Focus: Major privacy reforms passed
30 November 2012
In brief: The Federal Parliament has passed much anticipated reforms that will have a significant impact on the way companies and government agencies collect and deal with various forms of personal information. Partners Michael Pattison and Gavin Smith (view CV), Senior Associate Nathan Shepherd and Lawyers Amy Dobbin and Ishwar Singh report.
- Background to the reform
- Privacy Commissioner's new powers
- Australian Privacy Principles
- Credit reporting regime
- What next?
How does it affect you?
- When does the new regime come into effect? The amendments to the Privacy Act 1988 (Cth) (the Privacy Act) come into effect in March 2014. The Senate has extended the expected nine-month transition period to 15 months.
- Who will be regulated? Most entities that handle personal information, including most Australian companies, will need to comply with the new regime.
- What are the major regulatory impacts for businesses? The reforms introduce significant new pecuniary penalties, of up to $1.1 million, for breaches of the Privacy Act by companies and grant substantially increased powers to the Office of the Australian Information Commissioner. The reforms also consolidate and redraft the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) as new Australian Privacy Principles (APPs) that apply to both private and public sector organisations and institute a new credit reporting regime.
- What should businesses do now? Businesses should review and update their privacy policies, collection statements, direct marketing procedures and procedures for dealing with unsolicited information. Businesses should also identify any relevant cross-border disclosures and review applicable arrangements. These steps should be accompanied by an overall update of procedures to promote privacy compliance.
- What is the impact of the new credit reporting regime? Credit reporting bodies can now collect 'positive' data about individuals, including repayment history information. The new regime also provides significant new protections for individuals in relation to their credit information, including a strengthened complaint process.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Privacy Amendment Act), is the culmination of a long process of privacy law reform. As previously reported in our Focus: Tougher Australian data protection regime, the process of reforming Australia's privacy laws began more than four years ago, with the release of the Australian Law Reform Commission's comprehensive report entitled For Your Information. Since the release of this report, amendments to the Privacy Act have been the subject of a number of parliamentary reviews, which have involved extensive consultation with key stakeholders that will be affected by the changes. In addition, the Senate introduced a series of amendments on 27 November 2012, including an extension of the transition period from nine months to 15 months.
The new privacy reforms provide the Privacy Commissioner with additional investigation and audit powers, as well as the power to accept enforceable undertakings, develop and register binding privacy codes, and commence proceedings in the Federal Court or the Federal Magistrates Court.
One of the most significant changes to the Privacy Act is the introduction of new and significant penalties to support and bolster these additional powers of the Privacy Commissioner. If an entity engages in serious or repeated breaches of the APPs or a registered privacy code, the Commissioner may apply to the Federal Court or the Federal Magistrates Court for an order that the entity pay a penalty of up to $1.1 million for corporations (and up to $220,000 for individuals). There are also criminal and civil penalty provisions attracting a range of penalties in relation to breaches of the credit reporting regime.
There is currently no specific guidance as to the nature of serious or repeated breaches that may result in a court order for a pecuniary penalty. However, it is expected that the courts will have significant latitude to deal with a range of privacy breaches in cases where the Commissioner makes an application for a penalty.
The Commissioner's ability to seek penalties of up to $1.1 million adds a significant potential legal risk for companies. Moreover, the press attention and associated reputational risk for a company created by Federal Court proceedings being brought could be significant.
The amended Privacy Act incorporates 13 new APPs, which we have reported on previously. The APPs replace the NPPs and IPPs, which applied to private organisations and government agencies respectively. The new Privacy Act now simply refers to 'APP entities', which includes both organisations and agencies.
Entities will need to take a number of steps to ensure that their systems comply with the new principles. The most significant of the new APPs, and what entities should do to comply, are summarised below:
- APP 4 (unsolicited personal information): provides that, where an entity receives unsolicited personal information, it must, within a reasonable period, determine whether it could have collected the information itself under the APPs. If not, the entity must destroy or de-identify that information. Entities should consider instituting procedures governing how unsolicited information is to be dealt with as a matter of course.
- APP 5 (notification of collecting personal information): expands the scope of the notification required to be given to individuals when personal information is collected. As with APP 1, entities must ensure their collection notices address a list of prescribed matters, including whether the entity is likely to disclose the information to overseas recipients and, if so, to which countries. Entities should review and update their collection statements to ensure they comply with the new requirements.
- APP 7 (direct marketing): includes specific rules that apply to direct marketing. The new APP 7 restricts the use or disclosure of personal information for direct marketing unless an exception applies. Entities should review their current direct marketing practices, and consider what new systems, procedures and consents might need to be implemented in order to rely on the new exceptions under the new legislation.
- APP 8 (cross-border disclosure of personal information): the new APP 8 significantly changes the current cross-border transfer regime. In certain circumstances, an entity may now be deemed to be liable for a breach of the APPs by an overseas recipient of personal information disclosed by the entity. Entities should consider whether current cross-border transfer consents, practices and/or agreements will continue to comply with the new requirements, and whether they need to obtain new consents or otherwise mitigate any risk arising as a result of any deemed liability for subsequent breaches of the APPs by overseas recipients. Significantly, given the change of terminology from cross-border 'transfer' to the broader term 'disclosure', organisations will also need to consider whether there is a disclosure to overseas recipients, even if such information is stored in Australia. If so, those organisations will need to ensure that they comply with the new APP 8 regarding that disclosure. APP 8 will be particularly relevant to the increasing number of organisations that use information technology services that disclose or transfer personal information to overseas recipients (such as outsourcing, off-shoring and cloud computing).
It is expected that the APPs will be supplemented with guidance on specific issues from the Office of the Australian Information Commissioner.
The reforms introduce a completely redrafted credit reporting regime. Credit reporting bodies can now collect 'positive' data about individuals, namely:
- the date a credit account was opened or closed;
- the types of credit account opened;
- the current limit of each open credit account; and
- most significantly, repayment history information.
To offset this increased access to information, the reforms include significant new protections for individuals in relation to their credit information, including a strengthened complaint process and increased ability for individuals to correct their credit information. Businesses that use credit information, such as financial institutions and telecommunications companies, will need to ensure that they have systems in place to comply with the new regime.
The Privacy Act credit reporting regime will be supported by a Credit Reporting Code, which will cover credit reporting procedures in more detail than the Privacy Act. Significantly, the Credit Reporting Code is still in development, and will impact extensively on systems used by credit reporting bodies and credit providers to handle information about credit.
From the date of Royal Assent, anticipated to occur shortly, there will be a 15-month transition period before the amendments come into effect, which gives businesses more time to respond to the reforms than the nine months originally proposed. Given the wide-ranging nature of the reforms, businesses should still begin taking steps as soon as possible to ensure that their compliance regimes and systems are in place for when the reforms commence, around March 2014.
There are likely to be further reforms to privacy regulation in coming years. Discussion papers have been released in relation to a statutory tort for privacy breaches and, significantly for businesses, mandatory data breach notification. Some Privacy Act exemptions, such as the small business exemption, are also slated for removal in a second tranche of privacy reforms. It is expected that amendments in relation to these issues will be proposed at some stage in the next few years, although the timing is, at this stage, unclear.
Allens' Privacy team can assist you with assessing the likely impact of the new privacy legislation on your organisation, and advise on any amendments that may be required to your organisation's privacy, marketing and information technology practices, policies and agreements.
- Gavin SmithPartner, Sector Leader, Technology, Media & Telecommunications,
Ph: +61 2 9230 4891
- Ian McGillPartner,
Ph: +61 2 9230 4893
- Michael MorrisPartner,
Ph: +61 7 3334 3279
You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.