Avoiding a country that cries 'data breach'

Australia needs to reconsider the Privacy Alerts Bill. While it sounds good in theory, it will ultimately lead to a situation where companies err on the side of caution and spam data breach notifications, diluting their intended impact.

RMIT University’s Mark Gregory says I “doth protest too much” about the Privacy Alerts Bill 2013. I think there’s good reason to protest about it. It’s a bad piece of legislation.

All legislation needs to be considered and thought through, and this bill has not been. As a lawyer who’s helped shape privacy law here and overseas, I can tell you that knee-jerk law is dangerous and can lead to consequences that directly contradict the purpose of the legislation.

Take the UK cookies law. It was a good idea in theory to require businesses to gain consent from consumers before using cookies, but in reality the consent notification merely became an annoyance for consumers, and disabling cookies significantly degraded the customer's online experience, so much so that subsequent guidance backed away from an absolute requirement for consent.

Yes, I may represent the interests of marketers, but I’m also a consumer who thinks the protection of consumer information is paramount. But this legislation as it stands doesn’t offer much in the way of benefits to either business or consumers.

If this law passes in its current form you will see that consumers will be flooded with data breach notifications as there is no clarity around what a ‘real risk of serious harm’ means under the legislation.

Without such clarification, organisations will err on the side of caution and send a constant stream of notifications to consumers. And this will quickly become annoying. It will be like the boy who cried wolf: consumers are likely to switch off so they are not paying attention when it does matter.

And it won’t be a picnic for the government either. The regulator will find itself overrun with data breach notifications to investigate, and the Privacy Commissioner has already said that he doesn’t have the resources to investigate them all. So what will happen then?

To give you an idea of the paper mountain that awaits Timothy Pilgrim and his staff -- in a recent speech, Attorney General Mark Dreyfus cited a report from McAfee claiming 21 per cent of Australian businesses had suffered data breaches. In 2012, there were 2,141,280 businesses trading in Australia. That means the Privacy Commissioner can expect to be investigating 449,669 potential data privacy breaches once mandatory positive reporting takes effect.

This is unworkable -- for consumers, government and business!

Another issue is that business will have to put in place very costly systems to ensure they are compliant. This new regulation has come at a time when companies are already grappling with a whole new series of privacy laws that will come into effect in March 2014.

Those compliance costs have to be made up somewhere and you can bet they will be passed on to consumers, which won’t make them very happy.  

I believe the Privacy Alerts Bill 2013 will have economic consequences for the country at a time of relative weakness in the wider economy. Business will be stifled and consumers will have to pay higher prices. It’s not a win-win.

As I’ve said to many people, we have guidelines on data breach notifications and they are working well. There is no evidence of a failure in the system that justifies creating a heavy-handed reporting regime.

What I’m asking for is for government to undertake a proper consultation with business and organisations like ADMA so we can come up with a solution that meets the needs of consumers so they feel reassured and also helps business and the economy.

I have written to the Leader of the Opposition in the Senate, the Hon Eric Abetz and to members of the Senate Legal and Constitutional Affairs Committee, to voice my concerns and I’ll be keeping a watching brief on it when Parliament resumes.

Seriously, why not let business get to grips with the new Privacy Act because that’s already complex enough?  Let’s get that right and then we can look at what else needs to be done.

This piece was published in reply to Mark Gregory’s ‘Can data breach notification laws survive the election?’.  

Jodie Sangster is CEO of the Association for Data-driven Marketing and Advertising. You can follow her on Twitter at @jodiesangster.