this matter over the past five years.
At a recent roundtable on the subject, CSOs at large Australian organisations offered some constructive criticism.
Could the ‘Privacy Alerts’ bill lead to an increase in petty class actions and other forms of lawsuit aimed at organisations the Privacy Commissioner deems to have committed a ‘serious breach’? Is there a further legal instrument the Parliament could balance against this bill to place reasonable limits on the extent of such action? Should those organisations that have complied with the Privacy Alerts bill as best they can be offered a form of safe harbour?
I’d be interested in your thoughts.