The law on the notification of data breaches in Australia looks set to change. The Privacy Act 1988 does not currently require companies that suffer a data breach to notify the Australian Information Commissioner (“Commissioner”) or affected individuals. While organisations are encouraged to do so by the Commissioner’s Data Breach Notification Guide (2014), and in practice many organisations choose to do so as a matter of good practice and business transparency, notification remains voluntary.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“Bill”) was introduced to the House of Representatives for debate on 19 October 2016. The Bill marks a third attempt by Australia’s legislature to introduce a general data breach notification law. If it passes, the Asia-Pacific region will have five national data breach notification laws of comprehensive application.
The move towards a mandatory data breach notification requirement reflects a global trend. Forty-seven US states have notification requirements. Mandatory notifications will be introduced in the EU as part of the General Data Protection Regulation. In the Asia-Pacific region, India, the Philippines, South Korea and Taiwan all have mandatory data breach notification laws on a more or less comprehensive basis. The developments in Australia reflect growing concerns over cyber security, as reflected in the Telstra Cyber Security Report 2014, which reported that nearly one quarter of businesses surveyed had suffered a security incident in the preceding 12 months, and 60% had in the preceding five years. Meanwhile the average business cost of a breach has been estimated at AU$2.64 million or AU$142 per lost or stolen record (Ponemon Institute, 2016). Reports like these have kept the drive for a mandatory breach notification regime on the legislative agenda in Australia for a number of years now. The Bill will now be debated in Parliament with expectations that it will pass by year end.
Substantive provisions of the Bill
The Bill requires agencies and organisations subject to the Privacy Act 1988 (“APP entities”) to notify the Commissioner and affected individuals in the event of an “eligible data breach”. The Bill also applies to recipients of tax file number information, credit reporting bodies and credit providers.
Importantly, the Bill will not apply to small businesses with a turnover of less than AU$3 million, which account for around 94% of Australian businesses. The Bill will also not apply in respect of breaches that are notifiable under the My Health Records Act 2012.
Eligible data breaches
The notification obligation will arise in respect of “eligible data breaches” which are deemed to occur where:
- there is unauthorised access to or unauthorised disclosure of personal information, or loss of personal information in circumstances where unauthorised access to or disclosure of the information is likely to occur; and
- such access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. The “serious harm” test is based on the standards of a reasonable person.
The notification threshold is similar to the “real risk of serious harm” test applied in the current Data Breach Notification Guide. While this standard is arguably no different from “likely to result in serious harm”, the latter is intended to be more objective since it requires a straightforward probability assessment of whether serious harm is more likely than not to occur.
Serious harm can include financial harm (e.g. fraud), physical harm (e.g. risk to personal safety), psychological harm or reputational harm. According to the Explanatory Memorandum on the Bill, however, the distress or worry caused by unauthorised access, disclosure or loss of data would not trigger the need to notify, unless a reasonable person would consider that the level of that distress or worry constitutes “serious harm”.
The assessment of whether an eligible data breach has occurred is to be undertaken by the APP entity, taking into account a number of matters such as the type and sensitivity of information disclosed, the security measures in place, the persons who have obtained or could obtain the information, and the nature of the harm caused.
The Bill draws a distinction between circumstances where there are (i) reasonable grounds to believe an eligible data breach has occurred (in which case the event is notifiable), and (ii) reasonable grounds to suspect an eligible data breach may have occurred.
Where the APP entity merely suspects that an eligible data breach has occurred, it must carry out a “reasonable and expeditious assessment” within 30 days to determine whether an eligible data breach is likely to have occurred.
Method and timing of notification
The Bill requires notification to be made in writing to the Commissioner “as soon as practicable” after becoming aware of the breach. Affected individuals are to be separately notified or, where this is not practicable, notified by the APP entity issuing a public statement.
There are certain exemptions from the need to notify, the most notable being where the APP entity takes effective remedial action before any serious harm occurs. This exemption can apply in respect of all or some of the information disclosed, accessed or lost. The remedial action must be effective enough that, once it has been taken, a reasonable person would conclude that serious harm is not likely to result from the breach.
Effect of notification
It is important to note that the occurrence of an eligible data breach will not automatically amount to a breach of the law. An APP entity may have complied with all its obligations yet may still have suffered a breach, whether due to human error, a technology glitch, a vendor, or a malicious hack. However, the notification of a data breach is likely to lead to two things: (i) negative publicity; and (ii) scrutiny from the Commissioner (and possibly other regulators) who will want to understand how the breach occurred, whether it could have been avoided, and what the APP entity will be doing to prevent a recurrence.
Failure to notify an eligible data breach would amount to an interference with the privacy of an individual under the Privacy Act. This gives the Commissioner the power to investigate and provide remedies. In serious cases, a civil penalty would be imposed by the court on application by the Information Commissioner. Fines of up to AU$360,000 for individuals and AU$1.8 million for companies may be imposed.
Implications of the Bill
Pressure for a breach notification law was initially applied by the Commissioner in 2013 in response to a new data retention regime requiring telecommunications companies to retain certain customer data for up to two years (and enable law enforcement access to that data). The Bill represents the third attempt to introduce a breach notification law. A number of obligations in the Bill have, in response to industry feedback, been diluted since the publication of a disclosure draft in December 2015, to which the Australian government received forty-seven sets of public comments. For example, the disclosure draft would have required notifications to be made where the APP entity ought reasonably to have been aware of a data breach, in addition to circumstances in which the APP entity has actual knowledge of a breach.
The Bill, if passed, will mark a significant step towards accountability for data handling practices in Australia. However, some critics have raised concerns that the Bill does not go far enough, particularly given that APP entities are required to self-assess not only the seriousness of data breaches, but also the efficacy of their remedial action. While the Government considers the maintenance of a harm threshold necessary to prevent so-called “notification fatigue” (when everything is notified, regardless of how trivial), the threshold could conceivably create a large “grey area” in which it will be possible to justify either outcome. What amounts to “serious harm” will be open to much debate and will no doubt need to be clarified as experience under the new law develops. Courts will need to interpret this in the context of real-life circumstances before this measure can be understood with any degree of certainty.
If the Bill is passed, its provisions will come into force on a fixed date or a year after it receives Royal Assent.
The wider Asia-Pacific landscape
The introduction of a mandatory data breach notification law in Australia will further raise the stakes for data protection compliance in the Asia-Pacific region. Breach notification laws drive better public awareness of compliance failures and generate a step change in terms of reputational risk.
Businesses operating in the region need to evaluate their policies and procedures with a view to ensuring that rising compliance standards can be met, now and in future.