It's a scenario that feels like it could use a Ron Howard voiceover: Australia is making a third attempt at passing data breach notification laws, after previous attempts were stranded in the Senate under both Labor and Coalition governments.
The country is currently without data breach notification laws, despite the Joint Parliamentary Committee on Intelligence and Security recommending in February 2015 that Australia have breach notification laws in place before the end of 2015, prior to the implementation phase of the mandatory data-retention laws.
Under the data-retention scheme, which is already in operation, approved law-enforcement agencies are able to access, without a warrant, two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.
The laws being introduced this time around are similar to those drafted in 2015, in that a notification would only need to occur for incidents involving personal information, credit card information, credit eligibility, or tax file number information that would put individuals at "real risk of serious harm".
"It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation," the explanatory memorandum said.
The notification laws would apply only to entities covered by the Privacy Act, and would exempt intelligence agencies, small businesses with turnover of less than AU$3 million, and political parties from needing to disclose breaches. E-health providers remain subject to the separate mandatory data breach notification scheme under the My Health Records Act.
Those covered by the laws will need to notify the Australian Information Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred. If it is not certain that a breach has occurred, the affected entity has 30 days to investigate whether notification is needed.
For non-compliance with the laws, the Information Commissioner would be able to initiate investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
"This Bill will improve the privacy and protection of Australians in the event of a data breach without placing an unreasonable regulatory burden on business," Justice Minister Michael Keenan said on Wednesday.
"The extensive consultation undertaken in developing the Bill will ensure that the Bill's mandatory data breach notification scheme is both workable and effective."
Shadow Attorney-General Mark Dreyfus said during the recent election campaign that an incoming Labor government would have introduced the laws as soon as practicable, with the expectation of Coalition support.
"Mandatory data breach legislation was a Labor commitment, and it is one that we maintain," Dreyfus told ZDNet in April.
The laws will come into force on a date fixed by proclamation or, failing that, a year after they receive Royal Assent.