Privacy law reform and the new mandatory reporting regime for data breaches: how will it affect you?
The privacy and data protection regulatory landscape in Australia has been revised again with the Royal Assent of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) earlier this year. The new law commences on 22 February 2018.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), like the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) before it, amends the Privacy Act 1988 (Cth), the statute that regulates the handling of personal information about individuals.
What is the significance of the new law?
First, it sets out a mandatory regime for the notification of “eligible data breaches” in respect of certain defined entities. And it has real teeth. An entity can be subject to a civil penalty up to $1.8M in the event of serious or repeated breaches of its notification obligation.
Under the new law, an entity must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of an “eligible data breach” as soon as practicable after the entity becomes aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity.”
An “eligible data breach” is a data breach involving unauthorised access to, or unauthorised disclosure of, personal data, or the loss of personal data in circumstances where unauthorised access or disclosure is likely to occur, where in addition a “reasonable person would conclude that [the breach] would be likely to result in serious harm to any of the [affected individuals]”.
Although the new law provides no definition of “serious harm”, it does provide a non-exhaustive list of factors that may be considered in making that determination e.g. the nature and sensitivity of the personal data; whether the personal data is protected by security measures (e.g. encryption) and the strength of such measures; who has obtained or accessed, or could obtain or access, the personal data; and the nature of the harm to affected individuals.
The explanatory memorandum which accompanies the new law envisages that “serious harm” in respect of an affected individual may include physical, psychological, emotional, economic and financial harm, as well as serious reputational harm.
The new law does provide entities with some margin for manoeuvre to remedy data breaches in certain circumstances where any affected individual has not yet suffered “serious harm”. If the data breach is remedied without any individual suffering or being likely to suffer “serious harm”, the obligation to notify is not triggered.
Once in force, the new law will replace the current voluntary self-reporting regime. An entity will no longer be free to adopt a discretionary and reactive response to a serious data breach: if the breach meets the definition of an “eligible data breach”, it must be reported.
In this reshaped regulatory landscape, an entity needs to be properly prepared for both scenarios: a potential “eligible data breach” that can be remedied before any individual suffers, or is likely to suffer, “serious harm”; and an “eligible data breach” where an individual has suffered, or is likely to suffer, “serious harm”, so that the obligation to notify is triggered.
In any event an entity may adopt a policy of informing an affected individual of any data breach in order to establish and maintain a reputation for transparency, honesty and trust.
Second, the new law will likely raise the public’s awareness of privacy and data protection law, and the relief and remedies available to an individual in the event of a data breach. And as a corollary, this may create a more litigious environment in both a business-to-consumer and business-to-business context.
Litigation may take the form of a claim:
- in contract for damages: for breach of a confidentiality agreement that applies to the data which has been disclosed; for breach of a relevant provision of a service agreement in a business-to-business context; or for breach of a contractual provision precluding the collection of the personal data which is the subject of the data breach in a business-to-consumer context.
- in tort e.g. negligence; it may also lead to the development of a tort for the invasion of privacy, which exists in some other common law jurisdictions.
- in equity e.g. breach of confidence.
- under statute e.g. for a determination by OAIC under s 52 of the Privacy Act 1988 (Cth) that an entity must compensate an individual for loss or damage caused by an interference of privacy, including for injury to the feelings of the individual and humiliation suffered by the individual.
A technology company’s ability to handle, process and store the personal data of its users in a diligent, secure and authorised manner is vital to its reputation and success — trustworthiness provides a competitive advantage. Similarly, this approach is becoming just as vital for established companies in traditional industries that continue to technologically enable their businesses. Serious data breaches have the potential to cause immediate and long-lasting (and even irreparable) reputational damage. News of a data breach – accurate or otherwise – can go viral.
Finally, the enactment of the new law comes at a time when the EU is strengthening its data protection and privacy laws through the EU General Data Protection Regulation (GDPR), which, as a regulation, applies directly in all member states from 25 May 2018 without separate national legislation. The GDPR imposes maximum penalties of 4% of worldwide annual turnover or €20M (whichever is greater) for serious breaches of its core provisions, e.g. processing data without a valid legal basis such as sufficient consent, failing to notify a data breach, or violating its core “privacy by design” requirements. In the United States, 47 States, the District of Columbia and three territories have already implemented mandatory data breach notification regimes.
The new law significantly revises Australia’s privacy and data protection law. It may also act to raise awareness of an individual’s rights, and the possible relief and remedies available — under statute and in contract, tort and equity — if those rights are violated. The nature and extent of that effect will inform the development of this area of the law.
Notes

All entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth) are subject to the new law. Specifically, Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, together with the smaller entities the Act already brings within the Australian Privacy Principles (for example, private health service providers).
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 26WL.
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 26WE.
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 26WG.
Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), para 9.
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 26WF.
See Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report No 123 (2014).
See the discussion in Vidal-Hall v Google Inc [2015] EWCA Civ 311.
Failure to provide notice of an “eligible data breach” under the new law is regarded as such an interference: Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 2.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.
Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), para 66.