In brief: The Federal Government, in a surprising and highly significant move for companies in Australia, has committed to enacting a mandatory data breach notification scheme before the end of 2015, which will apply to all Australian companies currently subject to the Privacy Act. The proposal is not limited to telecommunications service providers and will represent a significant new compliance burden and increase the overall cost to companies of handling data security incidents. Partner Gavin Smith, Senior Associate Valeska Bloch and Lawyer Isabelle Guyot report.

HOW DOES IT AFFECT YOU?

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) released its report into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth) (the Data Retention Bill) on 27 February 2015. The Data Retention Bill contains the Government's controversial proposals on the mandatory retention of so-called 'metadata' by telecommunications services providers for two years and has been the subject of much public debate.

The Committee's report recommends a number of amendments to the regime, but also includes a bi-partisan recommendation that the Data Retention Bill should be passed by Parliament. The Federal Attorney-General and Communications Minister have released a swift response to the report supporting all recommendations made by the PJCIS and are calling on the Parliament to pass the Bill.

Assuming the recommendations of the PJCIS are accepted by Parliament, all entities subject to the Australian Privacy Principles in the Privacy Act 1988 (Cth) (the Privacy Act) are likely to be made subject to a new mandatory data breach notification scheme.

In addition, telecommunications service providers, which are subject to the Data Retention Bill, will also be subject to certain additional privacy-related requirements to:

  • comply with the Australian Privacy Principles or binding rules developed by the Australian Privacy Commissioner, even if they are not usually bound by the Privacy Act because their turnover is less than $3 million per annum;
  • provide individuals with access to the data retained under the data retention regime; and
  • encrypt data retained for the purposes of the regime.

The latter two requirements will increase the already high overall cost to telecommunications service providers of implementing the Government's data retention scheme.

BACKGROUND

In October 2014, the Federal Government introduced the Data Retention Bill with the aim of preventing the 'further degradation of the investigative capabilities of Australia's law enforcement and national security agencies'1 by requiring telecommunications service providers to retain a specified set of telecommunications data for two years. The Data Retention Bill was referred to the PJCIS on 21 November 2014 for its consideration and the PJCIS report was publicly released on 27 February 2015.2

The report makes 39 recommendations, encompassing amendments to improve oversight of the scheme, prevent scope creep by placing fundamental aspects of the regime into the Data Retention Bill rather than regulation, clarify the scope and operation of the Data Retention Bill, including the content of the proposed data set, restrict access to the data, and implement stricter privacy and security controls. The Government has indicated that it will support all of the PJCIS recommendations.3

Proposals for a mandatory data breach notification scheme have been in discussion since before the Data Retention Bill was announced. The PJCIS recommended in its 2013 Report of the Inquiry into Potential Reforms of Australia's National Security Legislation that any mandatory data retention legislation include a mandatory data breach notification scheme.4 Similarly, during the PJCIS inquiry into the current Data Retention Bill, the Privacy Commissioner, Australian Law Reform Commission and the Law Institute of Victoria, among others, all supported the introduction of a mandatory data breach notification scheme, either specific to the Data Retention Bill or on a broader scale encompassing all entities subject to the Privacy Act.

Conveniently, there is currently a private member's Bill before the Senate. The Privacy Amendment (Privacy Alerts) Bill 2014 (the Privacy Alerts Bill) proposes to amend the Privacy Act to introduce mandatory data breach notification provisions for entities regulated by the Privacy Act. The Privacy Alerts Bill was introduced by Senator Lisa Singh on 20 March 2014, but its passage has since stalled following initial opposition by the Attorney-General's department.

TELECOMMUNICATIONS SERVICE PROVIDERS

In addition to the recommendation to introduce a mandatory data breach notification scheme, the report also recommended other specific privacy and security obligations to be applied to the telecommunications service providers that will be the subject of the data retention regime. These recommendations are aimed at remedying some of the concerns of the public, the Privacy Commissioner and civil liberty groups about the protection of individuals and the associated increased security risks that may arise because of the large amounts of data that will be stored by telecommunications service providers under the scheme.

In particular, the report recommends that the Data Retention Bill be amended to:

  • require all service providers to comply, in respect of retained data, with the Australian Privacy Principles or binding rules developed by the Australian Privacy Commissioner (ie to require compliance from small providers with an annual turnover of less than $3 million that are not currently bound by the Australian Privacy Principles);
  • clarify that individuals have the right to access their personal telecommunications data retained by a service provider under the data regime (consistent with the model applying under the Privacy Act);
  • require service providers to encrypt and secure telecommunications data that has been retained for the purpose of the regime (with standards to be developed by the Implementation Working Group in conjunction with the Communications Access Co-ordinator, although there will also be some flexibility in this obligation, and approaches to encryption may be addressed by service providers through their Data Retention Implementation Plan); and
  • clarify that no customer passwords, PINs or other like information are to be retained under the scheme.

Further, the report recommends that the explanatory memorandum to the Data Retention Bill clarify:

  • the requirements for service providers with regard to retention, de-identification or destruction of data once the two-year retention period has expired; and
  • that web-browsing histories or other destination information, for either incoming or outgoing traffic, are not required to be retained.

The Government has stated that it supports all of the PJCIS recommendations.

NEXT STEPS

Debate on the Data Retention Bill is due to commence in the House of Representatives this week and it now appears that the Data Retention Bill will receive bipartisan support in Parliament. It is thus likely (once amended to reflect the PJCIS recommendations and the Government's response) to be passed in both Houses. The introduction of a mandatory data breach notification scheme that applies across the board, and not specifically limited to the Data Retention Bill, will require amendments to be made to the Privacy Act. This will either see the current Privacy Alerts Bill passed, or separate amending legislation introduced this year.

As a number of legal, privacy and regulatory issues may arise for you and your teams when managing data, we have developed some tips you might find useful: