Should consumers know when their privacy is breached?

Last week, Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.

The Commonwealth Attorney-General’s Department is now consulting with various groups regarding a more controversial provision that was left out of the bill: a requirement that companies notify customers in the case of a data breach. Both the Office of the Australian Information Commissioner (OAIC) and the Australian Communications Consumer Action Network (ACCAN) have made submissions in support of a data breach notification law.

Several high-profile cases of unauthorised access to personal information have taken place in recent years, but many more are thought to go undisclosed. This law would require an organisation to notify affected individuals and the Privacy Commissioner when personal information was disclosed to or obtained by unauthorised parties through, for instance, hacking attacks or the loss of storage devices containing customer records.

ACCAN’s submission argues that “for data breaches business has an obligation to inform both affected individuals and the Privacy Commissioner, and that there should be a penalty or sanction for those who do not comply with a legislative requirement to notify.”

Exactly what would constitute a data breach worthy of reporting is still an issue of debate. The OAIC stated that notification should be triggered if the breach “gives rise to a ‘real risk of serious harm’ to an individual.” ACCAN sought a broader trigger in its submission, worried that ‘serious harm’ would be difficult to define. However, ACCAN said it recognises “the concerns of ‘notification fatigue’ if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue.”

Opponents of the measure argue that mandatory breach notifications would lead to ‘unnecessary alarm’ and that ‘consumers will tune out if every minor incident is reported’. However, ACCAN argues that “hiding relevant information from consumers is not an appropriate basis for managing consumer concern.”

ACCAN also stated that it is important “that the costs associated with compliance with a mandatory data breach notification requirement should not be passed on to consumers”, and that “a public register of breaches should be maintained by the Commissioner.”