On 3 December 2015, the Australian Government finally released its exposure draft for the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. Publication of the accompanying discussion paper, which, among other things, compared the proposed scheme with schemes in other jurisdictions, commenced a four-month public consultation period that is set to conclude on 4 March 2016.
The draft bill will apply to entities that are currently bound by the Australian Privacy Principles (APPs) in the Privacy Act 1988. These entities are known as ‘APP entities’, and include most Australian government agencies and private-sector organisations with an annual turnover of AU$3 million (US$2.2 million) and above.
Under the draft bill, a breach is deemed serious if it results in a ‘real risk of serious harm’ to the affected individual. Moreover, according to the published document, a serious data breach would be deemed to have occurred following the loss of any:
- personal information
- credit reporting information
- credit eligibility information
- tax file number information.
Data breach notification is currently only mandatory in the event of unauthorised access to e-health information under the My Health Records Act 2012. The proposed regime therefore demonstrates the Australian Government’s resolution to combat serious data security breaches.
A global survey of in-house lawyers recently revealed that more than one-third of corporate counsel in Australia have experienced a data breach. However, only once breach notification becomes mandatory will the details of breaches be brought to light, so that adverse consequences such as financial loss or identity theft can be avoided.
From a compliance perspective, personal data leakage (such as the leakage of personal contact numbers, credit records or tax file information) should never be neglected, as it can potentially have very serious implications, such as identity theft, illegal trading in personal information, e-fraud and even kidnapping based on personal data obtained through illegal channels. The draft bill therefore aims to enlarge the scope of Australia’s 1988 Privacy Act by strengthening enforcement against companies and government agencies that are held accountable for security loopholes.
Under the draft bill, entities have 30 days to determine whether the notification threshold has been reached. A failure to notify will expose that entity to the Privacy Commissioner’s existing enforcement powers, including civil penalties of up to AU$1.7 million (US$1.22 million) for serious or repeated breaches. This means that small and medium enterprises and others can no longer ignore the serious consequences that can result from operational-level information disclosure, as Australian citizens will no longer foot the bill for companies’ wrongdoings.
The new provisions should help entities nationwide realise the seriousness and significance of data security across a range of important areas, such as network security, communications security and personnel security. Furthermore, as the term ‘serious data breaches’ also applies to entities or organisations engaged in offshore information transfer, the new laws should also enhance the ability to monitor that data.
The draft bill is actually not the first time that the Australian Government has sought legislative solutions to the challenge of securing nationwide data compliance – several attempts were previously made by the Labor Party when it was in power in 2013 and 2014, both of which regrettably ended in failure. So it should come as no surprise that the Australian Government is prioritising this issue once again, particularly after the embarrassment of the accidental disclosure of personal details of world leaders at the G20 summit in Brisbane in 2014 by the country’s Department of Immigration.
Comparison with international schemes
Mandatory data breach notification laws apply in the European Union (including in the United Kingdom) and 47 American states (many of which have implemented schemes based to some extent on Californian legislation that commenced in 2003). Canada has also passed a mandatory data breach notification law which is yet to commence.
New Zealand and the United States have announced an intention to introduce mandatory data breach notification laws. For New Zealand, mandatory data breach notification would replace an existing voluntary scheme, while the draft United States legislation would replace the variety of existing state data breach notification laws that apply to private-sector organisations.
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data also state that notice to an authority of a data breach is necessary where there is a significant security breach affecting personal data. The OECD recommends that member countries (including Australia) comply with the Guidelines, but they are not mandatory.
The following table compares the draft Australian bill with existing or proposed mandatory data breach notification schemes in other jurisdictions. In summary, the table shows that the scheme in the draft Australian bill:
- has a higher notification threshold than schemes in many other jurisdictions, in that notification would only be required in serious cases (which would help avoid the risk of individuals experiencing ‘notification fatigue’ and would also help businesses avoid unnecessary administrative costs)
- would be simpler than many actual or proposed schemes in other jurisdictions, in that it does not contain a two-tier scheme (i.e. where some kinds of breaches must only be notified to a regulator, and other kinds to both the regulator and affected individuals)
- would be as flexible as schemes in other jurisdictions which recognise that data breaches involving adequately-encrypted information will pose a lesser risk of harm to affected individuals.
Source: Australian Government Attorney-General’s Department
Implications for the compliance industry
Amending the Privacy Act through the Privacy Amendment (Notification of Serious Data Breaches) Bill marks a tremendous step forward for Australia in terms of privacy protection. The long-awaited bill finally signals the authorities’ resolve to improve the unsatisfactory status quo.
For small and medium enterprises in particular, there is an urgent need to ensure a thorough understanding of the spirit of the proposed law and its gradual implementation through company-wide top-to-bottom supervision.
Compliance training on data breaches should be mandatory for all personnel so they gain better knowledge of how to avoid data breaches at an operational level using contractual provisions, policy development, technology enhancement and proper monitoring systems.
Once a serious breach occurs, enterprises are obligated to take responsive and effective remedial action in accordance with the amended legislation. This constitutes a series of tests for both public bodies and private businesses, which must work out a lawful and satisfactory solution within the ‘golden’ 30 days.
Companies must also conduct due diligence on their third parties, particularly data service providers, to address reputational concerns and liabilities. It is reasonable to expect third parties to have a minimum level of compliance in place.