Privacy law update - data breaches must now be notified

It is time to review your cyber security posture

In brief

Australia’s federal privacy laws are set for their most significant amendment since the introduction of the Australian Privacy Principles in 2012.  

On Monday, Parliament passed the Privacy Amendments (Notifiable Data Breaches) Bill 2016 (the Bill), which will make it mandatory for entities regulated by the Privacy Act to notify of any data breach that is likely to result in serious harm.

These amendments have been a long time coming.  They were originally recommended as part of the Australian Law Reform Committee’s 2008 report on Australia’s privacy laws, and then were proposed as part of the legislative package of changes in 2015 that required telecommunications providers to store metadata.

A not-so-safe harbour

Alex Hutchens, John Kettle, Paul McLachlan, William McCullough

It is impossible to avoid the frenzy that has been kicked up by the European Court of Justice’s (ECJ) decision of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner.

What is/was the Safe Harbour?

Like Australia, the Member States of European Union (EU) are subject to strict data protection regulations. Generally speaking, personal data cannot be transferred out of a Member State unless the destination country has adequate protection for the data in question. Over a decade ago, the United States of America (US) and European Commission entered into the ‘Safe Harbour Agreement’ which meant that data could be shared where both companies comply with the Safe Habour Agreement.

All was well and good and many big businesses (including Amazon and Google) relied on the enforceability and protection of the Safe Harbour Agreement.

Forget-me-not (just forget what I’ve done)

The right to be forgotten

Alex Hutchens, Malcolm McBratney, Sheena Fraser

To forget is human.  The problem is, the internet never forgets.  At least, not until now.

Earlier this year, European courts confirmed the right of Europeans in certain circumstances to request that information pertaining to them be deleted from the internet.  This means that they no longer have to rely on peoples’ fading memories for what they have done to be forgotten.

Spurr vs New Matilda: landmark case considers interplay between right to privacy, confidentiality and the public interest

Alex Hutchens, Alexia Marinos

A landmark privacy case is currently being heard in the Federal Court involving a university professor, an online news site and the publication of controversial leaked emails.  The outcome of this case is likely to have significant implications for the media and public generally.

OPSM parent company loses $33.5 million ADF contract for privacy breach

The parent company of OPSM, Luxottica Retail Australia has lost a $33.5 million contract with the Australian Defence Force (ADF) by sending ADF medical records overseas.

Luxottica was awarded the contract by the ADF in 2012 under which it provided optical services to all ADF personnel.  At that time, Luxottica claimed that it would exclusively offer eye services to more than 80,000 ADF personnel each year primarily through its OPSM stores.