On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first reading. The bill, which was subject to a second reading debate on March 27, 2014, was originally introduced on May 29, 2013, but it lapsed on November 12, 2013, at the end of the session.
As we previously reported, if passed, the bill would amend the Privacy Act 1988 by introducing a mandatory breach notification requirement for “serious data breaches.” The proposed definition of “serious data breach” includes a harm threshold: pursuant to the bill, the breach notification obligation would be triggered if unauthorized access to, or disclosure of, personal information would result in a “real risk of serious harm” to the individual to whom the information relates. In the event an organization “believes on reasonable grounds” that there has been a “serious data breach,” the organization would be required, as soon as practicable, to notify affected individuals and submit a copy of the notification to the Australian Privacy Commissioner. The bill also contemplates notification methods, and would allow the Privacy Commissioner to exempt organizations from the notification requirement under certain circumstances.