Mar 82017

Australia’s Long Anticipated Breach Notification Law Passes

Colleen Theresa Brown and Sana Munasifi
, , ,

*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.

Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million  ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.

Companies must “take all reasonable steps” to complete a “reasonable and expeditious” assessment of whether a breach triggers the Bill’s notification requirements within 30 days of becoming aware of a breach. In conducting such an assessment, companies should consider the type and sensitivity of the personal information at issue, security measures that protect the information, the likelihood those measures may be overcome, the identity of the individuals who obtained the information, and the likelihood that these individuals have any intention of causing harm. The Bill’s explanatory memorandum describes serious financial, economic or physical harm as the most likely harm giving rise to the Bill’s notification requirements, but does not exclude serious psychological or emotional harm.

Companies must notify the Commissioner and individuals as soon as practicable after becoming aware of an applicable breach. Notifications must include a description of the breach, the kinds of information concerned, and steps individuals should take in response. According to the Bill’s explanatory memorandum, the Commissioner can initiate investigations and make applications for civil penalties for “serious or repeated interferences with the privacy of an individuals.”

Entities that are not covered by the Privacy Act’s requirements, such as intelligence agencies, political parties, media organizations and small business operators, are also exempt from the Bill’s requirements.

The Bill may take effect on a date set by proclamation, or otherwise if the provisions do not commence before 12 months from the day after the Bill receives the Royal Assent, which is still pending.  It is generally expected that the Bill will become effective in 2018.

 

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Sana Munasifi

smunasifi@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.