As mentioned in our previous
legal update, the Attorney-General's Department has
released an exposure draft of the Australian Government's
promised mandatory data breach notification bill. The
Attorney-General's Department sought comments on an exposure
draft of the Privacy Amendment (Notification of Serious Data
Breaches) Bill 2015 (Cth) (Exposure Bill).
The time for submissions has now closed and the
Attorney-General's Department has published a number of the
non-confidential submissions in relation to the Exposure Bill on

What submissions were made?

The published submissions were made by 45 separate
organisations, agencies and individuals, including:

- industry and consumer groups;
- regulators, government departments and law reform agencies;
- major Australian and international companies.

Many of the submissions raised similar issues, including:

- concerns about the scope or lack of definition of key terms in
  the Exposure Bill, such as 'real risk' and 'serious
- the possibility of 'notification fatigue' arising from
  too many data breach notifications being received by
- as a related issue, the possibility that under the Exposure
  Bill potentially inconsistent multiple notifications of the same
  data breach may be required, which could require notification of a
  data breach by the organisation that collected the personal
  information and also by the cloud service provider whose service
  was the subject of the actual data breach;
- the application of the Exposure Bill to undetected breaches
  that organisations ought reasonably to be aware of; and
- the timing of requirements to notify affected individuals of
  the occurrence of the data breach (including the opportunity to
  consult with the Australian Information Commissioner in relation to

The Attorney-General's Department is likely to take some
time to consider the submissions and may recommend changes to the
Exposure Bill before it is introduced to Federal Parliament. Given
recent forecasts of an early Federal election, it remains to be
seen how a possible election could affect the progress of a bill
through the Federal Parliament.
In the event that a bill is introduced into Parliament but does
not pass through both houses prior to an election, the bill will
lapse on the dissolution of Parliament. This was the fate of the
previous Privacy Amendment (Privacy Alerts) Bill 2013
(Cth) under the former Labor government.
However, notwithstanding a possible early election, there is
every indication that the introduction of a mandatory data breach
notification regime has the support of the major political parties.
We still consider it likely that a bill will be introduced to
Parliament and passed during the course of this year, with the law
to take effect in late 2017.

What should I do?

Accordingly, organisations should continue to be pro-active in
this area and should start preparing for the introduction of
mandatory data breach notification obligations as part of their
overall cyber-risk management strategy.
As part of being able to effectively manage cyber-risk,
organisations will need to have a data breach response plan setting
out what to do if a breach occurs. Many breaches arise from
weaknesses in vendors' systems, rather than organisations'
own systems. It is therefore also important to have a vendor
cyber-risk management framework in place. Our Australian Privacy
and Cyber-risk Team has worked with our colleagues overseas to
develop two fixed price global best practice cyber-risk management
packages to address these issues. Please contact us for further