The Coalition government is planning to introduce legislation for mandatory data breach notifications into parliament before an anticipated July 2 federal election, but Australians could once again watch the bill run out of time to be passed.
An exposure draft of the Coalition's bill was published last December and remained open to feedback until early last month.
The government has now revealed that, despite concerns from some of Australia's biggest industry groups, it will push forward with the legislation.
The bill is listed among a host of others proposed for introduction in the 2016 winter sittings of parliament, which run from May 1 to June 30.
However, the Department of Premier and Cabinet indicated it does not expect to actually pass the legislation within the brief sitting period - parliament will be dissolved and the government will enter caretaker mode after the May 3 budget and the subsequent launch of the election campaign.
This means Australian businesses could, for the second time in three years, watch a bill mandating data breach notifications fail to be passed.
In June 2013, the former Labor government's data breach notifications legislation ran out of time to be heard in the Senate on the last day of sittings before that year's federal election.
It meant the bill lapsed and was not re-introduced after the Labor Party was ousted by the Coalition.
In early 2015, following the recommendation of a joint committee investigating its data retention scheme, the Coalition government gave itself a deadline to have a data breach notifications scheme operating before the end of the year, but it missed that deadline.
It instead introduced an exposure draft for its own bill on the last day of parliamentary sitting last year.
The Coalition bill is almost identical to Labor's "Privacy Alerts" bill of 2013.
It outlines what the government considers to be a serious breach and details the steps an organisation must take to address one.
It dictates that an entity must notify customers, the privacy commissioner and potentially the media "as soon as practicable after it is aware" or has reasonable grounds to believe a serious data breach has occurred.
The scheme applies only to organisations governed by the Privacy Act. State government organisations and local councils, plus organisations with a turnover of less than $3 million a year, will fall outside the legislation.
The privacy commissioner would have the power to chase civil penalties for non-compliance, with individuals facing fines of $340,000 and organisations facing up to $1.7 million.