Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
March 31 — Negative comments about a draft data breach notification bill proposed by the Australian government—as well as a pending federal election—may delay consideration of the legislation, but it appears inevitable that the country will adopt mandatory breach notice at some point.
Provisions in a draft Australian bill that would introduce a mandatory requirement to notify individuals of certain data breaches have been widely criticized for not restricting the proposed obligation to data controllers, according to public comments submitted on the draft bill.
Many companies and industry groups said that imposing the obligation on entities, such as contractors and cloud service providers, rather than restricting it to data controllers, would be confusing and impractical. Comments also presented different views on exactly what changes would make the bill more consistent with best practices and with other mandatory notification regimes around the world.
But Australian Privacy Commissioner Timothy Pilgrim gives the draft bill his full backing in his submission, stating that existing voluntary arrangements aren't adequate.
Although the various submissions will inevitably influence the design of any bill ultimately introduced to Parliament, this year's federal election—which could occur as early as July—is also likely to have a significant impact. Given that a final version of the bill has yet to be introduced, the chances of its passage through Parliament ahead of the election are starting to fade. If the existing Liberal-National Party coalition is returned to office, as polls currently predict, then any mandatory breach notification regime could be less stringent than if the opposition Labor Party is victorious.
However, regardless of which party wins the election, there is a widespread realization that eventually some sort of a mandatory notification regime is likely. That's partly because the current government agreed to introduce it as a trade-off in parliamentary negotiations on metadata storage legislation and also because the main opposition party has long supported it.
The draft bill was released in December 2015 and was open for public comment until March 4.
The draft Australian bill has a higher notification threshold than those in many other jurisdictions—notifying affected individuals and the data protection regulator would only be required where there is a “real risk of serious harm.”
However, the bill defines serious harm broadly so that it can potentially include psychological, emotional and reputational damage, with the decision to be based on either an assessment process as specified in the bill or in accordance with provisions in supporting regulations that are yet to be released.
In an attempt to capture organizations that might try to sidestep notification obligations by denying they were aware of a breach, the bill imposes the obligation to notify on both organizations that actually become aware of a breach and those that “ought reasonably to be aware” of one.
If a breach does occur, an organization would have 30 days to prepare a statement describing the breach, the kind of information involved and “recommendations about the steps that individuals should take in response.”
The Digital Industry Group Incorporated (DIGI), which has members including Google Inc., Twitter Inc., Facebook Inc. and Yahoo! Inc., was lukewarm on the need for a mandatory regime, describing the current voluntary arrangements as having been “put to good use.”
Meanwhile, the Software Alliance (BSA) advocated for notification to a regulator unless the breach is unlikely to result in a risk to rights and freedoms, augmented by a more restricted obligation to also notify individuals in serious cases.
The Communications Alliance, which represents the telecommunications industry, recommended that the bill be limited to computerized data, “as is the case for most U.S. data breach notification laws,” rather than to all data formats.
The Communications Alliance also advocated for a dual notification regime, in which all serious breaches would require notification of the affected individuals, but only breaches affecting a threshold number of individuals would have to be reported to the regulator.
The Australian Law Reform Commission, a government advisory agency that in 2008 recommended that Australia implement mandatory data breach notification, welcomed the bill in its submission but suggested that the Privacy Commissioner have a “broad discretion” to waive the notification requirement if he or she considers that it wouldn't be in the public interest to notify.
The Law Council of Australia, which represents the legal profession, suggested that the bill's remit be narrowed to personal information only and, like the BSA, said regulations shouldn't be used to partially specify what constitutes information that might be implicated in a serious data breach.
It also recommended that notifying the Commissioner of a breach shouldn't constitute an admission of liability and that the definition of harm be more closely aligned with the Privacy Act.
Like the BSA, the Council recommended narrowing the reference to organizations that “ought reasonably be aware” of a breach, or removing it altogether.
To contact the reporter on this story: Murray Griffin in Melbourne
To contact the editor responsible for this story: Jimmy H. Koo
The draft bill and submissions are available at https://www.ag.gov.au/Consultations/Pages/serious-data-breach-notification.aspx.