Australia is a step closer to having a mandatory data breach notification regime, after a bill to create such a scheme today received bipartisan support in the House of Representatives.
The government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in October. The bill has yet to be introduced in the Senate.
Under the bill, if an organisation subject to Privacy Act obligations suffers an “eligible data breach”, it is obliged to notify both the Australian Information Commissioner and individuals whose data was affected by the breach.
Organisations subject to Privacy Act obligations include most Australian government agencies, businesses with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive health data.
An eligible data breach is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.
A 2008 Australian Law Reform Commission review of Australia’s privacy laws recommended the introduction of a mandatory breach notification scheme. Attempts in 2013 and 2014 to introduce a breach notification system failed.
In 2015, in response to a recommendation of a parliamentary inquiry into the bill to create a data retention regime, the government said it would create a mandatory breach notification scheme.
The government originally committed itself to introducing and passing legislation for the scheme before the end of 2015, but it wasn’t until December 2015 that an exposure draft of a bill was released for public comment.
Although privacy advocates have welcomed the proposal, its reception among businesses has been mixed.
Industry groups including the Australian Industry Group (Ai Group), the Association for Data-driven Marketing and Advertising (ADMA) and the Digital Industry Group Incorporated (DIGI), whose members include Google, Twitter, Facebook, Yahoo! and Microsoft, have argued that the existing voluntary notification scheme overseen by the Office of the Australian Information Commissioner is effective.