Data privacy is a growing area of concern for all companies who have an online presence, with a number of high profile retailers finding themselves the subject of data breaches in recent months. In franchise networks, there is the added complexity of dealing not just with the franchisor's business, but also ensuring that franchisees are complying with any legal obligations that they may have in regard to data privacy. With this in mind, it is important that all franchisors stay abreast of Australia's privacy laws and any changes to those laws.

Noting the above, franchisors should be aware that the legislation dealing with notifiable data breaches (the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill)) was finally introduced into the Senate on 19 October 2016.

There have been some substantial changes made to the Bill since an exposure draft was published by the Attorney-General's Department last year.

Some of the key changes include:

  • a change in terminology, with data breaches that are covered by the Bill now being referred to as "eligible data breaches" rather than "serious data breaches";
  • a change to the notification requirement threshold, with eligible data breaches only covering situations where there is a "likely risk of serious harm" (rather than the previous "real risk of serious harm" wording in the exposure draft);
  • the removal of a requirement to notify data breaches that an entity ought reasonably to have been aware of;
  • the addition of a new exception to cover situations where remedial action is taken by the entity that suffers an eligible data breach, with the effect that a data breach will no longer be considered an eligible data breach (and therefore notification will not be required) if a reasonable person would consider that the remedial action means there is no longer a likely risk of serious harm;
  • amendments to the factors that are stated in the Bill to be relevant to determining whether there is a likely risk of serious harm, including recognition of the use of security technologies in relation to that information; and
  • clarification of when a notification must be given directly to affected individuals (as opposed to publishing it on the entity's website).

While some of the more objectionable elements of the exposure draft have been removed or pared back, overall the substance of the Bill remains broadly similar. Organisations will have an obligation to notify the Privacy Commissioner and affected or at-risk individuals if an eligible data breach occurs. A failure to notify the Privacy Commissioner and affected individuals (including when the entity is directed to do so by the Privacy Commissioner) will be deemed to be an interference with the privacy of the individual(s).

In addition to receiving and determining complaints regarding interferences with privacy, the Privacy Commissioner has the power to seek civil penalty orders for serious interferences with the privacy of individuals or repeated interferences in the privacy of individuals. The maximum amount of the civil penalty that can be awarded by a Federal court is AU$360,000 for individuals or AU$1,800,000 for bodies corporate.

What does this mean for me?

The provisions of the Bill will commence 12 months after the Bill receives royal assent (unless an earlier date for commencement is fixed by proclamation). As the introduction of a mandatory data breach notification scheme has previously had the support of both Labor and the Greens, it is quite possible that the Bill could pass relatively quickly through the Parliament. This would be consistent with the government's previous commitment to introduce and pass the Bill by the end of this year. This could mean that organisations that are subject to the Privacy Act 1988 (Cth) (the Act) would be required to commence notifying any eligible data breaches by the end of 2017.

While this may seem some time away, organisations subject to the Act need to start preparing now. If passed in its current form, the Bill will require organisations to be prepared to respond to a data breach, including the assessment of whether an eligible data breach has occurred and promptly complying with its notification obligations.

I'm subject to the Act - What should I do?

If your organisation is subject to the Act, it is critical to have a data breach response plan setting out what to do if a data breach occurs. For franchise networks, franchisors need their own plan. However, franchisors should also consider whether it is appropriate to develop a plan for broader use across the network, as such issues have the potential to have a significant impact on the whole network.

It is also important to educate your franchisees about cyber risks and steps that they can take to minimise the likelihood of any breaches occurring.

In regard to IT systems, in our experience, many breaches arise from weaknesses in external service providers' IT systems rather than a company's own systems. It is therefore important to have a vendor cyber-risk management framework in place. Norton Rose Fulbright has substantial experience in developing and implementing such frameworks and we are happy to assist with implementing them.

In addition, Norton Rose Fulbright offers a global 24/7 incident response service for cyber-incidents (including data breach and network interruption). As 'breach coach', we work with you to provide a streamlined response by assessing the size and nature of the incident, taking steps to contain it, and co-ordinating our panel of carefully selected third party vendors of remedial and protective services, all the while managing stakeholders' interests and advising on mitigation of potential loss.

So while there is certainly a risk to franchisors and franchisor networks, there are various steps that you can take now to minimise the likelihood that you, and your brand, will be exposed.