This article was originally published in the NSW Law Society Journal and is reproduced here with permission.
Personal information is in essence any information that allows an individual to be personally identified.
The Privacy Act 1988 (Cth) (‘Privacy Act’) regulates the handling of this ‘personal information’ by all Commonwealth public sector agencies; as well as private sector organisations that have an annual turnover of more than $3 million, are health service providers or which otherwise trade in personal information (together, ‘Organisations’). The recent introduction of a mandatory data breach notification regime in Australia has been on the horizon for a number of years.
The road to mandatory data breach notification
In May 2013, the Commonwealth Labor government introduced the Privacy Amendment (Privacy Alerts) Bill 2013 (‘2013 Bill’) to amend the Privacy Act to introduce a mandatory data breach notification regime. Despite the 2013 Bill having bipartisan support, it was not passed before the 2013 federal election and lapsed as a result.
There were then various subsequent attempts to revive the push to amend the Privacy Act and in February 2015, as part of a report into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Parliamentary Joint Committee on Intelligence and Security (‘PJCIS’) recommended the introduction of a new mandatory data breach notification scheme. In March 2015, the government indicated that it would support all of the recommendations made by the PJCIS. In December 2015, the Attorney-General’s Department released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (‘Exposure Draft’) for public comment. It received approximately 45 submissions from industry and consumer groups, regulators, government departments, law reform bodies and major Australian and international companies. Many of the submissions raised similar issues, including concerns about the scope or lack of definition of key terms such as ‘real risk’ and ’serious harm’ and the possibility that multiple breach notices may be required in respect of a single incident.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) was subsequently introduced into the Senate on 19 October 2016. The Bill differs from the Exposure Draft in a number of ways, including some changes to address many of the issues raised in the submissions on the Exposure Draft. The Bill was passed in February this year but will not take effect until 22 February 2018, unless an earlier commencement date is proclaimed.
Mandatory data breach notification obligations under the Bill
The Bill amends the Privacy Act to introduce a new legislative requirement that the Privacy Commissioner and any affected individuals be notified when an ‘eligible data breach’ has occurred. Agencies and Organisations will be required to:
- conduct an assessment of whether an eligible data breach has occurred within 30 days of becoming aware that there are reasonable grounds to suspect that there may have been such a breach (s 26WH)*; and
- if an agency or Organisation is aware that there are reasonable grounds to believe that there has been an eligible data breach (s 26WK(2)), they must prepare a statement that contains the identity and contact details of the agency or Organisation, a description of the eligible data breach, the kinds of information affected and recommendations for affected individuals (s 26WK(3)). The statement must then be provided to the Privacy Commissioner (s 26WK(2)(a)(ii)), and each of the individuals to whom the affected information relates or who is at risk from the eligible data breach must be notified. If it is not practicable to directly notify the affected individuals, then the agency or Organisation must publish the statement on its website.
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by the agency or organisation, or personal information is lost in circumstances where access to, or unauthorised disclosure of, the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (s 26WE(2)).
In assessing whether the access or disclosure would be likely to result in serious harm, the agency or Organisation is required to have regard to a number of factors, including:
- the kinds of information affected and its sensitivity;
- whether a security measure (such as encryption) was applied in relation to that data;
- the likelihood that the security measure could be defeated (including whether the persons who are likely to receive that data have the ability to circumvent the security measure, such as by obtaining or ‘cracking’ the encryption key);
- the nature of the potential harm to affected individuals; and
- any other relevant matters (s 26WG).
However, in cases where remedial action has been taken (such as when an individual who receives a misdirected email or letter agrees to destroy that communication without reading it) and a reasonable person would conclude that the remedial action would mean that the access, disclosure or loss of the information would not be likely to result in serious harm to any affected individuals as a result, then the notification obligations would not apply (s 26WF).
New powers of the Privacy Commissioner
If the Privacy Commissioner is aware that there are reasonable grounds to believe that an eligible data breach has occurred (s 26WR(1)), then it will have the power under the new amendments to require the affected agency or Organisation to make a data breach notification.
The Privacy Commissioner also has the power to declare that an agency or Organisation does not have to comply with these notification obligations and can also extend the time for compliance with the notification obligations (s 26WQ). The Commissioner may make such a declaration on his or her own initiative. The affected agency or Organisation can also apply to the Privacy Commissioner for such a declaration.
The Commissioner must consider the public interest and any relevant advice given by law enforcement or security agencies.
Data held by offshore service providers
The new mandatory data breach notification obligations may also apply where the data which is the subject of the data breach is held by a service provider outside Australia. Australian Privacy Principle 8.1 under the Privacy Act allows personal information to be disclosed outside Australia if the Australian agency or Organisation has taken reasonable steps to ensure the offshore recipient handles that information in accordance with the Privacy Act, such as by entering into a binding contract with the offshore recipient that imposes equivalent privacy obligations on the offshore recipient.
Where an Organisation or agency in Australia has disclosed personal information to an offshore recipient under Australian Privacy Principle 8.1, an eligible data breach that occurs offshore in relation to that transferred personal information is deemed to be an eligible data breach that affects the Organisation or agency in Australia (s 26WC(1)). This provision would potentially apply to Australian agencies or Organisations that hold personal information in cloud computing platforms that are located outside Australia.
Penalty for failure to report a breach
A failure to report an eligible data breach (either when required by the relevant provision of the Privacy Act as amended, or when the agency or Organisation is directed to make a notification by the Privacy Commissioner) will be deemed to be an interference with the privacy of the individuals affected by the eligible data breach (s 13(4A)). This means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner (Privacy Act, s 36).
Where the failure to make a notification of the eligible data breach amounts to a serious or repeated interference with privacy, the Privacy Commissioner has the power to seek civil penalty orders of up to $360,000 in the case of individuals and up to $1.8 million in the case of bodies corporate (ss 80W & 80X).
Possible consequences of the new regime
Privacy compliance and cyber security are likely to become even more critical risk issues for company boards and senior government officials between now and when the Bill comes into effect on 22 February 2018.
Prospect of class actions and representative complaints
There is a very real prospect of class actions being initiated following the occurrence of any notified data breach. This has been the case in the United States following the introduction of data breach notification obligations in most states, where a notification of the occurrence of a data breach is often quickly followed by a class action being filed on behalf of the affected individuals. It is certainly possible Australia will follow down this path with the introduction of mandatory data breach notification laws.
The Privacy Act does contain a representative complaint mechanism that allows an individual to make a representative complaint to the Privacy Commissioner, so it is possible that the new data breach notification obligations could lead to an increase in the number of representative complaints. A representative complaint can be made on behalf of all affected individuals if the class members have complaints against the same entity, the complaints arise out of the same or similar circumstances and the complaints all give rise to a common issue of law or fact. It is not necessary to specify the number of class members or to obtain the consent of the class members before the representative complaint is lodged.
Given that the affected Organisation or agency would have had to identify the affected individuals as part of notifying them of the occurrence of the data breach, formulating a representative complaint or identifying a class of plaintiffs for a class action by reference to the individuals who receive a data breach notification may be a relatively straight forward exercise.
Increased demand for cyber risk insurance
The introduction of mandatory data breach notification obligations may also lead to an increased demand for cyber risk insurance, which is a relatively new type of insurance policy in the Australian market. Depending on the policy, cyber risk insurance may cover ‘first party’ loss or costs for the agency or Organisation (such as legal expenses, forensic IT experts’ costs and any fines or penalties) as well as third party losses and claims.
*This article refers to the relevant section of the Privacy Act as it will be amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), effective from 22 February 2018.