(Feb. 15, 2017) On February 13, 2017, the Australian Senate voted to pass the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Parliament of Australia website). The House of Representatives had passed the bill on February 7, 2017.
The Office of the Australian Information Commissioner (OAIC) currently has a voluntary notification system for data breaches and has published best practice guidance on handling them. (OAIC, Data Breach Notification – A Guide to Handling Personal Information Security Breaches (Aug. 2014).)
Background
The establishment of a data breach notification requirement was recommended by the Australian Law Reform Commission (ALRC) in its 2008 report titled For Your Information: Australian Privacy Law and Practice (ALRC Report 108 (Aug. 2008)). The Parliament has since enacted amendments to the Privacy Act 1988 (Cth) to implement many of the Commission’s recommendations, but these did not include a mandatory notification system for data breaches. (See Kelly Buchanan, Australia: New Privacy Law Comes into Effect, GLOBAL LEGAL MONITOR (Mar. 21, 2014).) The previous government had introduced legislation on this issue in 2013, but it failed to gain sufficient support prior to the election that year. (Privacy Amendment (Privacy Alerts) Bill 2013, Parliament of Australia website.)
The current government again took up the issue in 2015, following a report by the Parliamentary Joint Committee on Intelligence and Security, which recommended the “introduction of a mandatory data breach notification scheme.” (Parliamentary Joint Committee on Intelligence and Security, Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, at xxv (Feb. 27, 2015); Press Release, George Brandis & Malcolm Turnbull, The Australian Government has Responded to the Inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Mar. 3, 2015), Attorney-General for Australia website.) In December 2015, the Attorney-General’s Department released a discussion paper and exposure draft of a serious data breach notification bill for public comment. (Serious Data Breach Notification, ATTORNEY-GENERAL’S DEPARTMENT (last visited Feb. 13, 2017).) The resulting bill was introduced in the Parliament in October 2016.
The Explanatory Note for the 2016 bill recognizes international developments since the ALRC’s report, including that “[i]n the United States, 47 states, the District of Columbia and three territories have implemented mandatory data breach notification” and a national standard had been proposed by President Obama in January 2015. In addition, “the European Union has introduced regulations that mandate data breach notification. In May 2014, New Zealand announced plans to introduce a two-tier mandatory data breach notification scheme. On 16 June 2015, Canada passed legislation to introduce a national mandatory data breach notification scheme.” (Privacy Amendment (Notifiable Data Breaches) Amendment Bill 2016: Explanatory Note 9 (George Brandis) (Oct. 2016).)
Features of the Bill
The 2016 bill amends the Privacy Act 1988 (Cth) (Federal Register of Legislation) “to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act.” (Explanatory Note, supra, at 2.) Under the amendments, organizations must report an “eligible data breach” to the OAIC and notify affected customers immediately. An eligible data breach occurs “where personal information held by an entity is subject to unauthorised access or unauthorised disclosure and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the personal information relates.” (Id. at 59; Privacy Amendment (Notifiable Data Breaches) Bill 2017, sch 1 item 3, inserting new section 26WE(2), Parliament of Australia website.)
There is an exception for situations where the entity takes remedial action before the access or disclosure results in serious harm. (Privacy Amendment (Notifiable Data Breaches) Bill 2017, sch 1 item 3, inserting new section 26WF.) Other exceptions relate to law enforcement-related activities and the application of secrecy provisions in other laws. (Id. sch 1 item 3, inserting new sections 26WN & 26WP.)
The bill specifies that the statement to the OAIC must include a description of the data breach, the kinds of information involved, and recommendations for steps that those affected should take in response to the incident. (Id. sch 1 item 3, inserting new section 26WK.) Affected individuals must then be notified of the contents of the statement. (Id. sch 1 item 3, inserting new section 26WL.) The OAIC may also direct an entity to provide notification of an eligible data breach that it believes to have occurred. (Id. sch 1 item 3, inserting new section 26WR.) A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act 1988 (Cth) can be penalized with a fine of up to AU$360,000 for individuals and AU$1.8 million for organizations (about US$274,560 and US$1.37 million, respectively). (Id. sch 1 item 2, inserting new section 13(4A); Privacy Act 1988 (Cth) s 13G; Crimes Act 1914 (Cth) ss 4AA & 4B, Federal Register of Legislation.)
The amendments will come into effect one year after the bill receives Royal Assent, during which time the OAIC will be working with businesses and agencies to prepare for the commencement of the notification system. (Press Release, Timothy Pilgrim, Mandatory Data Breach Notification (Feb. 13, 2017), OAIC website.)