Changes in the pipeline for data protection in Queensland

2018 has been a big year in data.

Spurred on by recent well publicised global data breaches such as the Cambridge Analytica‘s data harvesting of Facebook in the lead up to the 2016 US presidential elections), this year has seen the introduction of ground-breaking new data laws both in Australia and internationally.

This article explores two of these key developments; the EU General Data Protection Regulation and the Australian mandatory Notifiable Data Breaches Scheme, and explores how we can expect these reforms to be reflected in Queensland in the future.

EU General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It is widely considered to be the most comprehensive data protection and privacy legislation in the world and goes beyond Australia’s current privacy law. It not only affects businesses established within the EU, but also businesses that offer goods and services or monitor the behaviour of individuals within the EU.

Some of the key differences between the GDPR and the Australian regime under the Privacy Act 1988 (Cth) are:

• Application: It applies to data controllers (those that decide why information is collected and processed) and data processors (those that do the processing);
• Consent: Unlike Australian law where consent can be implied, consent under the GDPR must be explicit and affirmative, precluding “opt out” systems (resulting in a seemingly endless stream of emails from businesses across the globe requesting consumers to agree to their new privacy terms);
• Rights: The GPDR significantly enhances the rights of the individuals, including creating rights to:
  • require data controllers to delete their data in certain circumstances;
  • request their data from an online service provider and transmit it to another online service provider;
  • object at any time to the processing of personal data for certain purposes (e.g. direct marketing).

Consequences for non-compliance are unprecedented, with fines of up to €20 million or 4% of global turnover (whichever is greater) plus non-pecuniary sanctions such as the ability to halt trading within the EU.

The Officer of the Australian Information Commissioner has released a comprehensive resource into the GDPR, accessible here.

Australian mandatory data breach notification scheme

In line with the increase in individual data rights found in the GDPR, the Australian government introduced a mandatory Notifiable Data Breaches scheme (NDB Scheme) on 22 February this year. The primary goal of the NDB Scheme is to ensure that people are informed of data breaches that may affect them.^[1]

The NDB Scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act 1988 (Cth). For example, federal government agencies, companies turning over AU$3 million or more, health services and non-profits etc.

The NDB Scheme introduced an obligation to notify the Australian Information Commissioner (AIC) and individuals whose personal information is involved in a data breach that may result in serious harm. When notifying the AIC/individuals, the reporting organisation must include recommendations about the steps individuals should take in response to the breach.

Failure to comply with the NDB Scheme results in fines of up to AU$2.1 million.

While it’s early days, the NDB Scheme seems to be effective. In January 2018, prior to the introduction of the Scheme, the federal government was not notified of any data breaches. However, within two months of the Scheme’s introduction 63 notifiable data breaches were reported.

The Office of the Australian Information Commissioner has released a comprehensive resource on the NDB, accessible here.

Reform in Queensland

With the introduction of the GDPR and the NDB Scheme, people are increasingly expecting more transparency in the way that their data is handled and are gradually being granted more rights to manage their personal information.

While the developments described do not immediately apply to state government agencies, they reflect ongoing development of ‘best practice’ and are being closely scrutinised as signposts for future reform in Queensland.

Addressing the Legal Affairs and Community Safety Committee on 30 April 2018, the Queensland Privacy Commissioner, Philip Green, said:

 “[t]he times are very interesting in privacy and data security at the moment. You cannot open a paper without seeing some new challenge or some new issue. I think the Facebook and the Cambridge Analytica issues will have rippling effects around the world around government use of data and data analytics. Although they are in the federal jurisdiction, my colleagues are looking at that very closely and participating to some level.”

Key takeaway

People around the world want to know what’s happening to their data and want to have clear rights when they believe it is not being handled appropriately or in the event of a breach.

The federal mandatory NDB scheme moves Australia part way towards meeting this expectation and, depending upon the international success of the GDPR, all signs currently point to similar schemes being adopted in other areas of the world, including Australia. In the meantime, government agencies and business can look to both of these developments as setting a new standard of ‘best practice’ in creating transparent and accountable data and privacy policies.

[1] According to the 2017 Australian Community Attitudes to Data Security Survey, 94% of Australians want to know if their data is breached so that they can take some action about it.

Authored by:
Michael Owens, Partner
Lara Cresser, Senior Associate