
Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by the Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites.

Australia Passes Data Breach Notification Law

If you’re keeping tabs on the ever-evolving world of data breach notification laws, you can finally add Australia to the list. Organizations that experience a data breach affecting Australian citizens now have new reporting and notification requirements.

The new breach notification law in Australia amends the Privacy Act of 1988. Thus, the new law applies to organizations governed by the Privacy Act – companies with over $3 million AUD in revenue.

Updated Australian Notification Requirements

The requirements recently passed in Australia will mirror other breach notification laws in various jurisdictions. Here are the most notable updates:

  • Notify affected Australian residents and the Australian Information Commissioner in the event of an eligible data breach
  • Take all reasonable steps to ensure that an assessment of the incident is completed within 30 days of discovery
  • If the assessment finds an eligible data breach has occurred, required parties must be notified as soon as practicable
  • If the notification to the affected parties is not practicable, the updated amendment allows for substitute notice

In the unfortunate event that an organization determines a breach occurred, the notification even has certain content requirements:

  • Identity and contact details of the breached organization
  • Description of the serious data breach
  • Kinds of information possibly breached
  • Recommendations about steps individuals should take in response to the breach

Notifications can be sent through the normal method of communication with affected individuals.

Penalties

Failure to properly notify the required parties can lead to heavy fines and consequences for organizations. The highest penalty is set at $1.8 million AUD for noncompliant organizations.

It’s important to consult with counsel and review the definitions in the law to determine if an eligible data breach has occurred affecting personal information. However, in the accompanying  several examples of notifiable data breaches were given:

  • A malicious breach of the secure storage or handling of information – i.e. cybersecurity incident with compromised data
  • Accidental loss – i.e. theft of IT equipment, laptops, or hard copy documents
  • Negligent or improper disclosure of information

The effective date for the new law has not yet been set.