With the considerable rise in personal information that is
stored in "the cloud" and the significant increase of
"data breaches" (ie personal information being improperly
accessed, including by inadvertent emails, websites accidentally
open to public viewing, or hacked databases) in recent times, the
issue of mandatory notification has been a hot topic.
The Australian Law Reform Commission (ALRC) argued for mandatory
notification requirements where a data breach would cause a
"real risk of serious harm" in its 2008 review of
Australian privacy law. The ALRC's recommendations included a
system requiring businesses to notify the Privacy Commissioner and
affected persons that specified personal information has been, or
is reasonably believed to have been, acquired by an unauthorised
person. The recommendations also included a civil penalty system to
be enforced by the Privacy Commissioner.
Australian Privacy Commissioner Timothy Pilgrim has stated that
notifications give affected customers an opportunity to reduce the
impact of a security breach by acting quickly and could also
improve public confidence in companies that store personal
The Government's discussion paper, which is seeking
submissions by 23 November 2012, revisits the issues outlined in
the ALRC's recommendations. It recognises that consideration of
a mandatory data breach notification regime is the next stage in
responding to the ALRC's 2008 report.
The discussion paper canvasses the following questions:
Should Australia introduce mandatory data breach notification
Is a change from the current requirements, where voluntary
notification is encouraged, warranted?
What kind of breaches should prompt notification
Who should decide whether notification is necessary?
What should be reported and when?
How should a notification requirement be enforced?
Who should be subject to a mandatory data breach notification
The discussion paper also recognises that if Australia went down
this route and introduced a mandatory data breach notification
scheme, it would not be alone. In fact, a significant number of
international jurisdictions have considered this question and
introduced various measures to implement some form of mandatory
notification scheme. The discussion paper discusses the various
approaches of international jurisdictions to this issue.
In the United States (US), almost all states have data breach
laws and US Congress is considering national proposals. Germany has
adopted breach notification requirements under three different
acts. In the European Union (EU), such requirements are applicable
to telecommunications companies pursuant to the European Commission
Directive on Privacy and Electronic Communications. The EU is
currently considering wider proposals that would cover all sectors.
Russia has also adopted a requirement that data security incidents
be "cured" immediately and, in India, certain
intermediaries must report a "cyber security incident".
Chile has established a general consumer protection requirement. In
Brazil, active consumer protection agencies are generally willing
to pursue actions against global enterprises for data security
breaches. Mexico has also adopted data security breach notification
The effects of mandatory notification in Australia could be far
reaching, depending on the model and specific requirements adopted.
It also isn't clear at this stage how a mandatory notification
scheme would interact with foreign laws, such as the USA
PATRIOT Act, that might apply to a service provider and
require disclosure of data to foreign governments, and that at the
same time prohibit the affected organisation from disclosing the
fact that the information was sought or obtained.
The devastating effects of a data breach, both in terms of cost
and reputation, have hit many high profile organisations in recent
years. Mandatory notification laws could bring to light data
breaches that otherwise may never have been disclosed, increasing
the pressure on companies that collect, store, use or disclose
personal information to ensure that it is adequately protected.
We await with interest for the submissions to the discussion
paper and the Government's next steps in implementing privacy
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Middletons has been awarded a 2012 EOWA Employer of Choice for
Women citation acknowledging our commitment to workplace
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Those types of personal disclosure may still be permitted under the Privacy Act as long as your house is in order.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).