Tuesday, September 16, 2008

Australian Commission Proposes Data Breach Notification, Other Changes to Privacy Act

This posting was written by Tom Long, Editor of CCH Privacy Law in Marketing.

The Australian Law Reform Commission (ALRC) has recommended sweeping changes to Australia's privacy laws—including the addition of breach notification requirements—in a report released August 11. The 2,700-page report, entitled “For Your Information: Australian Privacy Law and Practice,” was the culmination of a research and consultation exercise conducted over two years.

"Although the federal Privacy Act is only 20 years old, it was introduced before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge our capacity to safeguard our sensitive personal information,” ALRC President Professor David Weisbrot said. “The Privacy Act has worked pretty well to date, but it now needs a host of refinements to help us navigate the Information Superhighway."

Privacy Principles

The report recommends simplifying and streamlining the Privacy Act and related laws, as well as amending the Act to prescribe a single, uniform set of Privacy Principles to apply to all federal government agencies and the private sector.

A key proposal by the ALRC calls for government agencies and business organizations to be required to notify individuals—and the Privacy Commissioner—when there is a risk of serious harm occurring as a result of a data breach.

According to the ALRC, the Privacy Commissioner's complaint-handling procedures need to be strengthened, and federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.

Private Cause of Action

In addition, Australian federal law should provide for a private cause of action for individuals who have suffered serious invasions of privacy, the report said. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction, or an apology. The ALRC's recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.

The report also calls for improvements to Australian laws and regulations on cross-border data flows, health privacy, and children's privacy. In particular, intensified efforts to educate young people about privacy issues are necessary, the ALRC said.

The full text of the report is available here at the Austrlian Law Reform Commission website.

No comments: