As Australia Marks Anniversary of Privacy Act Changes, Enforcement Actions Might Follow


By Murray Griffin

March 13 — As Australia marks the first anniversary of major changes to the country's privacy law, a lawyer said March 13 that the nation's privacy commissioner will focus much more heavily on compliance in the coming year.

Sydney-based DLA Piper Partner Alec Christie also told Bloomberg BNA that businesses operating in Australia would likely soon face a mandatory obligation to notify of data breaches.

The government is attempting to steer a bill through Parliament that would require Internet service providers to store metadata for two years, he said.

Mandatory data breach notification is “certainly something they are talking about to sweeten the metadata bill,” by demonstrating there will be suitable safeguards, Christie said.

104 Voluntary Breach Notifications

March 12 marked the first anniversary of the effective date of changes to the federal Privacy Act 1988, which included a new set of privacy principles and expanded powers for Privacy Commissioner Timothy Pilgrim.

The amendments, however, didn't include mandatory data breach notification as recommended by the Australian Law Reform Commission in its 2008 review of the nation's privacy law. The government said at the time that mandatory data breach notification would be dealt with in subsequent legislation.

In August 2014, the Office of the Australian Information Commissioner revised its guidance on data breach notification to account for amendments to the framework privacy law. The guide strongly recommended breach notification but didn't require it.

In the year since the changes to the law took effect, the commissioner's office received 104 voluntary data breach notifications and recorded a 43 percent increase in privacy complaints, according to a March 12 statement by the office.

“Over the last year we have focused on working with business, government agencies and the wider community to ensure that everyone has the tools and information they need to understand and implement the changes,” Pilgrim said in the statement.

Enforcement on the Horizon

Christie said the commissioner had worked hard to promote the overhauled Privacy Act over the past year.

“I think there is certainly more awareness and appreciation of privacy obligations at the big end of town and among those people who deal with information as their core business,” he said.

But in other parts of business, there is still a widespread misconception that privacy isn't important or that companies can't be fined for privacy breaches, he said.

Those businesses could be in for a rude shock, according to Christie.

“I see this year that has just gone, with a couple of exceptions, as the privacy commissioner pushing the education barrow,” he said.

“I see the next 12 months as the—for want of a better word—the ‘punishment 12 months,’ ” Christie said. The commissioner “is now going to punish people that haven't learnt the lesson.”

Random Audits

Christie said that the privacy commissioner in February told a conference that he would be conducting random audits of 21 organizations to check whether their online privacy policies comply with the overarching Australian Privacy Principle 1, which requires the open and transparent management of personal information.

Although the organizations to be audited are yet to be named, they are bound to include some major companies, Christie said.

He added that the privacy commissioner had already shown a willingness to exercise his new powers to conduct own-motion investigations. The commissioner's reports on those investigations, Christie said, had already evolved to give much more direct appraisals of what mistakes had been made.

Christie said that the introduction of mandatory breach notification, if it occurs, would inevitably result in many more breaches being reported and becoming public.

Many organizations still take advantage of their right not to report data breaches, while some companies that do report breaches to the commissioner have still been able to keep them out of the public eye, Christie said.

Once there is mandatory notification, “it is all going to be public,” he said.

To contact the reporter on this story: Murray Griffin in Melbourne at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

The Feb. 11 speech by Pilgrim announcing the 21 forthcoming audits is available at http://www.oaic.gov.au/news-and-events/speeches/privacy-speeches/privacy-governance.