Privacy or data protection laws have become more stringent in recent years in response to concerns over the use of personal information. Personal information is information relating to an individual; hence, information such as company names or company switchboard numbers are not protected by privacy law.
Consequence for failing to comply
In Australia, the Notifiable Data Breaches (NDB) Scheme has significantly increased the level of fines that the Office of the Australian Information Commissioner (OAIC) can impose for breaches that are likely to result in serious harm – such a breach could now result in fines of up to $2.1 million for businesses or $420,000 for individuals.
In Europe, the General Data Protection Regulation (GDPR) also has serious financial consequences for non-compliance: failure to comply with the GDPR could result in sanctions of 4% of global turnover or 20 million euros (whichever is higher).
It would be a mistake to think the GDPR can’t be enforced in Australia, as the OAIC has committed to cooperate internationally with regard to privacy regulation. Hence, the OAIC will likely cooperate with and assist the EU Commission and other supervisory authorities to enforce the GDPR in Australia.
Privacy Laws in Australia
In Australia, changes were made to the federal Privacy Act 1988 (Cth), which commenced on 22 February 2018. These changes created the NDB scheme, which imposes notification obligations whenever (a) personal information has been disclosed or lost, (b) such loss is deemed reasonably likely to result in serious harm to the affected individual (such harm may be psychological, emotional, physical, reputational, or another form of harm), and (c) such harm has not been prevented.
The NDB scheme requires that holders of personal information must notify any individuals affected by the breach and the Australian Information Commissioner once it becomes reasonably known that an eligible data breach has occurred. An eligible data breach may arise when there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals to whom the information relates, and the likely risk of serious harm has not been prevented through remedial action.
No period is specified for how soon notification has to be made, but it would be fair to assume that this should be fairly prompt once it is certain that there has been an eligible data breach. If it is merely suspected that there has been an eligible data breach, it is generally expected that any assessment to ascertain whether an eligible data breach has indeed occurred should be completed within 30 days.
The NDB scheme applies to the following organisations:
- Australian Government agencies;
- All businesses (including not-for-profit organisations) with an annual turnover of $3 million or more; and
- The following businesses with an annual turnover of less than $3 million:
(a) All private health service providers.
(b) Businesses that trade in personal information.
(c) Tax file number (TFN) recipients (however, if the annual turnover is below $3 million, then the NDB scheme will only apply in relation to TFN information); and
(d) Businesses that hold personal information in relation to certain activities, for example, providing services to the Commonwealth under a contract.
Privacy Laws abroad
Further afield, the GDPR will come into force on 25 May 2018 and, given its broad scope, an Australian business may need to comply with the GDPR. The GDPR applies to any organisation, including those outside the European Union (EU), that collects, stores or processes personal data of any individual who lives in the EU (including non-citizens). Companies that have customers or clients residing in the EU should therefore ascertain whether their activities fall within the scope of the GDPR.
The GDPR has no threshold limits; hence Australian businesses that do not need to comply with the NDB scheme may nonetheless need to comply with the GDPR if they: (a) have an establishment in the EU; (b) are data processors or controllers based in the EU, or are part of an organisation with data processors or controllers based in the EU; (c) offer goods or services to people in the EU; or (d) monitor the behaviour of individuals in the EU.
Under the GDPR, an individual must be able to easily withdraw the consent given, and may further seek to have their data deleted. The company also needs to demonstrate that it has implemented appropriate technical and organisational measures to comply with the GDPR. If there is any data breach, the GDPR provides that such breach shall be notified to the data protection authority within 72 hours of the breach being known by the company.
Both the NDB scheme and the GDPR require that a company obtain the express consent of the individual whose data is being used; such use can only be for a legitimate purpose, which should be specified when obtaining consent. Both also require transparency in information handling practices.
What should be your next step?
Apart from the fines and sanctions mentioned above, companies will likely incur additional costs in ascertaining how the breach occurred, in implementing remedial measures to prevent the breach from recurring, and in notifying those affected by the data breach. Apart from financial loss, it is highly likely there will also be reputational loss in the event of a serious data breach.
As such, it is far better to be proactive: start monitoring what personal information you have access to, put in place security measures to minimise the risk of disclosure or loss of information, and set out a clear process for how data breaches should be handled and reported, should the unfortunate happen.