The latest iteration of the long-awaited mandatory data breach
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (PA Act) was passed on 13 February 2017 and assented to on 22 February 2017. It is the latest iteration of the long-awaited mandatory data breach notification law, which was first floated in 2013 as the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) but lapsed when Parliament was prorogued before the federal election that same year.
In 2015, the Commonwealth Government released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill) for public submissions, which closed on 4 March 2016. The bill that became the PA Act, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (PA Bill), is similar to the 2015 exposure draft but contains some notable changes, including:
Unauthorised access, disclosure or loss is not an eligible data breach where the entity takes action before any serious harm arises and, as a result, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the affected persons.
The matters to be considered when determining whether a reasonable person would conclude that a breach is likely to result in serious harm. Under the PA Bill, a relevant factor is the likelihood that the persons who obtain the compromised information have the intent to cause harm and the knowledge required to circumvent any security technologies protecting it. In practice, this means that the strength of the encryption or other protections applied to the data, and whether whoever holds it could realistically defeat them, bears directly on whether a breach is notifiable. This contrasts with the 2015 Bill, which required consideration of whether the compromised information was in a form intelligible to an ordinary person.
Raising the threshold for when a data breach becomes notifiable to situations where the breach would be likely to result in serious harm, that is, where serious harm is more probable than not. The 2015 Bill provided that a data breach would become notifiable if it resulted in a real risk of serious harm (defined as a risk that was not a remote risk). That lower threshold would potentially have resulted in a larger number of notifications, even where the risk of actual harm was relatively low. The PA Bill's explanatory memorandum makes it clear that the legislation does not intend for every data breach to be subject to a notification requirement, or for minor breaches to be notified, due to the risk of, among other things,
The amendments will come into effect 12 months after assent (that is, by 22 February 2018) or on an earlier date fixed by Proclamation, so it is possible they could take effect sometime in 2017.
The amendments will require organisations to review their privacy and compliance programs, including how eligible data breaches are identified and who is responsible for investigating them, and to review third-party processing and storage arrangements and service contracts to ensure compliance with the reforms.
Failing to comply with the reforms could expose individuals to fines of up to $360,000, and organisations to fines of up to $1.8 million. It follows that those bound by the Privacy Act 1988 (Cth) should begin working on compliance strategies sooner rather than later.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.