Data breach laws fail to pass Senate

Legislation for mandatory data breach reporting in Australia has failed to make it through the Senate and, unless the upcoming federal election date is changed, will not be enacted into law until after the next election.

The legislation comes in the form of the Privacy Amendment (Privacy Alerts) Bill 2013. If passed, it would require organisations in certain circumstances to notify the Privacy Commissioner and affected individuals when information in their systems was compromised.

The Bill was slated to come before parliament last Thursday, but was not debated and not brought forward for a vote.

As the last scheduled parliamentary sitting before the upcoming federal election, this was the last opportunity for the Bill to be made law before the election.

But with last week’s change in prime minister, the election date may be moved. If so, it’s possible that parliament may sit again before the election and the Bill be debated and, potentially, passed.

If the Bill is not heard before the election, it’s not clear what future the legislation has in its current form.

Early last week the Senate Legal and Constitutional Affairs committee released a report into the proposed changes. And although the committee recommended that the Senate pass the Bill, the report contained a section devoted to objections from Coalition senators, titled ‘Additional comments by Coalition senators’.

“Coalition senators are, like a number of submitters to this inquiry, concerned with the lack of due process and time for scrutiny afforded to this Bill through the committee,” one part of the section read.

“Coalition senators understand that the number and depth of analysis of submissions to this inquiry has been hampered by the restrictive timeframe.”

It also said: “Coalition senators note the concerns expressed by a number of submitters regarding the lack of definition of the terms ‘serious breach’ or ‘serious harm’ in the legislation.”

“We note also concerns expressed about ‘regulatory overload’ being experienced by industry as it digests both the new privacy regime and this latest tranche of significant enhancements to that regime.”

But according to ITnews, the Coalition “does believe in mandatory data breach notifications as a matter of principle, to cover those entities not participating in various voluntary data breach notification codes.”

“The concept would remain on the parliamentary agenda if a Coalition government is elected in the upcoming federal election, in order to have some form of mandatory data breach notification scheme in place to accompany the arrival of new privacy reforms, due next March,” the site says.