Australia has had a Privacy Act in place since 1988 and has now taken steps to bring that law up to date with the Privacy Amendment Act of 2012.
The updated Privacy Act is explicit that enterprises holding Australian customer data are responsible for protecting that data, regardless of where it is located or whether a breach is caused by a cloud provider.
The law states that “reasonable” steps must be taken to protect personal information and that organizations must demonstrate “prudent” practices for information protection to avoid investigation and penalties.
The Privacy Amendment specifically discusses cross-border disclosure of personal information. If overseas cloud providers are not subject to Australian law and there is a breach, then the Australian entity that owns the data is financially and criminally liable.
The Office of the Australian Information Commissioner (OAIC) is the national data protection regulator responsible for overseeing the Privacy Act.
Breach Notification Requirements & Exemptions
An organization that breaches the Privacy Act is currently under no legal obligation to report that breach to the affected individual(s) or to the OAIC, and doing so is not generally current practice. However, the OAIC has issued guidance on data breach notification which recommends that, where a data breach creates a real risk of serious harm, the affected individuals and the OAIC should be notified.