Australia to go without a working data-breach notification scheme until at least 2017

As the Australian Parliament rose for the year, the Attorney-General's Department released an exposure draft of amendments to the Privacy Act that would create a data-breach notification scheme.

The earliest that Australia will now have a working data-breach notification scheme is set to be sometime in 2017, after the Attorney-General's Department released its exposure draft of amendments to the Privacy Act to create such a scheme.

With consultation open until March next year, the legislative process yet to begin, and any notification scheme set to commence a year after the Bill passes parliament, that would leave Australia without a working data-breach notification scheme until 2017 at the earliest.

In October, Australian Attorney-General George Brandis told the Senate that data-breach notification laws would not be passed this year, but that the legislation would be introduced into Parliament. However, that did not occur.

At the same time, Australia's telecommunications companies are building the systems needed to retain data on their users. The data-retention laws came into force in October, with telcos having 18 months' grace before they would be considered non-compliant.

The Australian data-retention laws allow the nation's approved law-enforcement agencies to warrantlessly access two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.

The Joint Parliamentary Committee on Intelligence and Security recommended in February that Australia have data-breach notification laws in place before the end of 2015, prior to the implementation phase of the data-retention laws.

According to the exposure draft released yesterday, notification would only need to occur for incidents involving personal information, credit card information, credit eligibility, or tax file number information that would put individuals at "real risk of serious harm".

"Serious harm, in this context, includes physical, psychological, emotional, economic, and financial harm, as well as harm to reputation," the draft explanatory memorandum said. "The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.

"It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation."

The scheme would only apply to companies covered by the Privacy Act, and would exempt intelligence agencies and small businesses from needing to disclose breaches.

"Law-enforcement bodies will not be required to notify affected individuals if compliance with this requirement would be likely to prejudice law-enforcement activities," the draft memorandum said.

Under the requirements of the exposure draft, entities would need to notify the Australian Information Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred. If an entity is not certain that a breach has occurred, it has 30 days to investigate whether notification is needed.

A notification would need to contain a description of the data breach, the kinds of information concerned, recommendations about the steps that individuals should take, and the contact details of the breached entity. When communicating the notification, entities would be allowed to use any method of communication that they normally use to communicate with users.

For non-compliance with the laws, the Information Commissioner would be able to initiate investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.

"This approach will permit the use of less severe sanctions before elevating to a civil penalty," the draft memorandum said. "These less severe penalties could include public or personal apologies, compensation payments, or enforceable undertakings.

"A civil penalty would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements. Civil penalties would be imposed by the Federal Court or Federal Circuit Court on application by the commissioner."

All telecommunications service providers that are subject to implementing data retention would also be subject to mandatory data-breach notification, whereas e-health providers would be subject to the mandatory data-breach notification scheme under the My Health Records Act.

Submissions on the draft can be made to the Attorney-General's Department until March 4, 2016.