Australia finally gets data breach notification laws at third attempt

At the third time of asking, Australia will have data breach notification laws.

The passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 through the Senate on Monday means Australians will in the near future begin to be alerted of their data being inappropriately accessed.

The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".

"It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified, because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation," the explanatory memorandum for the Bill states.

Notification laws would only apply to companies covered by the Privacy Act, and would exempt intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties from needing to disclose breaches. E-health providers are still subject to the mandatory data breach notification scheme under the My Health Records Act.

Upon a qualifying breach or on reasonable grounds to believe that a serious data breach has occurred, the impacted entity would need to notify the Australian Information Commissioner and affected individuals. In cases where it is not certain a breach has occurred, the entity has 30 days to investigate whether notification is needed.

The new laws are set to come into force either by a proclaimed date, or a year after they receive Royal Assent.

Speaking during the second reading of the Bill, Senator Penny Wong said many Australians would be surprised that companies were not already legally required to inform them when a serious breach occurred, and pointed to the three-year delay that Catch of the Day took to inform its users as an example of why notification is needed.

Australian Greens Senator Scott Ludlam was unsuccessful in moving a motion to have the notification requirements apply to political parties and businesses with turnover of less than AU$3 million.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia's mandatory data-retention laws being implemented.

Under the data-retention laws, approved law-enforcement agencies are able to warrantlessly access two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telecommunication operators.

Two Bills that would have had a similar impact were stranded when Parliament rose for the 2013 and 2016 federal elections.