Mandatory data breach notification legislation has finally made its way into Parliament, with Justice Minister, Michael Keenan, introducing the proposed laws into the House of Reps.
If passed into law, the Privacy Amendment (Notifiable Data Breaches) Bill 2016, introduced by Keenan on 19 October, would compel government agencies and businesses operating under the Privacy Act to notify the Australian Information Commissioner and affected individuals of an eligible serious data breach.
According to the Bill’s explanatory memorandum, an eligible data breach is one where there is a likely risk of serious harm to the affected individual or individuals as a result of the unauthorised access to, or disclosure of, data.
When introducing the legislation, Keenan cited some high-profile incidents where the personal information of millions of individuals had been compromised.
“Data breaches in recent years, such as the breach involving the dating website, Ashley Madison, or the US Office of Personnel Management, have demonstrated the potential harm that can result to individuals following the unauthorised access to, or unauthorised disclosure of, personal information,” Keenan said.
“The rationale for mandatory data breach notification is that if an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm.”
The introduction of the Bill follows a lengthy consultation period held by the government, which published an exposure draft of the legislation late last year.
Dozens of stakeholders lodged submissions to the government, including industry heavyweights such as Telstra, which, while broadly supporting the move, made some suggestions regarding the finer details of the draft legislation.
One of Telstra’s recommendations dealt with the draft legislation’s concept that an entity is subject to the notification regime not only when it is aware of a breach, but also in circumstances where it “ought reasonably to be aware”.
“The concept of ‘ought reasonably to have become so aware’ adds complexity to determining when to notify and to the application of the legislation,” said Telstra in its submission.
“In our view, the concept should be removed and reliance should simply be placed on the question of whether an entity that is aware of an issue has sufficiently reasonable grounds to believe there has been a serious data breach.”
The final version of the legislation, as introduced into Parliament by Keenan, instead calls for an entity to provide notification of an eligible data breach if it is “aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity”.
In its current form, the Bill makes provisions for the Commissioner to use existing powers to investigate, make determinations, and provide remedies in relation to non-compliance with the Privacy Act.
“This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy,” the explanatory memorandum stated.
“This approach will permit the use of less severe sanctions before elevating to a civil penalty.
“These less severe penalties could include public or personal apologies, compensation payments or enforceable undertakings.”
There are some exceptions to the proposed rules, however, with the Commissioner able to exempt an entity from providing notification of an eligible data breach where it is deemed appropriate.
The Commissioner can also issue an exemption on application from an entity or on the Commissioner’s own initiative.
Additionally, the explanatory memorandum points out that the legislation is not intended to make every data breach subject to a notification requirement.
“It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation,” it stated.
The proposed laws follow the proposal of similar legislation that was set to be introduced by the former Labor government in 2013, but which ran out of time to be read in Parliament prior to the federal election in September that year.
The new data breach legislation is set to be read a second time at the next sitting day in Canberra.
Meanwhile, recent research by CyberArk has revealed that just 34 per cent of Australians surveyed felt their businesses were completely prepared to handle the government's mandatory breach notification requirements, as they were initially proposed.
Less than half of CyberArk’s survey respondents said they believed the proposed scheme would be good for their organisations as a whole.
At the same time, almost 20 per cent believed there would be a negative impact on their organisations.