Australia Breach Notice Criticism May Delay Bill

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Murray Griffin

March 31 — Negative comments about a draft data breach notification bill proposed by the Australian government—as well as a pending federal election—may delay consideration of the legislation, but it appears inevitable that the country will adopt mandatory breach notice at some point.

Provisions in a draft Australian bill that would introduce a mandatory requirement to notify individuals of certain data breaches have been widely criticized for not restricting the proposed obligation to data controllers, according to public comments submitted on the draft bill.

Many companies and industry groups said that imposing the obligation on entities, such as contractors and cloud service providers, rather than restricting it to data controllers, would be confusing and impractical. Comments also presented different views on exactly what changes would make the bill more consistent with best practices and with other mandatory notification regimes around the world.

But Australian Privacy Commissioner Timothy Pilgrim gives the draft bill his full backing in his submission, stating that existing voluntary arrangements aren't adequate.

Although the various submissions will inevitably influence the design of any bill ultimately introduced to Parliament, this year's federal election—which could occur as early as July—is also likely to have a significant impact. Given that a final version of the bill has yet to be introduced, the chances of its passage through Parliament ahead of the election are starting to fade. If the existing Liberal-National Party coalition is returned to office, as polls currently predict, then any mandatory breach notification regime could be less stringent than if the opposition Labor Party is victorious.

However, regardless of which party wins the election, there is a widespread realization that eventually some sort of a mandatory notification regime is likely. That's partly because the current government agreed to introduce it as a trade-off in parliamentary negotiations on metadata storage legislation and also because the main opposition party has long supported it.

Risk of Harm Threshold

The draft bill was released in December 2015 and was open for public comment until March 4.

The draft Australian bill has a higher notification threshold than those in many other jurisdictions—notifying affected individuals and the data protection regulator would only be required where there is a “real risk of serious harm.”

However, the bill defines serious harm broadly so that it can potentially include psychological, emotional and reputational damage, with the decision to be based on either an assessment process as specified in the bill or in accordance with provisions in supporting regulations that are yet to be released.

In an attempt to capture organizations that might try to sidestep notification obligations by denying they were aware of a breach, the bill imposes the obligation to notify on both organizations that actually become aware of a breach and those that “ought reasonably to be aware” of one.

If a breach does occur, an organization would have 30 days to prepare a statement describing the breach, the kind of information involved and “recommendations about the steps that individuals should take in response.”

Digital Sector Submissions

The Digital Industry Group Incorporated (DIGI), which has members including Google Inc., Twitter Inc., Facebook Inc. and Yahoo! Inc., was lukewarm on the need for a mandatory regime, describing the current voluntary arrangements as having been “put to good use.”

Meanwhile, the Software Alliance (BSA) advocated for notification to a regulator unless the breach is unlikely to result in a risk to rights and freedoms, augmented by a more restricted obligation to also notify individuals in serious cases.

The Communications Alliance, which represents the telecommunications industry, recommended that the bill be limited to computerized data, “as is the case for most U.S. data breach notification laws,” rather than to all data formats.

The Communications Alliance also advocated for a dual notification regime, in which all breaches that are serious would require notification of individuals, but only those that affect a threshold number of individuals be notified to the regulator.

The Australian Law Reform Commission, a government advisory agency that in 2008 recommended that Australia implement mandatory data breach notification, welcomed the bill in its submission but suggested that the Privacy Commissioner have a “broad discretion” to waive the notification requirement if he or she considers that it wouldn't be in the public interest to notify.

The Law Council of Australia, which represents the legal profession, suggested that the bill's remit be narrowed to personal information only and, like the BSA, said regulations shouldn't be used to partially specify what constitutes information that might be implicated in a serious data breach.

It also recommended that notifying the Commissioner of a breach shouldn't constitute an admission of liability and that the definition of harm be more closely aligned with the Privacy Act.

Like the BSA, the Council recommended narrowing the reference to organizations that “ought reasonably be aware” of a breach, or removing it altogether.

To contact the reporter on this story: Murray Griffin in Melbourne at

To contact the editor responsible for this story: Jimmy H. Koo at
