On 3 December 2015 the Australian Government released an exposure draft of its long-awaited mandatory data breach notification bill (the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015). If passed, the bill would require private sector organisations and Federal government agencies to notify the Federal Privacy Commissioner and affected individuals of serious data breaches.
The exposure draft of the bill, explanatory memorandum, Regulatory Impact Statement and a Discussion Paper are available here. Submissions can be made until 4 March 2016.
The draft bill retains a number of structural similarities to the draft bills previously proposed by the opposition Labor party in 2013 and 2014, and includes a revised formulation of the “real risk of serious harm test” that was recommended by the Australian Law Reform Commission in 2008 and is currently used in the voluntary notification guidelines issued by the Australian Privacy Commissioner. The differences between the draft bill and its predecessors are largely incremental in nature, and do not alter the essential elements of the regime.
There is significant public support for, and broad political consensus on, the introduction of a mandatory notification requirement in Australia. While the timeline for implementing the proposed regime following consultation is not yet finalised, it appears that it is only a matter of time before data breach notification requirements become law in Australia.
Who does it apply to?
What is the trigger for the notification requirement?
Who must be notified?
What are the penalties for non-compliance?
One key area of improvement under the new bill is the greater emphasis placed on establishing “reasonable grounds” for determining that a “serious data breach” has occurred before deciding to notify. This is an issue of critical importance, as it marks the line between notifiable and non-notifiable breaches.
Accurate information can be difficult to come by in the immediate aftermath of a data breach incident, and assessments of the scale and severity of a data breach incident often evolve rapidly as new information becomes available.
There are significant potential pitfalls for entities in choosing to notify individuals or publicising information before the entity has the full picture. In light of this, the introduction of an “assessment period” of 30 days to allow the entity to more fully investigate the breach seems sensible.
It’s interesting to note that, under the current drafting, the Commissioner needs to be satisfied that “reasonable grounds” exist before he can assert that the notification obligation applies. It’s not yet entirely clear how the Commissioner will apply this requirement when reviewing an entity’s handling of a data breach incident, given that risk assessments are often conducted under time pressure and with limited information.
The introduction of data breach notification requirements would significantly strengthen Australian privacy laws, and would bring Australia in line with a range of other jurisdictions that have already implemented, or are in the process of implementing, data breach notification laws (such as the EU and certain US states).
The implications for Australian businesses (and foreign businesses conducting business in Australia) are likely to be significant and far-reaching. Australian companies that use off-shore data processing services are particularly likely to be impacted.
We recommend that businesses start preparing for the introduction of notification requirements now, by ensuring that they have appropriate operational procedures (and contractual rights) in place to identify, assess and manage data breaches when they occur.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.