By George Lynch
U.S.-based multinationals should be in good shape to comply with Australia’s data breach notification law taking effect Feb. 22, privacy professionals told Bloomberg Law.
Australia’s long-awaited mandatory data breach notification law—the Privacy Amendment (Notifiable Data Breaches) Act 2017—replaces a voluntary breach notice law. U.S. companies are well-positioned because they have been dealing with their own federal, state, and sector-specific mandatory breach notice laws for decades, privacy pros said.
U.S. companies with good compliance practices at home shouldn’t struggle with the new Australian requirements, Malcolm Crompton, lead privacy advisor at Information Integrity Solutions Pty Ltd. in Melbourne, and Australian privacy commissioner from 1999-2004, told Bloomberg Law.
Those that have been getting ready for the European Union’s new privacy regime, the General Data Protection Regulation, should also have a leg up on compliance.
“As a rule of thumb, if you’re GDPR-compliant you’ll be 90 percent of the way there for Australia,” Alec Christie, a data protection partner at EY in Sydney, told Bloomberg Law. The GDPR takes effect May 25, and U.S. companies may want to prepare for the two new laws at the same time, he said.
Still, U.S. companies’ familiarity with the concept of breach notice doesn’t remove the need to conduct a compliance review for the new Australian law.
U.S. companies shouldn’t assume U.S. and Australian laws are the same, or that their existing policies and procedures are sufficient for Australian compliance, Leah Wickman, a privacy associate at Allens in Melbourne, told Bloomberg Law.
The Australian law claims extraterritorial reach, so U.S. companies linked to the country through the receipt of personal data of Australian citizens must report breaches that are “likely to result in serious harm” to the Office of the Australian Information Commissioner (OAIC) and affected individuals. Notice must be made “as soon as practicable” but no later than 30 days after discovering the breach.
The law covers all companies, Australian government agencies, and nonprofit organizations with income of at least A$3 million ($2.36 million).
The risk-of-harm threshold that triggers the notice obligation, "likely to result in serious harm," may prove problematic in practice.
The new law cites general factors to consider when deciding if potential harm is serious, including the sensitivity of the information breached, the type of person who might gain access to the information, and the nature of the harm that may result from a breach. But the terms “likely,” “serious,” and “harm” don’t have clear meanings in Australian privacy law.
Deciding when notice is necessary is very difficult, Christie said, but that isn’t an excuse for not being prepared. When a breach occurs, companies should look at what data was compromised, who was affected, and who received the data—and then determine whether a reasonable person would determine that serious harm could occur, he said.
When notice is required should become clearer as the privacy office and courts address the issue.
The privacy office will likely dedicate its limited resources to enforcing the breach notification law as a way of establishing its own credibility and that of the new law, Crompton said.
It is unlikely that the OAIC will come out with a big enforcement effort right off the bat, Christie said. The office will probably be relatively lenient for roughly the first 12 months, as long as companies are making good faith efforts to comply, he said.
In any event, there will be a new privacy chief in charge when the new law takes effect. Timothy Pilgrim, Australia’s information commissioner and privacy commissioner, announced Feb. 20 that he will retire effective March 24, after serving more than 20 years in Australia’s privacy office.
To contact the reporter on this story: George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.