At the same time, the 1.6 million Australian users of Sony PlayStation might be reassured that the Privacy Commissioner is on the job, investigating whether Sony in Australia, despite an apparent system failure, did everything reasonably practicable to safeguard their personal information.
But nothing has changed since the last big privacy invasive blow up a year ago-Google's street view- revealed a legal framework with plenty of holes still in need of attention:
- No public or private organisation in Australia has an obligation at law to notify those affected by any breach of privacy standards. Sony took days to admit publicly there was a problem. The ALRC recommended mandatory notification of a significant breach in 2008. The Privacy Commissioner says we need such a law. The Minister for Privacy and Freedom of Information Brendan O'Connor in today's Sydney Morning Herald says a such a system now ''appears necessary." But when?
- The Information Commissioner has no powers to impose or seek penalties if an own motion investigation finds a breach of privacy principles in the Sony PlayStation case or any other. As the Privacy Commissioner noted most recently after finding Vodafone breached privacy standards. He will no doubt say the same thing when he completes an investigation of Dell. And Sony. The minister's predecessor Senator Ludwig said the Government intended to do something about this in October 2009. He repeated it in July last year. Still for action mid 2012?
- Those affected probably have limited legal rights regardless of the loss or damage. The broader issue of a statutory cause of action for a serious unwarranted breach of privacy was recommended years ago, is yet to be considered by the government, and is listed as a second phase privacy reform issue to be considered in 2012.
- Doubts remain whether Australian law adequately covers protection of personal information collected from Australians by a company operating in this country and held overseas. This is but one of the "first phase" reform issues arising from the Government's draft revised privacy principles that a Senate committee has been looking at since mid 2010.
“We’re acting to ensure that our privacy laws are robust in changing circumstances, but Australians also need to take responsibility for their actions, particularly online.”