Bloomberg: Aussie Breach Notice Law May Distract from EU Privacy Compliance

By Murray Griffin

Australia’s new mandatory data breach notice law may have distracted some companies from their compliance obligations under the European Union’s new privacy regime, privacy attorneys told Bloomberg BNA.

A decade after it was proposed, mandatory data breach notification in Australia takes effect in February 2018, a few months before the EU General Data Protection Regulation (GDPR) enters into force in May 2018. The GDPR not only has its own breach notice requirement, it includes several provisions that will impose first-time compliance burdens on Australian companies.

The more imminent requirements under the Australian breach notice law “are getting more focus” than the GDPR, Brendan Tomlinson, information technology, privacy, and cybersecurity special counsel with Maddocks in Sydney, told Bloomberg Law. “GDPR isn’t as much on the radar as it needs to be,” he said. “The requirements around data breach for GDPR are more stringent and the potential fines are far greater.”

The Australian law requires that companies notify privacy regulators of data breaches no later than 30 days after discovering the incident. The GDPR requires breach notice within 72 hours.

Although companies with revenues in Australia of over A$3 million ($2.3 million) need to be prepared for the long-awaited Australian breach notice requirement, all companies that collect and control the use of or process personal data of EU citizens or aim their business at the EU will be subject to the GDPR’s broad extraterritorial scope. In addition, the maximum A$1.8 million ($1.3 million) penalty under the Australian law pales in comparison to the potential fines of 20 million euros ($23.3 million) or 4 percent of a company’s worldwide revenue available under the GDPR.

Other Differences

The GDPR will also introduce new privacy principles unknown in Australia, including the right for individuals to request that their personal information be deleted, Melanie Marks, principal of Australian privacy and cybersecurity consulting company elevenM, told Bloomberg Law.

Australian law doesn’t recognize the concept of a data processor, a company that handles and processes personal data on behalf of another company that controls the use of the data. The GDPR extends current privacy requirements beyond data controllers to cover data processors. The GDPR also requires informed consent from individuals to the processing of their personal data and that companies allow individuals the right to easily withdraw their consent.

Australian companies are “reviewing their consent frameworks, and in some cases, we hear they are contemplating moving away from consent as a basis for data handling entirely,” Marks said. Instead they are looking to other legal means to process data under the GDPR, such as through specific contracts, she said.

The GDPR also includes a broad right of individuals to access their personal data.

“The challenge is there is a lot of intermixed data between data that is considered the employee’s and data that is considered the organization’s,” Didier Elzinga, CEO of employee analytics company Culture Amp Pty Ltd, told Bloomberg Law.

Large Australian companies, such as retailer Woolworths Ltd.—which brought in $42 billion in revenues in fiscal year 2017 according to Bloomberg data—have been subject to Australia’s privacy laws for decades. But small businesses in Australia may also be forced to confront privacy protections for the first time with the advent of the GDPR.

“In Australia, there is an exemption if you are a small business from needing to comply with the Australian Privacy Principles,” but the GDPR has no such exemption, Tomlinson said.

Competitive Advantage

For technology companies, much of the pressure to be GDPR-ready will come from business clients or potential clients that value the ability to participate freely in the international digital economy and that provides commercial opportunities, Marks said.

“It becomes a unique selling point or a point of differentiation that you can say ‘our data practices are compliant with the GDPR’,” she said.

About 95 percent of a company’s spending on GDPR preparation should go to compliance efforts and having a good privacy framework, but the other 5 percent should be set aside for marketing the story of GDPR-readiness “because it is a commercial advantage.”