A Labor senator this week re-introduced proposed legislation governing mandatory notifications for companies suffering a data breach, in an attempt to resurrect a bill which failed to pass before the last federal election.
Tasmanian Labor Senator Lisa Singh, parliamentary secretary to Shadow Attorney-General Mark Dreyfus, introduced the bill into the Senate for a first reading yesterday.
The bill seeks to require entities which believe a serious data breach has occurred (involving personal, credit reporting, credit eligibility, or tax file number information) to notify the Privacy Commissioner and individuals affected as soon as possible.
Affected organisations could also be forced by the Commissioner to publish a statement on their website and potentially in media outlets detailing the breach, the information affected and actions individuals should take in response.
The Privacy Commissioner would also be able to seek penalties of up to $340,000 for individuals or $1.7 million for organisations who repeatedly or seriously offend.
Small-scale offenders could be fined up to $34,000 for individuals and $170,000 for organisations.
The Coalition Government has not committed to a position on the bill, but did not vote against it in the House of Representatives last time around. It has previously expressed support for mandatory data breach notification as a concept.
The Labor Party expressed confidence the bill would get voted through the Senate, thanks to the support of the Greens, but expected the House of Representatives to be more difficult.
Dreyfus said in a statement to iTnews that the Coalition lacked a “clear legislative agenda” in the area, while Singh said Australians had a right to know when their privacy had been breached.
“By introducing the Privacy Alerts Bill, which the government supported in opposition, Labor is giving the Government the opportunity to support this important privacy measure,” Dreyfus said.
“This law will alert consumers to breaches of their privacy, so that they have the opportunity to change passwords or cancel their credit card.”
The previous bill received unconditional support from a parliamentary committee investigating the issue, but Coalition senators at the time held concerns about the lack of definition for the terms “serious breach” and “serious harm”, and warned against regulatory overload.
The bill proposes to amend the Privacy Act with two new provisions:
- “Serious data breach” - which outlines the circumstances in which an entity would have committed a serious data breach;
- “Notifying serious data breaches” - which outlines the circumstances in which an entity must notify of a serious data breach, and to whom it must do so.
The office of Attorney-General George Brandis did not respond to a request for comment by the time of publication.