On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take effect on February 22, 2018 if no earlier date is proclaimed.
The new law introduces a data breach notification scheme that obligates all agencies and businesses that are regulated by the Privacy Act to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are “likely” to result in “serious harm.”
An explanatory memorandum accompanying the law indicates that “serious harm” is “likely” if it is more probable than not, and lists factors to consider when making the determination, such as the sensitivity of the information involved, whether the information was protected, who may have obtained the information, and the nature of the harm that could result. Although “serious harm” is not defined, the explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that reasonably could result from the breach.
A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to AU$360,000 (about US$274,560) for individuals or AU$1.8 million (about US$1.37 million) for organizations.
Prior to the passage of this bill, the OAIC had a voluntary breach notification system in place and had published a best practice guide that will be updated prior to implementation of the mandatory notification requirement. According to a statement issued by Australian Privacy and Information Commissioner Timothy Pilgrim, from 2015 to 2016 the OAIC received 107 voluntary data breach notifications.