A major rewrite of Australia’s 40-year-old privacy laws could cost big businesses thousands of dollars per customer and would likely mean big, expensive overhauls of how they structure and store data to comply.
The reforms come after damaging cyberattacks on Optus and Medibank revealed the Office of the Australian Information Commissioner’s lack of powers to force standards. “The Privacy Act is no longer fit for purpose, and does not adequately protect Australians’ privacy in the digital age,” Attorney-General Mark Dreyfus told parliament on Thursday., appeared in Federal Court seeking redress and to force Medibank to de-identify and delete data that is no longer required.
“Plaintiff class action law firms will warmly embrace this proposal,” he said. The OAIC will need beefing up to cope and is “struggling under the weight of freedom of information review requests and notifiable data breaches”. Andrew Sheridan, Optus’ vice president of regulatory affairs, said the company supported the proposals in principle, and wanted to work through issues related to appropriate use of customers’ data. A spokeswoman for Medibank said it was supportive of the review and was looking at the proposals. Microsoft and Google did not respond to requests for comment.