Additional Comments by Senator David Shoebridge

There was significant concern amongst stakeholders and witnesses regarding the structure of the proposed new penalty regime. While there was near universal support for increasing the maximum penalty to up to $50 million, the lack of a tiered penalty regime and the drafting of the amendments to section 13G of the Privacy Act 1988 created significant weaknesses in the privacy regime.
The proposed model that seeks to link the maximum penalty for breaches to the benefit received through the privacy breach was modelled on competition law. There is common sense in linking maximum penalties to the benefit received when the offence in question is a breach of competition laws. When corporations engage in practices to manipulate markets or engage in other anti-competitive conduct, the returns can be in the billions of dollars. For this reason, a maximum fine in the tens of millions of dollars would be ineffective.
In the privacy space, the benefit that corporations obtain from privacy breaches is far more ambiguous. For many entities there is a net loss from privacy breaches; think for a moment of the reputational damage currently being done to Optus and Medicare from their data breaches. It appears that in neither of these cases was the privacy breach intentional; the ‘benefit’, if there was one, was historic underinvestment in cyber security.
It is not clear from the drafting if the ‘benefit’ is the net benefit received. It is also not clear how the proposed alternative maximum fine, of up to one-third of the annual turnover, will be engaged where there is no benefit or the benefit is hard to determine. These difficulties arise from taking provisions designed for one part of the law and unthinkingly applying them to this. There is a need for the government to closely consider these drafting issues as a matter of urgency.
As noted above, the proposed increase to a maximum $50 million penalty is broadly supported, including by the Greens. However, removing the existing penalty and having only a one-size-fits-all offence with a maximum penalty of $50 million leaves the regulator with only one button to push: the nuclear button, with a potentially financially disastrous fine. As the majority of contributors to the inquiry made clear, there is a need for a far more nuanced approach with tiered penalties. For that reason, there would be real benefit in agreeing to the larger maximum fine for serious or repeated breaches while keeping the existing penalty for lesser breaches which are not necessarily serious or repeated.
When it comes to resourcing, it was abundantly clear from this inquiry that the Office of the Australian Information Commissioner is seriously underfunded. As the Commissioner noted in her evidence, her UK equivalent regulator has 10 times the staff. The Commissioner also noted that the $5.5 million obtained to undertake her investigation into just one breach, the Optus breach, fairly represented what a complex investigation would cost. So it is fair to ask how the office will properly investigate the raft of other data breaches already seen, not least Medibank.
With a total budget of just over $33 million annually, from which all of the FOI and privacy work must be undertaken, there is an obvious lack of practical capacity for the OAIC to undertake any more than one serious privacy breach investigation at a time. This lack of financial capacity is even clearer when you consider that the FOI work is already chronically delayed and underfunded, causing year-long delays in resolving reviews. The end result may well be that the Parliament agrees to tougher penalties but the government starves the regulator of the funds to ever seriously enforce them. That at best is a pyrrhic victory for data security.
Senator David Shoebridge
Greens Senator for New South Wales