After close to five years of work, the Australian government will introduce mandatory data breach notification legislation into parliament, but the laws would be unlikely to take effect until sometime next year if they make it through parliament before the September 14 federal election.
The laws were recommended by the Australian Law Reform Commission as part of a review of the Privacy Act in 2008, but the government did not make any indications that it was moving on the issue until it released a discussion paper in 2012.
Today, Attorney-General Mark Dreyfus said that the legislation requiring business and government agencies to notify the people when a data breach occurs would be introduced into parliament tomorrow.
"The new laws will alert consumers to breaches of their privacy so that they can change passwords, improve security settings, and make other changes as they see fit," he said.
"Some data breaches have exposed the personal information of tens of thousands of Australians. The laws are good for consumers because they protect privacy, and are good for business because they will help create openness and trust."
The Office of the Australian Information Commissioner will need to be notified when breaches occur, and the office will be able to direct businesses and agencies to notify people of data breaches.
Privacy Commissioner Timothy Pilgram said that the laws will give people a much better understanding of the scope of data breaches in Australia.
"In my view, mandatory data breach notification will also lead to better public understanding of the scope and frequency of data breaches, and encourage greater privacy awareness," Pilgrim said.
As ZDNet reported earlier this month, the laws will only apply to companies covered by the Privacy Act, meaning businesses that have AU$3 million or more in turnover a year, as well as political parties, charities, and national security and law enforcement agencies.
Dreyfus said that the Information Commissioner will be able to seek civil penalties for serious or repeated non-compliance with the notification laws, but no amount has been specified. Leaked drafts of the legislation suggest AU$1.7 million in fines for businesses, and AU$340,000 in fines for individuals.
Dreyfus told journalists this afternoon that the laws would not come into effect as soon as the law was passed, but would instead give businesses time to prepare.
"There will be time for them to put procedures in place, and it is not something that is going to require instant notifications," Dreyfus said.
"We're going to look at the appropriate period for the introduction of this legislation."
He suggested that will be March 2014, when the other privacy reforms come into effect.
The government has until the end of June to pass the legislation, as that will be the last time parliament will sit prior to the September election. Dreyfus said that he was confident it could be passed before the election.
"This is a fairly simple piece of legislation, and I'm going to introduce it in the next few days."