The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Parliament on 13 February 2017. The Bill is the third attempt by the Australian Parliament to introduce mandatory data breach notification laws into Australia. Our previous commentary on the content of this Bill is available here.
The Bill was supported by both major political parties in the form in which it was introduced to the House of Representatives on 19 October 2016. Senator Scott Ludlam of the Australian Greens proposed a number of amendments to the Bill, but those amendments were not adopted. The substantive provisions of the Bill will come into force on the earlier of a date to be fixed by proclamation or 12 months from the day it receives Royal Assent.
Amongst the political posturing by the major parties was a comment of interest on a different area of Australian privacy law reform. Senator Penny Wong indicated that the Australian Labor Party would not be supporting the Privacy Amendment (Re-identification Offence) Bill 2016. That Bill was announced by the Attorney-General on 28 September 2016, with the intention that, if enacted, it would apply to conduct that occurred on or after the announcement (rather than from the subsequent date on which the legislation is enacted). The re-identification Bill was introduced to the Senate on 12 October 2016.
Given the potential retroactive effect of the re-identification Bill, it would be prudent for organisations regulated by the Privacy Act 1988 (Cth) to act as if that Bill was in force, at least until its political fate in the Senate is clearer. We intend to provide insights into the detail of the re-identification Bill in a forthcoming publication.