U.S. Multinationals in Shape for Aussie Data Breach Notice Law


By George Lynch

U.S.-based multinationals should be in good shape to comply with Australia’s data breach notification law taking effect Feb. 22, privacy professionals told Bloomberg Law.

Australia’s long-awaited mandatory data breach notification law—the Privacy Amendment (Notifiable Data Breaches) Act 2017—replaces a voluntary breach notice law. U.S. companies are well-positioned because they have been dealing with their own federal, state, and sector-specific mandatory breach notice laws for decades, privacy pros said.

U.S. companies with good compliance practices at home shouldn’t struggle with the new Australian requirements, Malcolm Crompton, lead privacy advisor at Information Integrity Solutions Pty Ltd. in Melbourne, and Australian privacy commissioner from 1999-2004, told Bloomberg Law.

Those that have been getting ready for the European Union’s new privacy regime, the General Data Protection Regulation, should also have a leg up on compliance.

“As a rule of thumb, if you’re GDPR-compliant you’ll be 90 percent of the way there for Australia,” Alec Christie, a data protection partner at EY in Sydney, told Bloomberg Law. The GDPR takes effect May 25, and U.S. companies may want to prepare for the two new laws at the same time, he said.

Still, U.S. companies’ familiarity with the concept of breach notice doesn’t remove the need to conduct a compliance review for the new Australian law.

U.S. companies shouldn’t assume U.S. and Australian laws are the same, or that their existing policies and procedures are sufficient for Australian compliance, Leah Wickman, a privacy associate at Allens in Melbourne, told Bloomberg Law.

Following Aussie Rules

The Australian law claims extraterritorial reach, so U.S. companies linked to the country through the receipt of personal data of Australian citizens must report breaches that are “likely to result in serious harm” to the Office of the Australian Information Commissioner (OAIC) and affected individuals. Notice must be made “as soon as practicable” but no later than 30 days after discovering the breach.

The law covers all companies, Australian government agencies, and nonprofit organizations with income of at least A$3 million ($2.36 million).

Setting the trigger for breach notice at a risk-of-harm threshold of “likely to result in serious harm” may be problematic.

The new law cites general factors to consider when deciding if potential harm is serious, including the sensitivity of the information breached, the type of person who might gain access to the information, and the nature of the harm that may result from a breach. But the terms “likely,” “serious,” and “harm” don’t have clear meanings in Australian privacy law.

Deciding when notice is necessary is very difficult, Christie said, but that isn’t an excuse for not being prepared. When a breach occurs, companies should look at what data was compromised, who was affected, and who received the data—and then determine whether a reasonable person would determine that serious harm could occur, he said.

When notice is required should become clearer as the privacy office and courts address the issue.

Enforcement Prospects

The privacy office will likely dedicate its limited resources to enforcing the breach notification law as a way of establishing its credibility and that of the new law, Crompton said.

It is unlikely that the OAIC will come out with a big enforcement effort right off the bat, Christie said. The office will probably be relatively lenient for roughly the first 12 months, as long as companies are making good faith efforts to comply, he said.

In any event, there will be a new privacy chief in charge when the new law takes effect. Timothy Pilgrim, Australia’s information commissioner and privacy commissioner, announced Feb. 20 that he will retire effective March 24, after serving more than 20 years in Australia’s privacy office.

To contact the reporter on this story: George Lynch in Washington at glynch@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
