Strengthening data privacy: the obligation of organisations to notify affected individuals of data breaches

Abstract

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a new Part IIIC into the Privacy Act to strengthen the existing information privacy laws by requiring the designated organisations to notify the Information Commissioner and affected individuals of data breaches that are likely to cause serious harm. The objective of this article is to consider the proper public policy basis for data breach notification laws, the likely ambit of operation of the new provisions and the merits of the law in enhancing data security. Whilst the article focuses on the Australian legislative framework, the provisions European Union’s new General Data Protection Regulation 2016/679, 27 April 2016, will also be considered to extend the discussion of appropriate law in this area. The article will conclude by identifying continuing areas of concern and suggesting initiatives to further strengthen the data privacy of individuals.