What Australia can learn from Europe’s ‘gold standard’ data laws after the Optus leak

After the significant Optus data breach, the federal government should quickly enact legislation modelled after the General Data Protection Regulation (GDPR) of the European Union to protect Australians, says a UNSW Sydney law expert.

The EU’s GDPR has been lauded as the industry benchmark for safeguarding customer data because it established the strictest privacy standards yet enacted.

On Sept 21, Optus, Australia’s second-largest telco, suffered a major data breach in which the personal information of potentially millions of customers was leaked by a malicious cyber-attack. Customers’ names, dates of birth, phone numbers, and email addresses may have been compromised, according to Optus.


Tony Song, a Research Fellow for the NSW Law Society’s Future of Law and Innovation (FLIP) research stream at UNSW Law & Justice, believes the serious data breach at Optus that exposed millions of Australians to fraud should prompt a full rethink of the country’s consumer laws.

EU’s General Data Protection Regulation

A legal framework for data protection and privacy, known as the “toughest privacy and security regulation in the world,” was put into effect by the European Union (EU) on May 25, 2018.

Mr Song argues that the GDPR is a revolutionary law not only because of its severe and stringent penalties, which can reach hundreds of millions of dollars, but because it is the product of six years of negotiation between member states within the EU’s institutional framework: the European Parliament, the European Council, and the European Commission.

“I think our laws should at the very least be updated to match the EU’s GDPR, which has become something of the gold standard for data protection regulation,” Mr Song said.

“This means increasing the penalties not just for the cybercriminals, as suggested by Shadow Home Affairs Minister Karen Andrews, as this will not effectively deter bad actors, who will assume they will not get caught anyway, but actually for the companies that hold, use and process all our data,” he said.

Australia is now reviewing the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which is largely influenced by the GDPR and the California Consumer Privacy Act of 2018. The GDPR defines an array of legal terms at length; the most important ones are set out below:

Personal data – Personal data is any information relating to an individual who can be identified directly or indirectly. Names and email addresses are obviously personal data. Personal data can also include location information, race, gender, biometric data, religious beliefs, browser cookies, and political opinions. Pseudonymous data can also fall within the definition if it is relatively easy to identify someone from it.

Data processing – Any action performed on data, whether automated or manual, is referred to as data processing. Collecting, recording, arranging, organising, storing, using, erasing… virtually any operation is covered by the text.


More on Australia’s bill based on the EU’s GDPR

Australia is planning changes to its privacy rules so that banks can be alerted faster following cyber-attacks on companies. According to media reports, the federal government is considering legislation obliging businesses to notify banks when customer data is compromised, allowing lenders to monitor affected accounts for suspicious activity.

Increased fines: In the EU, the maximum GDPR penalty is €20 million or 4 per cent of the firm’s global yearly revenue. According to Mr Song, the proposed legislation would raise the maximum penalty from $2.2 million to $10 million, three times the benefit obtained from the wrongdoing, or 10 per cent of the organisation’s turnover in the 12-month period preceding the conduct.

Increased consumer coverage: According to the Bill, broadening the definitions of ‘personal information’ and ‘collection’ would better align Australian law with the GDPR’s concept of ‘personal data’, meaning any data or information relating to an identified or identifiable person, rather than just information ‘about’ a person as it is currently defined.

The other side

The GDPR, according to Matthias Orthwein, Vice-Chair of the IBA Technology Law Committee, is the gold standard that “no one can use that other countries will think is beautiful but can’t work with it.”

According to Innocenzo Genna, Website Officer of the IBA Communications Law Committee and an EU public affairs consultant, while the regulation has been effective in raising awareness of data protection issues, regulators’ apparent reluctance to take enforcement action against internet giants, in particular, is becoming problematic.

“The reality is that so far, there have been no strong GDPR sanctions,” he says.

In Australia, the Australian Competition and Consumer Commission has proposed legislation that reflects much of what the GDPR offers. However, Angela Flannery, Working Group Coordinator of the IBA Communications Law Committee and a partner at Holding Redlich, notes that Australian authorities were already concerned that anything too similar to the GDPR would result in notification and consent fatigue on the part of consumers. The fact that so little enforcement action has been taken in Europe has further weakened the case for aligning the Australian legislation too closely with the EU’s.

“I don’t think the Australian government is particularly enamoured with the idea that Europe put it in place first, and therefore, we should all do what the Europeans are doing, particularly as there is no data that indicates that the GDPR has improved things for consumers,” says Flannery.

“We watch what’s happening in Europe, and there hasn’t been a significant number of cases since the GDPR. There hasn’t been a huge change in regulatory practice.”

Source: UNSW

Read more from the International Bar Association.