ARTICLE
16 March 2017

Australia's New Breach Notification Law Set To Take Effect February 2018

BakerHostetler

Contributor
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of "eligible" data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia's Privacy Act 1988 and is slated to take effect on February 22, 2018 if no earlier date is proclaimed.

The new law introduces a data breach notification scheme that obligates all agencies and businesses that are regulated by the Privacy Act to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are "likely" to result in "serious harm."

An explanatory memorandum accompanying the law indicates that "serious harm" is "likely" if it is more probable than not, and lists factors to consider when making the determination, such as the sensitivity of the information involved, whether the information was protected, who may have obtained the information, and the nature of the harm that could result. Although "serious harm" is not defined, the explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that reasonably could result from the breach.

A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to AU$360,000 (about US$274,560) for individuals or AU$1.8 million (about US$1.37 million) for organizations.

Prior to the passage of this bill, the OAIC had a voluntary breach notification system in place and had published a best practice guide that will be updated prior to implementation of the mandatory notification requirement. According to a statement issued by Australian Privacy and Information Commissioner Timothy Pilgrim, from 2015 to 2016 the OAIC received 107 voluntary data breach notifications.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
