Australian businesses now legally obliged to report data breaches or cop hefty fines

It took a while, but the 2016 Privacy Amendment Bill was finally passed into legislation last year after getting the royal say-so to become law, and its conditions will be enforced from today.

Effective immediately, the law requires that all Australian businesses, not-for-profit organisations and government agencies with an annual turnover of $3 million or more are to report any and all data breaches involving customers’ personal data. Failure to report any breach can result in massive fines of up to $2 million.

Businesses will have up to 30 days to report the breach, not only to the Office of the Australian Information Commissioner (OAIC), but to any affected individual if they are at risk of “serious harm”.

Information commissioner Timothy Pilgrim said in a statement that the Notifiable Data Breaches (NDB) scheme “[reinforces] accountability for personal information protection” and “supports greater consumer and community trust in data management”.

Coughing up

Failure to comply with the law will see companies fined up to $2.1 million, but it could also end up costing individuals a hefty penalty of up to $420,000.

While these fines may be little more than a dent in the accounts of large organisations, small business could be crippled if they need to cough up millions of dollars in penalties. 

The OAIC hopes that the potential to lose business could see companies, especially small businesses, comply with the law. "One of the biggest risks they have is losing the trust of their customers," Mr Pilgrim added.

Speaking up

Although businesses have 30 days to report any data breach, the time limit could be extended if the incident is being investigated by authorities and public knowledge could impede the process.

However, if the company is confident that the breach has been contained and customers are not at any risk, they could be exempt from reporting the incident.

And it’s not just Aussie businesses that are obliged to report breaches – any foreign company operating on Australian soil also come under the law. The OAIC can also work with overseas authorities to investigate international leaks.

"Two years ago, my office did a joint investigation with the Canadian commissioner's office in the Ashley Madison breach," Mr Pilgrim explained. "We found Ashley Madison in breach under both our laws."

While the NDB scheme may not be the most stringent law when compared to other countries', it is being viewed as a positive step forward in protecting Australians’ personal information.

[Image courtesy of Blogtrepreneur]

Sharmishta Sarkar
Managing Editor (APAC)

While she's happiest with a camera in her hand, Sharmishta's main priority is being TechRadar's APAC Managing Editor, looking after the day-to-day functioning of the Australian, New Zealand and Singapore editions of the site, steering everything from news and reviews to ecommerce content like deals and coupon codes. While she loves reviewing cameras and lenses when she can, she's also an avid reader and has become quite the expert on ereaders and E Ink writing tablets, having appeared on Singaporean radio to talk about these underrated devices. Other than her duties at TechRadar, she's also the Managing Editor of the Australian edition of Digital Camera World, and writes for Tom's Guide and T3.