The Australian legislature recently passed the country’s first data breach notification law after several years of failed attempts. The law, which will apply only to companies with over $2.3 million in annual revenue, will require covered entities to notify the Australian Privacy Commissioner and affected individuals of certain data breaches. The law specifies that it applies when an overseas entity is holding information on behalf of a covered entity.
The law will apply only to what it deems “eligible” breaches, namely those where a reasonable person would conclude that there is likely a risk of “serious harm” to an affected individual after the unauthorized access or disclosure of personal information. An Explanatory Memorandum accompanying the legislation explained that serious harm “could include serious physical, psychological, emotional, economic, and financial harm,” while merely being distressed would be insufficient to constitute an actionable breach. Notice is not required (the incident is not treated as an eligible breach) if the company is able to take action to stop serious harm before it occurs.
The law will be enforced by the Privacy Commissioner, who may seek civil penalties of up to $1.8 million and may require offending companies to take remedial steps. The law is expected to come into effect within the next year, although a precise effective date has not yet been set.
TIP: This new law is a reminder that regulators around the world are increasingly concerned about data breaches impacting their citizens. Multinational companies that operate a global breach notice plan will want to review this new law prior to its implementation to determine its impact on their notice obligations.