Australia’s banks, together with AWS and other industry lobby groups, have reacted with alarm at a government proposal to substantially increase penalties for large or repeated privacy breaches, following a spate of high-profile incidents.
The changes, if passed, could see companies fined the greater of $50 million or 30 percent of turnover.
Businesses that could face these penalties want more prescriptive guidance for the circumstances under which they would be sought.
There are also calls for a “safe harbour” or similar consideration of mitigating factors by the courts when determining a penalty amount.
The Australian Banking Association (ABA) – which counts the ‘big four’ banks and other major institutions as members – expressed concern that the Australian proposal “differs from the maximum penalties in other jurisdictions with similar economy-wide privacy legislation.”
“For a large organisation in Australia, increasing the penalty to 30 percent of adjusted turnover during a breach turnover period of three years, for example, would equate to practically the entire group turnover in a year and go to billions of dollars,” it said in a submission to parliament. [pdf]
The ABA warned that a “lack of clarity” over how and when penalties might be applied could “dampen innovation, and create an environment that hinders consumers and organisations making lawful and ethical use of data.”
It sought more granular definitions of “key concepts and terms in legislation, including ‘turnover’, ‘relevant time period’, and ‘serious’ or ‘repeated’ interference with privacy.”
The ABA also sought a “safe harbour or defences which expressly address when an entity has made reasonable efforts to ‘do the right thing’ by complying with standards for data security and protection.”
A safe harbour would allow companies to avoid fines if they met certain privacy requirements or standards.
Outside of a specific safe harbour, the ABA asked that courts be given leeway to take into account compliance “with recognised standards for security” or “robust privacy frameworks in place” at a breached entity, how quickly the breach was disclosed, and “whether an entity worked in good faith with … relevant authorities to remediate the breach.”
AWS – which is so far one of the few organisations to make a submission outside of an industry lobby – said [pdf] penalties “must be adequate to protect Australians’ personal information and promote effective deterrence” but “should not impose undue hardship on an otherwise responsible entity that already undertakes robust privacy and security practices”
“Entities should have the opportunity to demonstrate that they have taken appropriate security and organisational measures to protect personal information if an interference occurs, and these factors should be taken into consideration,” the cloud provider said.
“The bill should ensure due consideration is given to any aggravating or mitigating factors.”
Mitigating factors, according to AWS, are the same as those raised by AWS, with the exception of “whether the entity has provided the affected individual(s) with remedies.”
AWS argued that penalties “should also be proportionate to the harm caused to individuals by an interference with privacy.”
The Australian Information Industry Association (AIIA), a major technology industry group, backed calls for a safe harbour provision.
It also said that “the arbitrary nature as well as the quantum of increases in penalties … could have unintended consequences”.
“A safe harbour from penalties for businesses that can demonstrate good faith and due diligence in reporting, including by implementing best-practice cyber security frameworks, would ensure that the system encourages transparency and willingness to both resolve major data breaches and seek assistance in doing so,” the AIIA said.
“A focus on incentivising help-seeking and reporting behaviours by businesses subject to data breaches should be the focus of government and any legislation.”
The parliamentary inquiry has a very truncated reporting date of November 22.