Repeat Offenders Should Face Serious Consequences.

Don’t do the crime if you can’t do the time. Image: Shutterstock

Company directors who oversee repeated and wilful privacy breaches should face the prospect of jail time, the ACS (Australian Computer Society) has said in its submission to the Australian Attorney General’s Department’s Privacy Act Review Report.

Responding to a proposal for creating low- and mid-tier civil penalties for breaches of the act, ACS called on the government to consider imposing severe consequences on organisations that are knowingly in breach yet accept fines as a “cost of doing business”.

“In those cases, civil penalties may not be sufficient, and we would recommend investigating criminal penalties for those who knowingly and wilfully breach privacy laws,” the submission read.

“For these entities there must be a significant penalty which a board or executive will take seriously, and directors responsible for those choices should face potential jail time for repeated offences.”

The Privacy Act review contained 116 proposals over 320 pages and took three years to deliver, spanning two different governments.

Along with a more nuanced penalty regime, the Attorney General’s Department recommended a direct right of action for people to “apply to the courts for relief” in the case of privacy breaches.

Australians are reeling after a spate of high-profile attacks on health insurer Medibank, large telco Optus, and financial services company Latitude has seen millions of sensitive records and identity documents exposed to cyber criminals.

In its review, the department noted that a direct right of action “would increase the avenues available to individuals who suffer loss as a result of an interference with privacy to seek compensation” and may “increase consumers’ bargaining power with businesses that collect and use their personal information”.

While ACS agreed “in principle” with allowing people to seek relief from the courts, it urged the government to be careful in how this is implemented so that courts and organisations aren’t “overwhelmed with cases”.

Similarly, ACS wants to see the changes aligned to cyber security expectations so that an organisation “that has undertaken reasonable steps to protect itself from cybercrime, but still falls victim to an attack” is not inundated with lawsuits unless it has breached the Privacy Act in other ways.

Closer to the GDPR

Overall, ACS said it was “in agreement with the majority of changes” in the Privacy Act review and welcomed reform work that would see Australia’s privacy laws “more in line with modern privacy statutes like the GDPR”.

Among those proposed changes is a right to erasure, which would give people the right to request organisations delete “any of their personal information”, including where data has been provided to a third party.

The government has also proposed a right to de-index certain online search results such as sensitive information, information about a child, excessively detailed information, or information that is “inaccurate, out-of-date, incomplete, irrelevant, or misleading”.

Earlier this year, a South Australian woman won a defamation case against Google after the company failed to de-index defamatory forum posts.

While ACS agrees de-indexation is a positive proposal, it warns that there could be “substantial scope for abuse of the system” unless it is clarified what is meant by information that is ‘incomplete’, ‘irrelevant’, and ‘misleading’.

In terms of automated decision-making (ADM), ACS wants to see the government lean closer to the GDPR.

The Attorney General’s Department proposed “a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made” as part of “broader work to regulate AI and ADM”.

But ACS, which welcomed “greater transparency and explainability around automated decision-making”, said it wanted to see rules around ADM “go further” to be more in line with Article 22 of the GDPR, “which highlights a right to human intervention in decision-making processes if requested”.

“Companies should be required to have processes in place in cases where an automated decision is contested,” ACS said.

This article was first published in ACS Information Age