Foreign tech giants have warned that Labor’s privacy bill, which sharply increases fines for data breaches, appears to “overreach” by extending Australian law to their overseas users.
Digital Industry Group Inc (Digi), which represents Meta, Google and Twitter, along with the Business Council of Australia and the Tech Council of Australia, have warned of an “inadvertent drafting error” in submissions to the Senate inquiry examining the fast-tracked bill.
Some stakeholders are also challenging the penalties of $50 million or more, calling for protections against the penalty provisions such as a safe harbour for companies that have taken reasonable steps to secure their data.
Attorney-General Mark Dreyfus proposed the new privacy bill in the wake of the Optus data breach, calling for its passage in 2022 to force companies to do more to protect customer data, a concern strengthened by the subsequent breach at Medibank.
The bill increases fines for serious or repeated data breaches from $2.2 million to whichever is higher: $50 million; three times the value of any benefit obtained from the misuse of the information; or 30% of a company’s adjusted turnover.
It also amends the jurisdiction of the Privacy Act to ensure that foreign organizations carrying on business in Australia must comply with obligations under the act. This applies even if they do not collect or hold Australians’ information directly from a source in Australia.
The provision appears designed to prevent legal disputes such as Facebook’s claim in the high court that it cannot be held liable for data breaches linked to the Cambridge Analytica scandal because it is not “carrying on business in Australia”.
Digi told the Senate Legal and Constitutional Affairs Committee inquiry that it supports “enhanced penalties for serious offences”.
But it said the law appeared to mean “if an offshore corporation carries on business in Australia providing services to Australian end users, then the Australian Privacy Act will also apply to that corporation’s handling of information about users in any other jurisdiction where its services are available”.
“It is not clear why Australian laws seek to regulate the management of personal information that is not directly related to Australia or Australians.”
The BCA submitted that this appeared to be “an inadvertent drafting error” that meant a US company with Australian users could be liable for how it handles its users’ data overseas.
The BCA called for an amendment so that the bill “does not extend to the regulation of information not directly related to Australia or place Australian laws in direct conflict with laws in other jurisdictions”.
The Tech Council said an amendment should specify that “personal information collected or held must relate to an individual located in Australia”.
In its submission, the Attorney-General’s department said the jurisdiction provision was necessary because “as technology evolves, it may be difficult to establish that foreign organizations collect or hold personal information directly from Australia”.
“For example, they may collect personal information from a digital platform that does not have servers in Australia and transfer it to other overseas entities for processing and storage.”
The Australian Information Industry Association warned that “disproportionately heavy penalties” could be a “disincentive to good corporate behavior and the transparency around data breaches that this can lead to, including cooperation with governments”.
It called for “safe harbour” provisions so that businesses that reported breaches in a timely manner and implemented improved cyber security “in good faith” and “with due care” would not be subject to penalties.
The Australian Institute of Company Directors agreed that the current penalty regime is “inadequate”, but called for “a reduction in the proposed maximum penalties, in particular the 30% of turnover maximum”.
It called for the introduction of a safeguard or safe harbor based on a company taking “reasonable steps” to secure data.
The Council of Small Business Organizations of Australia said the penalties would be “the harshest in the world” and proposed “a different penalty regime depending on the type of entity”.
The bill will be debated in parliament this week, before the committee reports on November 22 – allowing the government to try to pass it in the final two sitting weeks of the year.