The Information Commissioner has called for the updating of the national Privacy Act, including the introduction of mandatory data breach laws, to cope with the impact of technology on the privacy of Australians.
In a submission on the government’s Issues Paper investigating changes to the Privacy Act (PDF) the Commissioner said recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia.
“[The OAIC] considers recent developments in technology mean that consideration should be given to providing for additional ways of protecting individuals’ privacy in Australia,” the submission reads.
“In addition to legislative amendments to enhance privacy regulation to include entities and practices not currently covered by the Privacy Act, mandatory data breach notification could be introduced which would assist in minimising the impact and damage of breaches — it would ensure that privacy breaches are investigated and that individuals are made aware when a breach may have compromised their personal information.”
The submission also argues that privacy breaches can now occur in an increased number of ways and the potential scale of breaches has also increased over time as has the potential impact of and damage caused by privacy breaches.
“In addition, there is uncertainty as to how the Privacy Act applies to personal information submitted via the internet by individuals in Australia to an overseas organisation,” the submission reads. “Further… the Privacy Act is limited in the protection it offers to the acts or practices of agencies and organisations covered by the Act.
“As well as providing exemptions for a number of entities, acts and practices, the Privacy Act is limited to protecting information privacy. It does not, for example, protect invasions of bodily or territorial privacy. Technological developments have similarly increased the scope and methods by which these other types of privacy may be invaded, and the potential impact and damage caused by such invasions.”
In its submission (PDF), Telstra argued that the existing powers of the Australian Privacy Commissioner together with other legislative measures provide a sufficient level of protection to individuals whose privacy has been breached.
The telco argues that the introduction of a statutory cause of action for privacy could create uncertainty as to what conduct may give rise to a cause of action resulting in a reluctance to disclose information, as well as the potential for interference and conflict with existing and established laws and processes.
According to law firm Clayton Utz, a new cause of action would allow an individual to sue another individual, organisation or government entity for a serious invasion of privacy.
According to Telstra, the introduction of the cause of action could also have an adverse impact on freedom of communication in Australia both in relation to the media and at an individual level, and place Australian media businesses at a disadvantage relative to their overseas internet counterparts. Such a move could also discourage online businesses from having assets or a physical presence in Australia, and a large range of privacy claims amongst individuals and against businesses and governments.
In its submission (PDF), Optus said it was alarmed by the prospect of the implementation of a statutory cause of action.
“Optus is highly concerned by the (likely unintended) adverse consequences which would arise if the government was to implement a Statutory Cause of Action at this juncture, especially without first conducting a full Regulatory Impact Assessment,” the submission reads.
“Optus would make the point that it is supportive of Privacy law reform; however, at this stage it is unable to support the introduction of a Statutory Cause of Action for Serious Invasion of Privacy.”
Follow Tim Lohman on Twitter: @Tlohman