On February 13, 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 completed its passage through both Houses of Parliament, after two previous attempts to establish such a notification obligation had failed.

This means that Australians will need to be notified of serious incidents involving their personal information. However, not every data breach will trigger the notification requirement: the new law is limited to "eligible data breaches", that is, incidents involving personal information where a reasonable person would conclude that the breach is "likely to result in serious harm" to the affected individuals.

What Exactly Is a Data Breach?

A data breach is an incident relevant to data security and data privacy in which personal information is accessed by or disclosed to unauthorised parties, or is lost in circumstances where such access or disclosure is likely. This can happen, for instance, through a hacking attack, the loss of a memory stick, or a stolen smartphone.

Small Businesses Are Exempt

The notification requirement under the Australian Privacy Amendment Bill only applies to entities which are already covered by the Australian Privacy Act. Small businesses with an annual turnover of less than 3 million AUD are therefore exempt, unless the Privacy Act otherwise applies to them (for example, private health service providers or businesses that trade in personal information), as are intelligence agencies and registered political parties.

Notification Requirement

Where an entity has reasonable grounds to believe that an eligible data breach has occurred, it must notify the Australian Information Commissioner (OAIC) as well as the affected individuals as soon as practicable. Where the entity merely suspects that such a breach may have occurred, it has 30 days to carry out a reasonable and expeditious assessment and determine whether or not it must notify. Notification is not required if the entity takes remedial action before any serious harm results, such that a reasonable person would no longer conclude that serious harm is likely.

The new law will enter into force on a date fixed by proclamation or, if no date is proclaimed, 12 months after it receives Royal Assent.

Statement of the Australian Commissioner

Australia’s Information Commissioner and Privacy Commissioner, Timothy Pilgrim, said:
“I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.”

“The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.”

Good Things Come to Those Who Wait

While this is certainly an important step forward in terms of data protection, many Australians may be surprised that companies were not already required by law to inform them of serious incidents concerning their personal information.