New Mandatory Data Breach Laws for Australia – what does it mean to organisations trading in Australia?
Published on 16 Feb, 2017
The Australian senate this week passed new laws that will require businesses and government agencies to notify the Privacy Commissioner and customers if they have experienced a data breach. A copy of the Bill can be found at the following link: http://www.austlii.edu.au/au/legis/cth/bill/padbb2016356/
A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
As to the level of harm that would bring a data breach within the scope of the new legislation: a data breach is an eligible data breach where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
The level at which the notification regime would be triggered was the subject of much debate in Australia. As the Explanatory Memorandum for the legislation stated (see: http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r5747_ems_ed12b5bb-d3b3-4a6a-9536-53bb459a00df/upload_pdf/6000003.pdf;fileType=application%2Fpdf):
“It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.”
The Memorandum goes on to explore “serious harm”:
“Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.”
If an organisation has taken remedial action after a breach that results in a situation where it’s unlikely the incident will result in serious harm to affected individuals, it won’t be required to report the incident.
- Organisations may need to get legal advice to assist in making judgments as to a “likely risk of serious harm” under the new provisions in circumstances where they have been subject to a data breach.
Under the new laws organisations must notify the Privacy Commissioner and affected customers “as soon as practicable” after becoming aware that a data breach has occurred.
- Organisations should seek advice on the content and communication strategy for notifications to the Privacy Commissioner and affected customers.
The new laws will commence on a date to be fixed over the next twelve months.
Small business exception
Australian privacy legislation has a small business exception that, in practice, exempts many Australian businesses from the need to comply with these laws. The laws cover most Australian Government agencies and all private sector and not-for-profit organisations with an annual turnover of more than AU$3 million.
Consequences of breach of the new legislation:
Initially, if the Privacy Commissioner becomes aware that an eligible data breach has occurred and has not been notified, the Commissioner can issue a written direction requiring the organisation to notify of the breach.
The Commissioner may otherwise investigate any interference with the privacy of an individual, whether as a result of a complaint or on his own initiative. After investigating, the Commissioner may make a determination requiring the organisation to take certain steps. The Commissioner may commence court proceedings to enforce the determination.
The Privacy Commissioner may apply to the Federal Court or Federal Circuit Court for a civil penalty order against an organisation of up to $1.8 million where the court finds a serious or repeated interference with privacy.
Mark Vincent is a Principal of Shelston IP Lawyers and advises clients on privacy law and data breach responses. Mark is a Committee Member on the international INTA Data Protection Committee for 2017 and 2018.