Privacy Act reforms — the implications for the digital environment

The Privacy Act reforms to create greater protection for online users

Data breaches

One of the key aspects to come out of the second government response will be the issue of data breach notification, which compels organisations to inform their customers if their personal data has been compromised.

In a speech to the iappANZ in November last year, Pilgrim said his department had been alerted to 56 data breaches in the last financial year, a jump from 44 the previous year. The current Privacy Act does not require government agencies and organisations to report personal information security breaches to the Office of the Australian Information Commissioner (OAIC) or to affected individuals.

However, the OAIC says the Act requires agencies and organisations to take reasonable steps to protect the personal information that they hold, which may include notifying affected individuals and the OAIC.

“It’s important that those individuals know quickly so they can take steps to minimise the potential for identity theft or identity fraud,” Pilgrim says.

However, Clarke says the idea of data breach notification is a decade out of date and has only been brought in because the US pursued this path.

“Did this solve any problems? Of course not. All it did was to make clear that there was a problem – that’s all data breach notification is for. The idea that it’s really, really vital that you and I get told if our credit data is being leaked from a particular database is all very nice, but that’s not a huge, systemic piece of progress,” Clarke says.

“What we need is obligations on these organisations to have proper protections in place and sanctions against them if they don’t.

“So the idea that we might come along 10 years later and create a data breach notification law is absolute nonsense. It’s a complete waste of space. We know that organisations leak like sieves. We don’t need a law to find that organisations leak like sieves.”

Wong believes data breaches should also have civil remedies “because currently as we stand, a person whose data has been breached can complain to the privacy commissioner ... [but] only a limited amount of damages of compensation were granted,” he says.

In the US, for example, some courts have awarded damages to the tune of millions of dollars, according to Wong.

“So definitely the US is leading in this area of data notification. We certainly haven’t seen this happen [here] because we don’t have those laws here,” Wong says.

Wong says potential data breaches could include a website like Facebook releasing an individual’s photo to the public without their permission. If the person’s reputation were severely damaged and their professional life harmed as a result, Wong says they should be able to seek compensation.

Websites like Google may also be in breach of privacy laws under the Privacy Act reforms. The French Data Protection Authority (CNIL) has launched an investigation, on behalf of all European data protection authorities, into Google’s new policy of aggregating information across its services, such as Gmail, Picasa, Google Maps and YouTube. CNIL’s preliminary analysis suggests that Google’s new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE).

The Australian privacy commissioner also recently wrote to Google on behalf of the Technology Working Group of the Asia Pacific Privacy Authorities expressing concern that combining personal information from across different services has the potential to significantly impact on the privacy of individuals, according to Wong.

“So we have to look closely in terms of [the] individual privacy statements of the different services and see how they impact on an individual when they’re combined,” Wong says.

Holding overseas companies such as Google and Facebook accountable for privacy breaches may prove to be problematic. However, Pilgrim says overseas organisations undertaking business in Australia will be required to adhere to any new reforms in the Privacy Act, even if they do not have a physical presence in Australia.

To help enforce action against any breaches, Pilgrim says Australia is part of global forums such as the Asia Pacific Privacy Authorities (APPA), which includes New Zealand, Hong Kong, Korea, Canada and the US. Membership allows the privacy agencies in these countries to co-operate with each other on enforcement.

Pilgrim says the Asia-Pacific Economic Co-operation (APEC) privacy framework also assists in cross-border privacy enforcement, and that the Working Party on Information Security and Privacy of the Organisation for Economic Co-operation and Development (OECD) is also looking to establish a global privacy enforcement network.

Where to from here?

Wong believes the main impact of the Privacy Act reforms on the digital environment will be dealt out in the second tranche response by the government.

Ultimately, Clarke wants to see the privacy commissioner given “real power to do real things and solve problems”, and both Wong and Clarke believe seeking civil remedies for breaches will go a long way in reforming the Act and forcing companies to be more responsible.

“Everybody makes little cock ups and the answer is you fix it, and you fix it so that you don’t make the same cock ups again,” Clarke says.

Follow Stephanie McDonald on Twitter: @steph_idg

Follow Computerworld Australia on Twitter: @ComputerworldAU
