A number of important things have happened in privacy law in the last month or so.  Here's a quick update in case you missed them during the holiday season.

  1. Mandatory data breach notification is coming

The Commonwealth Government has issued an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.

The Bill would amend the Privacy Act 1988 to require notification to the Privacy Commissioner and the affected individuals if an entity subject to the Privacy Act experiences a "serious data breach" – i.e. a breach that results in a "real risk of serious harm" to any affected individual. 

A non-exhaustive list of factors must be considered when determining if there is a real risk of serious harm, including whether the information is protected by security measures (such as encryption) and the steps the entity has taken or will take to mitigate the harm.  "Harm" can include emotional harm and harm to reputation as well as economic harm. 

The Government's intention is that the mandatory notification regime would commence 12 months after the Bill receives royal assent.

Submissions on the draft Bill can be made until 4 March 2016.

  1. AAT decision narrows the definition of "personal information"

The Commonwealth Privacy Commissioner created a stir in May last year when he determined that certain metadata Telstra held about an individual (journalist Ben Grubb) was "personal information" which Telstra therefore had to provide to Mr Grubb on request – see our article here.

Telstra appealed the determination to the Administrative Appeals Tribunal of Australia.  This was an independent merits review of the Privacy Commissioner's determination.

The metadata in question was generated by Telstra's systems and included mobile network location information about Mr Grubb's phone (even when not engaged in a call) as well as data about mobile network cells through which calls to or from him were sent.

The AAT held on 18 December 2015 that this metadata was not "about" Mr Grubb but was about the way in which Telstra delivers calls or messages.  It therefore was not "personal information" since a key element of the definition of "personal information" is that the information is "about" an individual.  The AAT applied a simple, common-sense approach: is the information about an individual, or about something else?  In this case the metadata was information about the services Telstra provided to Mr Grubb, but not about him.

While this matter relates to a now-superseded definition of "personal information" in the Privacy Act 1988, it sheds important light on the way the current definition is likely to be interpreted.  It will help to calm perceptions that "personal information" had become too broad a concept.

Note that legislative changes in relation to mandatory metadata retention by telecommunications and internet service providers, which took effect in October 2015 and were not applicable to the Grubb case, broaden the definition of "personal information" in relation to the metadata that is required to be retained.  If that legislative regime had applied, it is possible the AAT would have come to a different decision.

  1. European privacy laws to be strengthened

Progress continues to be made in Europe towards the implementation of the EU General Data Protection Regulation.  An "informal text" of the Regulation, published on 17 December 2015, would significantly strengthen privacy protections for individuals.  For example, it includes the following requirements:

  • most data breaches will be required to be reported to the relevant regulator within 72 hours after the affected entity becomes aware of the breach;
  • if the breach presents a "high risk to the rights and freedoms of individuals" the breach must also be notified to the individuals;
  • individuals will have the right to opt out of the use of their personal information for direct marketing;
  • individuals will have a "right to be forgotten", i.e. the right to ask entities to delete information about them; and
  • fines for breach will be up to €20 million or in some cases, up to 4% of a company's annual worldwide turnover.  These potentially massive fines are presumably intended to ensure that privacy compliance is taken very seriously!

The Regulation still needs to be voted upon by the European Parliament in the coming months.Once officially adopted, it will apply in EU member states after two years.

These developments are important because in the medium term, they will likely influence how Australian privacy laws develop.  There will also be a direct impact on Australian entities located outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of such individuals – the Regulation will apply to the information processing activities of such entities.