Additional Comments by Senator Paul Scarr

I agree with each of the three recommendations of the committee detailed in the report.
In relation to the review of the Privacy Act 1988 (the Privacy Act) referred to in paragraph 3.4, I support the consideration by the Attorney General’s Department of the matters referred to in paragraph 3.5.
There is an additional matter which, in my view, should be the subject of a recommendation; namely, the drafting of the maximum penalty provision.
I note the discussion in the report in relation to the increase in maximum penalties and the structure of the maximum penalties proposed to be inserted in section 13G for body corporates. In my view, the report does not go far enough in this regard. Numerous stakeholders have raised concerns with respect to the drafting of this section and rightly so.
For ease of reference, I quote the proposed wording:
(3) The amount of the penalty for [a serious or repeated interference of privacy] is an amount not more than the greater of the following:
(a) $50,000,000;
(b) if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly, and that is reasonably attributable to the conduct constituting the contravention – 3 times the value of that benefit; and
(c) if the court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period for that contravention.
The proposed wording is problematic for a number of reasons:
(a) It presupposes that there has been some benefit generated through the conduct constituting the contravention (it refers to ‘the benefit’ in paragraph (b) rather than ‘any benefit’). However, in circumstances where a body corporate has been the subject of a cyber-attack and is found to have engaged in conduct constituting the contravention because it was (for example) wilfully reckless or grossly negligent in protecting the personal information/data, what is the benefit that the body corporate received? There is no readily identifiable benefit. (It is noted that one could possibly attempt to construct a ‘benefit’ based on the additional cost that the body corporate would have incurred had it had in place sufficient protections to prevent the hack, but this is a somewhat torturous exercise, and it is not clear that the term ‘benefit’ is intended to cover such cost savings).
(b) The issue in paragraph (a) leads to the observation that the maximum penalty clause makes no distinction between circumstances where a body corporate may be the subject of a cyber-attack and therefore an unwilling participant in the privacy breach, as opposed to a body corporate that is a willing participant in (or actively initiates) a privacy breach for financial benefit.
(c) There is a potentially precipitous escalation of the maximum penalty to 30 per cent of adjusted turnover which could be disproportionate because there is an issue of calculation of the benefit.
(d) There is no tiering of the penalty to account for the spectrum of body corporates (based on size and purpose) that could be subject to the penalty, which means that a small to medium sized enterprise/charity is subject to the same maximum penalty as a very large multinational company which should have the most sophisticated cyber defences available.

Recommendation

Given the amount by which the existing penalty is proposed to be increased, it is strongly recommended that the maximum penalty clause be reconsidered to address the above issues.
Senator Paul Scarr
Deputy Chair
