On 3 December 2015 the Australian Government released an exposure draft of its long-awaited mandatory data breach notification bill (the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015). If passed, the bill would require private sector organisations and Federal government agencies to notify the Federal Privacy Commissioner and affected individuals of serious data breaches.
The exposure draft of the bill, explanatory memorandum, Regulatory Impact Statement and a Discussion Paper are available here. Submissions can be made until 4 March 2016.
The draft bill retains a number of structural similarities to the draft bills previously proposed by the opposition Labor party in 2013 and 2014, and includes a revised formulation of the “real risk of serious harm test” that was recommended by the Australian Law Reform Commission in 2008 and is currently used in the voluntary notification guidelines issued by the Australian Privacy Commissioner. The differences between the draft bill and its predecessors are largely incremental in nature, and do not alter the essential elements of the regime.
There is significant public support for, and broad political consensus on, the introduction of a mandatory notification requirement in Australia. While the timeline for implementing the proposed regime following consultation is not yet finalised, it appears that it is only a matter of time before data breach notification requirements become law in Australia.
WHAT YOU NEED TO KNOW ABOUT THE PROPOSED NOTIFICATION REGIME
Who does it apply to?
- The notification requirement will apply to any entities that are bound by the Australian Privacy Act 1988 (Cth) – this includes Federal Government agencies, and most private sector organisations with an annual turnover that exceeds $3 million.
- Foreign companies that deal directly with Australian consumers, or who process personal information on behalf of Australian businesses, will also be bound by the new requirements (as the Privacy Act has broad extra-territorial application).
- Australian companies that send personal information offshore under APP 8.1 will be responsible for giving notice of breaches committed by the offshore recipients of the information.
What is the trigger for the notification requirement?
- The notification requirement applies where there are “reasonable grounds” to believe that a “serious data breach” has occurred. The bill also allows the Government to prescribe specific categories of data that automatically trigger the notification requirement. None have been prescribed as yet, although the explanatory memorandum contemplates that this power may be used to protect “particularly sensitive information such as health records”.
- A breach is “serious” if it gives rise to a “real risk of serious harm” to the affected individual (based on a range of factors including the sensitivity of the information and whether the information is protected by security measures). The explanatory memorandum contemplates that the Privacy Commissioner will provide further guidelines on interpreting the “real risk of serious harm” test. “Harm” is given a broad definition, and includes physical, psychological, emotional, reputational, economic and financial harm.
- The phrase “reasonable grounds” is not defined in the draft bill, and the explanatory memorandum provides only limited guidance (it notes that reasonable grounds will “vary depending on the circumstances”).
- Where an entity suspects but is not certain that a serious data breach has occurred, the entity has up to 30 days to conduct reasonable investigations to determine whether notification is required.
- It is important to note that the notification obligation and time periods are triggered when the entity “ought reasonably to be aware of” the data breach, or when the entity actually became so aware (whichever occurs first).
Who must be notified?
- Where notification is required, the entity must notify the Privacy Commissioner and take reasonable steps to notify the affected individuals of the following matters:
- the identity and contact details of the entity;
- a description of the breach and the “reasonable grounds” upon which the entity believes the breach occurred;
- the kinds of information involved in the breach; and
- recommended steps for the individual to take in response to the breach.
- If it is not practicable to notify the affected individuals, the entity can satisfy the notification requirement by publishing a statement with the above information on the entity’s website and otherwise taking reasonable steps to publicise the statement.
What are the penalties for non-compliance?
- A failure to notify will expose the entity to the Privacy Commissioner’s existing enforcement powers (including civil penalties of up to $1.7 million for serious or repeated breaches). However, these powers are discretionary and a breach would not automatically trigger specific penalties.
ANALYSIS – IMPROVEMENTS ARE EVIDENT, BUT CHALLENGES STILL REMAIN
One key area of improvement under the new bill is the greater emphasis placed on establishing “reasonable grounds” for determining that a “serious data breach” has occurred before deciding to notify. This is an issue of critical importance, as it marks the line between notifiable and non-notifiable breaches.
Accurate information can be difficult to come by in the immediate aftermath of a data breach incident, and assessments of the scale and severity of a data breach incident often evolve rapidly as new information becomes available.
There are significant potential pitfalls for entities in choosing to notify individuals or publicising information before the entity has the full picture. In light of this, the introduction of an “assessment period” of 30 days to allow the entity to more fully investigate the breach seems sensible.
It’s interesting to note that, under the current drafting, the Commissioner needs to be satisfied that “reasonable grounds” exist before he can assert that the notification obligation applies. It’s not yet entirely clear how the Commissioner will apply this requirement when reviewing an entity’s handling of a data breach incident, given that risk assessments are often conducted under time pressure and with limited information.
The introduction of data breach notification requirements would significantly strengthen Australian privacy laws, and would bring Australia in line with a range of other jurisdictions that have already implemented, or are in the process of implementing, data breach notification laws (such as the EU and certain US states).
The implications for Australian businesses (and foreign businesses conducting business in Australia) are likely to be significant and far-reaching. Australian companies that use off-shore data processing services are particularly likely to be impacted.