Response to the Commonwealth of Australia Attorney General's Discussion Paper on Mandatory Data Breach Notification (October, 2012)

Abstract

This submission contends that a mandatory data breach notification scheme should be implemented in Australia, initially via the Privacy Act, as suggested by the ALRC and outlined in the Discussion Paper. However, whilst mandatory data breach notification schemes are extremely useful at highlighting the extent of problems, these schemes do not have the regulatory tools to remedy the problems that they uncover. Moreover, the utility of implementing a data breach notification scheme via the Privacy Act is likely to diminish over the medium to long term given the limits of notification as a consumer remedy and the conceptual conflict at the heart of data breach notification regimes. In order to maximise the potential outcomes of a mandatory data breach notification scheme, the purpose of data breach notification should be considered within a much wider ambit – the protection of critical information infrastructure protection. This requires a revisioning of the purpose of notification in conjunction with the development and implementation of new regulatory structures to coordinate remedial responses. An Australian mandatory data breach notification should therefore be viewed in a comprehensively different perspective that regards different levels of social activity and a re-evaluation of the scheme’s role. The revision moves beyond the limited application of individual rights and shifts regulatory focus to the societal interests that pertain to the protection of personal information and the infrastructures of information exchange. An Australian mandatory data breach notification scheme could therefore provide a transitory passage that attempts to take regulation from the identification of a significant problem (e.g. inadequate information security of personal information that requires notification) eventually to a potential solution (e.g. the implementation of effective security measures and competent monitoring).