Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Does Australia’s New Law Setting Privacy Breach Fines of $1.1 Million Have Real Teeth? Or Is It Just Flapping Its Gums?

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

A new Australian law gives the Australian Privacy Commissioner the power to issue million-dollar fines to government agencies and companies for serious and repeated privacy breaches.

Commonwealth Attorney-General Nicola said the law, which takes effect in fifteen months, is the most significant change to privacy laws in more than twenty years and gives privacy commissioner Timothy Pilgrim the power to investigate companies and government agencies, in the same way he currently can individuals.

Pilgrim told the Sydney Morning Herald, “I can get written undertakings and if they’re not complied with, I can get them enforced through the courts and where there is a serious or repeated breach, go to court to ask civil penalties (up to $1.1 million) be imposed on them.”

Pilgrim will also be able to require companies to develop privacy codes for new technologies that collect customers’ personal information, “If there is no one in the industry to do so I will be able to impose (codes) … this is the way the act is being developed in a technology-neutral way.”

While the new law may sound tough, the opinion of Australian Privacy Foundation’s policy committee chair Nigel Waters is that it will make little difference to people’s privacy protections because it doesn’t provide a right to have a complaint determination made.

“The Commissioner has had the power under the (Privacy) Act since 1988 to make a determination which sets out whether he thinks laws have been broken and to produce remedies … the problem is successive commissioners have only made nine (determinations) in 23 years.”

“Without a determination the complainant can’t appeal to the courts. We’ve had thousands over the years denied the right to know what the commissioner thinks about their complaints and to challenge them if they don’t agree.”

Pilgrim’s response was that most complaints were resolved privately.

Whatever the case, the law also has implications for customers’ personal data. Now, credit card companies will be able to record and provide banks with customers’ repayment histories. If a loan that’s in default hasn’t been paid off in two weeks, the credit provider is permitted to give that information to banks.

And, under the new law, companies will now be responsible for the way their customers’ personal information is handled by their offshore counterparts.

In brief, changes made by the new law are:

– Companies are allowed to give customers’ personal information to offshore counterparts, such as call centers, but are responsible for the way the call centers deal with the information.

– Credit providers may give customers’ repayment histories to other organisations if a loan hasn’t been paid back two weeks after default.

– Companies are required to give people an easy “opt-out” from direct marketing material, regardless of whether personal information was collected initially for direct marketing or for a secondary use.

By ThreatMetrix Posted