This article was written by Charles Davies and Nick Valentine.
On 19 October 2016, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into the Australian Parliament. This is the Federal Government’s latest iteration of the long-anticipated mandatory data breach notification law, which was first attempted in 2013 with the Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill). The 2013 Bill lapsed before passing when Parliament was prorogued before the 2013 election.
In March 2015, the Federal Government renewed its commitment to the introduction of such law, and in December 2015 it released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill) for public submission. Forty-seven public submissions were received on the 2015 Bill before submissions closed 4 March 2016, and this latest draft is the first to be released since that time. We have previously written on the 2013 Bill and the 2015 Bill.
The latest iteration (2016 Bill) is largely similar to the 2015 Bill, but a few notable changes have been made to the draft since the consultation period.
Who is affected? What must they do?
As with the 2015 Bill, the Bill applies to APP entities holding personal information, credit reporting bodies holding credit reporting information, credit providers holding credit eligibility information, and file number recipients holding tax file number information, in each case where those entities are required to keep that information secure under the Privacy Act 1988 (Cth).
The key obligation remains largely the same as in previous iterations of the Bill: an entity that is aware that there are reasonable grounds to believe that there has been an “eligible data breach” of the entity must, as soon as practicable after becoming so aware, prepare a statement setting out a number of matters, provide a copy of that statement to the Privacy Commissioner, and:
- if practicable, provide a copy to each individual to whom the compromised information relates; or
- if practicable, provide a copy to each individual who is at risk from the eligible data breach; or
- if neither of those are practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the content of the statement.
As with the 2015 Bill, failure to comply with this obligation constitutes an interference with the privacy of an individual. Repeated or serious interferences may give rise to a civil penalty of up to 2000 penalty units (or A$1.8 million, for a corporation, at time of writing).
The matters to be included in the statement include the identity or contact details of the entity, a description of the eligible data breach, the kind of information concerned, and recommendations about the steps affected individuals should take in response to the breach. The statement may also include the identity and details of other entities if the entity preparing the statement has reasonable grounds to believe that the breach would be an eligible data breach of those entities as well.
Like the 2015 Bill, the 2016 Bill deems information disclosed by an Australian entity to an overseas recipient to be, in some circumstances, still held by the disclosing entity. That is, the Australian entity disclosing to an offshore recipient may be liable to prepare a notice for an eligible data breach that occurs in respect of the offshore recipient.
There are also a number of exceptions to the disclosure obligation, including where the entity is already required to disclose the breach pursuant to the My Health Records Act 2012 (Cth), or where notification would be inconsistent with a secrecy provision in another law.
Eligible data breaches
The 2016 Bill defines an eligible data breach as where either:
- there is unauthorised access to, or disclosure of, the relevant information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of that information might occur, and if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates.
The 2015 Bill set a somewhat lower threshold test, providing that a data breach may become notifiable if it resulted in a “real risk” of serious harm. The 2015 Bill defined a “real risk” as being a risk that was not a “remote risk”. This may have resulted in a larger number of breaches being notified, even if the likelihood of actual harm resulting from those breaches was low.
The 2016 Bill raises the bar so that notification may only be required if a data breach would be “likely” to result in serious harm. The explanatory memorandum for the 2016 Bill clarifies that “likely” in this context means more probable than not. This is a positive change designed to avoid creating a flood of largely irrelevant notices. The explanatory memorandum explicitly states “It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.”
It’s important to get on the front foot
A new feature of the 2016 Bill is that if unauthorised access, unauthorised disclosure or loss occurs, but:
- the entity takes action in relation to it before any serious harm arises; and
- as a result of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the affected individuals,
then the access, disclosure or loss is deemed to have never been an eligible data breach (of any entity, not just the entity taking action). This highlights the importance of proactive, effective and timely action in response to a data breach.
So what else is new?
The 2016 Bill also added a new obligation: where an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach, but the entity is not yet sure whether the relevant circumstances amount to an actual eligible data breach, the entity must “carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach”, taking all reasonable steps to ensure that the entity completes that review within 30 days of becoming aware of the reasonable grounds for suspicion.
The 2015 Bill contained no positive obligation to investigate. Instead, the obligation to notify under the 2015 Bill was subject to a carve-out where the entity conducted and completed an investigation within 30 days of the date on which it ought reasonably to have been aware that reasonable grounds existed to believe a data breach had occurred, i.e. an objective test. This objective test meant that entities that became aware of a data breach would need to assess when they ought to have first become aware, and many would not be able to take advantage of that carve-out as most data breaches are discovered long after the fact.
The 2016 Bill removes the objective awareness test, which makes it easier to comply with from a practical perspective. As we said previously in our post on the 2015 Bill, wilful blindness is unlikely to be an issue in practice as that would likely be a breach of the entity’s obligations under APP 11.1 (and the equivalent obligations in the Privacy Act in relation to credit reporting information, credit eligibility information, and tax file numbers).
Another key difference between the 2015 Bill and the 2016 Bill is in relation to the matters that are to be considered when determining whether a reasonable person would conclude that a breach is likely to result in serious harm. The 2015 Bill required consideration of whether the compromised information was in a form intelligible to an ordinary person. The explanatory memorandum suggested that an ordinary person would be assumed to have had access to software capable of breaking encryption, so even where the compromised information was encrypted, the entity that suffered the breach may still have been liable.
The 2016 Bill clarifies that the likelihood of persons obtaining the compromised information having both the intent of causing harm and the knowledge required to circumvent those types of security technologies is a relevant factor in considering whether unauthorised access or disclosure would be likely to result in serious harm. Under this new position, the use of encryption and other security technologies or methodologies can significantly reduce the risk that a mere unauthorised access or disclosure of protected information would be an eligible data breach for which notification would be required.
Finally, the 2016 Bill contains an exception to the notification obligation if another entity has issued a notice in respect of the same data breach. Under the 2015 Bill, if an APP entity held personal information about its customers, and that personal information was stored on systems belonging to another APP entity (e.g. a cloud service provider), and the second entity suffered a breach, both of those entities would be required to issue a notice. Under the 2016 Bill, if one APP entity notifies affected individuals and the Privacy Commissioner about an eligible data breach, other entities for whom that same breach would also be an eligible data breach are not obligated to notify – a single notice from any relevant entity is enough.
The 2016 Bill does not go so far as to introduce concepts of a “data controller” and “data processor”, common in many other jurisdictions’ data protection laws. However, from a practical perspective, notices to affected individuals should be sent by data controllers, not the processing companies they may have engaged to perform ‘back-office’ processing tasks.
Where to from here?
This issue has bipartisan support, so like the previous Bills, barring another unexpected development causing the 2016 Bill to lapse, we would expect this Bill to pass Parliament later this year. The impact of the 2016 Bill, if passed, remains to be seen. There is some concern that it may encourage class action litigation against companies that suffer eligible data breaches, as notification may often look like admission of liability. However, even in the USA, which has the greatest incidence of class action litigation, only a small percentage of notified data security breaches lead to class actions.