Australia is getting closer to joining the growing list of countries with a mandatory data breach notification scheme. We are currently witnessing a significant increase in countries debating and/or enacting legislation requiring entities to notify serious data breaches to supervisory authorities and frequently also affected individuals. Businesses need to respond to this trend by implementing incident response plans (ideally on an international scale) and reflecting notification requirements in controller/ processor contracts.
We previously summarised the key legislative proposals, and in this post, we provide a high-level overview of the proposed Australian scheme in its international context.
Who Do The Notification Requirements Apply To?
The mandatory notification provisions will apply to Australian Federal Government agencies, most private sector entities with an annual turnover of more than $3 million and foreign companies that carry on business in Australia.
What Is The Trigger For Notification?
The trigger for notification will be "reasonable grounds" to believe that a "serious data breach" has occurred.
A serious data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information, credit reporting/ credit eligibility information or tax file numbers which results in areal risk of serious harm to the individual to whom the information relates. Whether or not there will be a real risk of serious harm will require a careful assessment of various factors including the sensitivity of the information, whether it is in an intelligible form and who may have accessed or could access it.
Who Has To Be Notified And When?
Entities will be required to notify both the Australian Information Commissioner and affected individuals. As regards the timing, notifications must occur as soon as practicable after the entity becomes aware, or ought reasonably to have become aware, that there are reasonable grounds to believe that there has been a serious data breach. Where an entity suspects a serious data breach may have occurred but is not sure, it has 30 days to conduct an assessment of whether notification is required.
The Australian Proposal In Its International Context
The notification trigger of real risk of serious harm is very similar to the trigger of real risk of significant harm to an individual recently enacted (but yet to come into effect) in Canada. On a global scale, the proposed notification threshold is quite high. For example, in California (which is famed for initiating mandatory breach notification requirements), notice is required for any "breach of the security of the system". Likewise, under the incoming European General Data Protection Regulation, any data breach will need to be notified to authorities unless it is unlikely to result in a risk for the rights and freedoms of individuals.
The requirement to notify as soon as practicable after a serious data breach is suspected coupled with the 30-day assessment period is also reasonably lenient. By comparison, notification in California and most other U.S. States must occur "in the most expedient manner possible and without unreasonable delay". The Canadian laws require notification "as soon as feasible" after it is determined that a breach occurred. In the EU, notification will soon be required “without undue delay and, where feasible, not later than 72 hours after having become aware of a breach”.
It is also noteworthy that the Australian proposal does not differentiate between notifications to authorities and affected individuals. If a reportable breach occurs, both have to be notified. Some jurisdictions take a two-tier approach setting a lower threshold for notification to authorities than for notification to affected individuals.
This is Australia’s second attempt to introduce mandatory data breach notification scheme (after a failed attempt in 2013). It is highly likely to succeed and confirms once again that data breach response management must become a compliance priority for businesses.