Federal Government to expedite 3 reforms to the Privacy Act in light of the Optus data breach

October 13, 2022 |

At a speech at the National Press Club the Attorney General, Mark Dreyfuss, announced 3 privacy reforms before a more comprehensive amendment of the Privacy Act.  Those reforms are:

  • tougher penalties,
  • data retention limits and
  • anti-fraud measures

Each of the above reforms are welcome.  Legislating them outside of a broader and more comprehensive amendment to the Privacy Act is not best practice by any means.  Legislating tougher penalties is long overdue but increasing penalties when the legislation is going to be amended within 12 months has little practical impact.  A case brought today would not be resolved within 12 months based on the current state of the Federal Court list.  Data retention limits is at the core of privacy regulation so in essence a very significant amendment is being inserted into the middle of a compromised piece of legislation.  Anti fraud measures is quite a curious catch all term that can mean significant amendment or not much at all.

This development has been reported by innovationaus in Optus breach to bring forward 3 privacy law reforms: Dreyfus which provides:

Privacy law reforms are being expedited in the wake of Australia’s largest data breach, with tougher penalties, data retention limits and anti-fraud measures expected to be revealed ahead of wider changes.

Attorney General Mark Dreyfus on Wednesday flagged the three areas as likely proposals from the current review of the Privacy Act, foreshadowing the measures will be brought forward ahead of the overall finding from the two-year review expected at the end of the year.

Last month’s Optus data breach which saw the personal information of nearly 10 million customers compromised had underscored the need to overhaul the “outdated” legislation, Mr Dreyfus told the National Press Club on Wednesday.

“I’m sorry to say I fear that this will not be the last data breach in Australia’s history,” he said.

“We need to have better information sharing when the data breach has happened. Before that we need to have higher penalties to provide a better incentive to make sure it doesn’t happen in the first place.”

The Communications minister has already changed regulations to allow Optus to temporarily share customer identifiers with banks and government agencies to reduce the risk of subsequent fraud.

Announced last week, the regulation change took effect on Monday, several weeks after the breach occurred and needed several ministers and industry stakeholders working together.

Mr Dreyfus said the process had been “quite cumbersome”.

“It required regulations to be made on Telecommunications Act by the minister for Communications, and we would like to think that it’s possible to devise a way to get that done quicker,” he said.

The Attorney General said a third reform to be expedited as a result of the Optus breach would likely target companies holding personal information without a legitimate reason.

“Why is it that companies feel that they need to have and keep so much information in the first place? Because if they didn’t keep so much information for so long, the consequences of a data breach wouldn’t be so serious,” Mr Dreyfus said.

The review of Australia’s privacy laws was launched in December 2019 following the competition watchdog’s landmark report on digital platforms, which made a number of recommendations for reforms to the Act.

Instead of backing these recommendations, the former Coalition government opted to launch another review into the wider Privacy Act, which has attracted significant interest throughout a protracted consultation process.

After announcing the review, it took nearly a year to launch an issues paper, then another year for a discussion paper. Together the papers received 372 public submissions, many calling for significant reforms.

A final report was originally planned to be with government by late 2021.

Mr Dreyfus, who has committed to finalising the review by the endo of the year, revealed on Wednesday that the former government never set a target date to complete the review.

“The former government commenced a review of the Privacy Act and that’s all it did. The review started, work was done by excellent officers in the Attorney General’s department… but there was no indication of when this Privacy Act review was to be completed,” he said.

Leave a Reply

Verified by MonsterInsights