On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act.
Who is Subject to the New Legislation?
The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as soon as practicable” when an “eligible data breach” occurs. The notification should include the following information:
- the entity name and contact details;
- a description of the data breach;
- the kinds of information concerned; and
- reasonable recommendations as to steps individuals should take in response to the data breach.
When is the Notification Requirement Triggered?
Under the new bill, a data breach occurs when there is “unauthorized access to, or unauthorized disclosure of, information.” If an entity is aware of “reasonable grounds to suspect” or “believe” that an eligible data breach has occurred, it must “take all reasonable steps” to carry out “a reasonable and expeditious assessment” of whether an eligible data breach has in fact occurred within 30 days of becoming aware of the relevant circumstances.
A data breach is “eligible” if “a reasonable person would conclude that the access or disclosure is likely to result in serious harm” to any of the affected individuals. To be best understood, the phrase “likely to result in serious harm” should be broken down into two parts: “likely to result” and “serious harm.”
Akin to a probability standard, the phrase “likely to result” means that the notification requirement is triggered when serious harm is more likely than not.
As to the meaning of “serious harm” under the new bill, no definition exists under the legislation. However, legislative guidance states that serious harm “could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”
Importantly, the guidance explains that although solely mental or emotional distress at the knowledge of one’s information being shared with unauthorized parties will not usually fall under the “serious harm” category, this conclusion may vary depending on the type of information disclosed. Indeed, disclosure of health or other “sensitive information” (as defined under the Privacy Act) alone could, according to legislative guidance, reasonably cause “serious harm.” When determining the severity of potential harm, entities should focus on the sensitivity of the data, who may be able to access the data as a result of the breach, and the type and extent of potential consequences of the breach.
Exceptions to the Notification Requirement:
The legislation seems to primarily focus on providing individuals adequate information to take remedial steps. As a result, although an eligible data breach of one entity would also be an eligible data breach of other entities that “jointly and simultaneously hold the same particular records of personal information,” (e.g. outsourcing partners, joint venturers), if one of the entities fulfills the notification requirements under the bill, the other entities are also deemed to have fulfilled their obligations.
Other instances in which an entity may be exempt from notifying affected individuals include: if the entity (i) obtains an exemption from the Commissioner or (ii) takes remedial steps before the breach can result in serious harm. In the former instance, the Commissioner may exempt an entity from providing notification of an eligible data breach where the Commissioner “is satisfied that it is reasonable in the circumstances to do so.” Indeed, it may often be the case that there are law enforcement or other investigatory reasons to refrain from notifying individuals that the Commissioner may consider to either delay or exempt entirely the entity’s notification requirements.
What are the Penalties?
Failure to comply with the obligations set forth in the bill is considered an “interference with the privacy of an individual for the purposes of the Privacy Act.” Such interference could trigger the Commissioner’s authority to both investigate and provide recommendations to remedy such non-compliance with the Privacy Act. As a result, the new legislation promotes the use of less severe sanctions such as public apologies, compensation payments, or mandatory compliance regimes before elevating to civil penalties.
Civil penalties of up to AU $360,000 for individuals and AU $1.8 million for organizations (~ US $275,000 and US $1.37 million, respectively) would only arise when an entity has seriously or repeatedly failed to comply with mandatory notification requirements.
The amendments to the Privacy Act will become effective one year after it receives Royal Assent, which typically occurs a week to ten days after Parliament passes a bill.