Volume: 14 Issue: 2
The Parliament of Australia passed, on 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 ('the Act'), which amends the Privacy Act 1988 to create provisions requiring mandatory data breach notification by the agencies, organisations and other entities it regulates. Notably, the Act does not apply to breaches that may result in a real risk of serious harm; instead, the notification requirement is cast in relation to eligible breaches that are likely to result in serious harm.
Alec Christie, Partner at EY, said, “The introduction of a reasonable person test […] will cause confusion and will require entities to obtain legal advice on how it relates to their particular circumstances. One of the downsides for Australian entities […] is that data breaches become significantly more public and complaints increase as awareness rises. In Australia, the use of representative complaint mechanisms will also increase, driving an expansion in privacy disputes and enforcement activity, leading to greater costs and higher stakes.”
Other key aspects include an exemption from notification where remedial action has been or is being taken, and a 30-day grace period to assess whether an eligible data breach has occurred, but only where an entity is reasonably aware of a suspected breach.