02 May 2013

All signs point to mandatory data breach notification in Australia

Posted by Elisabeth Koster, Amy Gibbs and Paul Kallenbach

It's been reported today that a confidential Exposure Draft Bill for an Australian mandatory data breach notification scheme has been released by the Federal Attorney-General's department to a limited number of key stakeholders.

This news comes in the wake of Commonwealth Attorney-General Mark Dreyfus's comments at this week's launch of Privacy Awareness Week 2013 that he believes there is 'a strong case to move to a mandatory scheme.'

Discussion paper

Former Attorney-General Nicola Roxon released a discussion paper in October last year seeking submissions on whether mandatory data breach notification laws should be introduced in Australia.

The discussion paper was published in response to the Australian Law Reform Commission's 2008 report on the state of the effectiveness of Australian privacy laws, which recommended the introduction of a mandatory breach notification scheme. Our earlier article on the discussion paper can be read here.

Recent developments

On Monday 29 April 2013 at the launch of Privacy Awareness Week 2013, the Attorney-General suggested that mandatory data breach notification laws were on the horizon. Mr Dreyfus said organisations involved in a data breach should inform affected parties in a timely fashion, noting that 'if there continues to be under-reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move towards a mandatory scheme'.

Mr Dreyfus also commented that 'mandatory notification requirements may also act as an incentive for holders of information to secure it'.

The Exposure Draft Bill: what we know

It has since come to light that an Exposure Draft Bill entitled the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 was circulated by the Attorney-General's office to a limited number of key stakeholders this week.

Reports indicate that the following provisions have been included in the Exposure Draft:
  • an organisation must notify the Privacy Commissioner in the event of a 'serious breach'. The notification must outline the nature of the breach, what information was compromised and advise of any remedial steps the affected parties should take;
  • a breach will be considered 'serious' if an organisation fails to take reasonable steps to secure consumer information in accordance with the new Australian Privacy Principles, and if it exposes the affected consumer to a 'real risk of serious harm';
  • an organisation must also notify the affected consumers of the breach. Additionally, the Privacy Commissioner may instruct the organisation to post a public statement to its website and inform media outlets of the breach; and
  • the Privacy Commissioner may declare certain organisations as exempt from the new regulations if it is in the public interest to do so.

Although civil pecuniary penalties of up to $1.7 million have been introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 in the event of serious or repeated interferences with privacy by an entity, it is not yet known whether civil pecuniary provisions will be introduced for failure to comply with the new notification requirements.

What next?

Mr Dreyfus commented on Monday that the Government was still engaging in a consultation process in relation to any Australian data breach notification laws.

Although stakeholders will likely be given an opportunity to prepare submissions on the draft legislation once it has been publicly released, it appears clear that mandatory data breach notification may become a reality in the Australian privacy landscape.

We will provide a more detailed analysis of the Exposure Draft Bill once it has been released for public consultation and comment.
