Foreign tech giants have warned Labor’s privacy bill increasing penalties for data breaches appears to have overreached by applying Australian privacy law to their overseas customers.
Digital Industry Group Inc (Digi), which represents Meta, Google and Twitter, as well as the Business Council of Australia and the Tech Council of Australia, have warned about the problem to an inquiry examining the urgent bill.
Some stakeholders are also pushing back against penalties of $50m or more by calling for more defences to data breach provisions, including that they took reasonable steps to secure data.
The attorney general, Mark Dreyfus, proposed the new privacy bill after the data breach at Optus, calling for its passage in 2022 to force companies to do more to protect customer data, a concern fortified by the breach at Medibank.
The bill increases penalties for serious or repeated data breaches from $2.2m to whatever is higher: $50m; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover.
It also amends the jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the act. This applies even if they do not collect or hold Australians’ information directly from a source in Australia.
The provision appears designed to prevent legal disputes like Facebook’s claim in the high court that it cannot be held liable for data breaches connected to the Cambridge Analytica scandal because it is “carrying on business in Australia”.
Digi submitted to the Senate legal and constitutional affairs committee inquiry that it supports “strengthened penalties for serious breaches”.
But it said the bill appeared to mean “if an offshore corporation carries on business in Australia through providing services to Australian end users, then the Australian Privacy Act would also apply to that corporation’s handling of information about users in any other jurisdiction where its services are available”.
“It is not clear why Australian laws seek to regulate the management of personal information that has no direct connection with Australia or with Australians.”
The BCA submitted this appeared to be “an unintended drafting error” that would mean a US company with Australian users could be liable for how it handles its overseas users’ data.
The BCA called for an amendment so that the bill “does not extend to the regulation of information with no direct connection to Australia or potentially put Australian laws in direct conflict with laws in other jurisdictions”.
The Tech Council said an amendment should specify that “the personal information collected or held must relate to an individual located in Australia”.
In its submission the attorney general’s department said the jurisdiction provision was needed because “with the evolution of technology, it can be difficult to establish that foreign organisations collect or hold personal information directly from Australia”.
“For example, they may collect personal information from a digital platform that does not have servers in Australia, and transfer it to other entities overseas for processing and storage.”
The Australian Information Industry Association warned that “disproportionately severe penalties” could be a “disincentive to good corporate behaviour and transparency around data breaches that this may lead to, including cooperation with governments”.
It called for “safe harbour” provisions so that businesses that reported breaches in a timely way and implemented improved cybersecurity “in good faith” and “with due diligence” would not be subject to penalties.
The Australian Institute of Company Directors agreed the current penalty regime is “inadequate” but called for “a reduction in the proposed maximum penalties, particularly the 30% of turnover maximum”.
It called for the introduction of a defence or safe harbour based on a company taking “reasonable steps” to secure data.
The Council of Small Business Organisations of Australia said the penalties would be “the toughest in the world” and proposed “a different penalty regime which is dependent on the entity type”.
The bill is due to be debated in parliament this week, before the committee reports back on 22 November – allowing the government to attempt to pass it in the final sitting fortnight.
• This article was amended on 9 November 2022 to clarify Digital Industry Group Inc’s position and correct an error introduced during editing.