Australian data breach notification laws will not be passed in 2015: Brandis

The Australian Attorney-General has ruled out passing data breach notification laws this year, with the government intending only to introduce such legislation.
Written by Chris Duckett, Contributor

Despite the Joint Parliamentary Committee on Intelligence and Security recommending that Australia have data breach notification laws in place before the end of 2015, Australian Attorney-General George Brandis told the Senate on Tuesday that laws would not be passed this year.

Responding to questioning from Greens Senator Scott Ludlam, Brandis corrected the record at the end of Senate question time to say data breach legislation would only be introduced to Parliament this year.

"Senator Ludlam, you asked what the government's intentions were in relation to legislation for a mandatory data breach notification scheme, and as I recall, my answer was that the government intends to legislate for such a scheme this year. I should have said the government intends to introduce legislation before the end of this year," Brandis said.

Earlier in the day, Ludlam had called for any data breach notification legislation to be brought forward in light of Parliament having less than 15 sitting days remaining.

"One of the concessions that was made by government is they would introduce mandatory data breach notification laws by the end of the year, so if somebody loses control of your private material, they are obliged to tell you," he said.

"There are only 15 sitting days left in this calendar year, in this parliamentary year, and there is no sign of that bill."

Ludlam said he also expects the data retention window to go beyond the two years currently mandated.

"If it is still this Attorney-General in a couple of years, I fear they will make it work," he said. "My prediction -- they will keep adding agencies, services, types of data. They will ask for five years, not two.

"While we are on the subject of predictions, there will be data breaches, people's lives will be ruined. Whether it be high-profile individuals who have material spilt into the public domain or the more large-scale data breaches where thousands or millions of people's material is accessed.

"It is a disaster waiting to happen."

During question time, Brandis also said that the AU$131 million set aside for implementing data retention systems to store all Australians' telecommunications data for two years for warrantless access by law enforcement would favour small businesses.

"The outlay of that AU$131 million has been structured so that it is directed, in particular, to the smaller ISPs, to small businesses, because we acknowledge that the burden on smaller businesses, particularly in relation to their cash flows of compliance with these obligations will fall more heavily, proportionally more heavily, than upon big business," the Attorney-General said.

"That is, in the government's judgment, a reasonable contribution to those costs."

Last month, Internet Australia had warned that the cost of implementing data retention systems could send small ISPs to the wall.

"[There is a] very real prospect of ISPs going out of business if they are not adequately reimbursed for the costs of implementation and the ongoing operating costs incurred in complying with this questionable law," Internet Australia CEO Laurie Patton said at the time.

"There is a risk that some, perhaps many, of the smaller ISPs will simply go out of business as a result of this new law. This is especially unfortunate for rural internet consumers who rely on local ISPs because they offer a specialised and personalised service."

Brandis' intent to target SMBs is unlikely to be welcomed by Telstra, which said that it would be looking to recover its costs as well.

"We're very conscious of regulatory costs incurred, and will absolutely recover them as we can," Telstra chairman Catherine Livingstone said at the company's annual general meeting on Tuesday.

Livingstone revealed that Telstra has had its plans for its data retention implementation approved.

"We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government," she said.

"We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred."

Under the data-retention laws passed in March, all customer call records, location information, IP addresses, billing information, and other data will be stored for two years, accessible without a warrant by law-enforcement agencies.

In February, the Joint Parliamentary Committee on Intelligence and Security report recommended data breach notification be in place prior to a data retention scheme taking effect.

"The Committee considers that a mandatory data breach notification scheme would provide a strong incentive for service providers to implement robust security measures to protect data retained under the data retention regime," the report said.
