Penalties, Privacy, and Procrastination: EFA Briefs Shoebridge on OAIC

Update: 8 November 2023

Not long after we briefed Senator Shoebridge (details below) ahead of Senate Estimates, where he stressed the conspicuous absence of penalties issued by the OAIC, this happened.

OAIC takes pathology company to court over data breach

The OAIC’s lawsuit against Australian Clinical Labs proves that increased pressure can drive OAIC to take action. Australians deserve a trustworthy and effective regulator.

Let’s hope this marks the beginning of an OAIC enforcement trend.

##

“Every part of the office, whether it’s FOIs [freedom of information] or prosecution for data breaches or investigation for privacy complaints, every part of your office is mired in endless delays, isn’t it?”

– Senator David Shoebridge

Biting words from an incredulous Senator David Shoebridge, who recently, at Senate Estimates, questioned Australia’s privacy commissioner Angelene Falk on the efficiency and effectiveness of the OAIC.

Electronic Frontiers Australia was asked to provide Senator Shoebridge with some talking points for Senate Estimates. In the hearing, Shoebridge amplified three of EFA’s most pressing concerns:

  • Why do OAIC investigations take so long?
  • Why have there been no penalties for the 1,748 data breaches reported to the OAIC since 2017?
  • It’s been well over a year since OAIC began investigating the Wesfarmers Group’s use of facial biometric software. Can Australia expect a resolution soon, or is this just another example of OAIC’s chronic procrastination?

You can read the full transcript here.

So, what’s the problem?

Shoebridge pointed out that 1,748 data breaches were sent to the OAIC in just two years, with not a single penalty, asking Falk:

“Why has there not been a penalty imposed or some other kind of regulatory action in relation to data breaches, given the urgent law reform that rushed through this parliament at the end of last year and the additional powers and prosecution options given to your office? Why has nothing come of it? Has a single financial penalty been applied by your office in relation to an eligible data breach?”

Angelene Falk replied that there had been no penalties. According to Falk, this was not indicative of OAIC missteps, but rather a “regulatory strategy” to ensure the office uses the right tool in the right circumstances.

This stood as a pivotal concern at the heart of EFA’s briefing. As a “regulatory strategy,” it may be reasonable in some circumstances to undertake a non-punitive approach to managing data breaches for the first 12 months of a new compliance obligation such as Eligible Data Breach Reporting, but a line must eventually be drawn.

The current ‘strategy’ cannot go on. It diminishes both the public’s confidence and trust in the OAIC as an effective regulator. There must be some real deterrent besides a mechanistic notification process to the OAIC.

Last year, the Commonwealth government expeditiously amended the Privacy Act and increased penalties significantly. This is undoubtedly a win for any regulator. But as a privacy enforcer, it’s not just about carrying a big stick; you must use it when needed.

Egregious data breaches require strict regulation and punishment.

Manufacturers of unsafe products, negligent airlines, and unhygienic restaurants can be fined for their incompetence. But when a company neglects cybersecurity and suffers an attack, there are no consequences?

Corporations face consequences when their actions put customer safety at risk. This must include data breaches and cyberattacks on the systems they choose to handle customer data.

We’ve seen the government move quickly when they want to. Will you back EFA as we turn up pressure on the government, connect with key decision-makers, and pen submissions that politicians can’t ignore? Support EFA today.

Image credit: iStock
