Allens

Data Governance, Data Services, Privacy & Cyber


Focus: Major changes to privacy law endorsed

3 October 2012

In brief: A Senate Committee has endorsed changes to privacy law that will have significant implications for most companies and federal agencies. Partners Michael Pattison, Gavin Smith, Senior Associate Nathan Shepherd and Lawyer Ishwar Singh report.

How does it affect you?

  • The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 introduces new Australian Privacy Principles, new penalties, increased powers for the Information Commissioner and a revamped credit reporting system.
  • The Senate Legal and Constitutional Affairs Legislation Committee's report endorses and recommends that the Senate pass the Bill subject to the committee's recommendations.
  • The nature of the committee's recommendations means that the Federal Government is unlikely to make further substantive amendments to the Bill.
  • As the committee recommends that the nine-month transition period remain unchanged, organisations and federal agencies should begin reviewing their privacy compliance regimes, so that they are prepared when, in the near future, the Bill becomes law.

Background and scope of report

In its report, the committee stated that it would not be revisiting those matters on which the Federal Government had, in the course of addressing the earlier Senate Committee recommendations regarding the initial exposure draft of the Australian Privacy Principles (the APPs), made and communicated clear policy decisions. This approach effectively restricted the scope of the committee's recommendations to new issues that were not considered as part of the earlier Senate inquiry.

The committee made 21 recommendations regarding the Bill. A summary of the key recommendations is set out below.

The Australian Privacy Principles

The committee made nine recommendations regarding the APPs, including:

  • APP 2 (anonymity and pseudonymity): That the exception to an individual's right to anonymity and pseudonymity be broadened to include circumstances where it is impractical for an organisation to deal with individuals who have used a pseudonym.
  • APP 7 (direct marketing): That certain parts of APP 7 be amended, to enable individuals to opt out of direct marketing communications at any time, even in circumstances where an individual would reasonably expect the organisation to send direct marketing communications.
  • APP 8 (cross-border disclosure): That APP 8.2(b) (which operates as an exception to the requirement to take reasonable steps to ensure that an overseas recipient does not breach the APPs) be amended to require organisations to inform an individual of the practical effect and potential consequences of any informed consent by that individual. The committee also recommended that the Explanatory Memorandum be revised to explain clearly the nature of this additional requirement.

The committee's recommendations regarding the new direct marketing and cross-border disclosure regimes would, if implemented, make it more difficult for organisations to rely on the exceptions to their new direct marketing and cross-border disclosure related obligations under the Bill.

In the case of APP 8, this is likely to result in a more prominent focus on the new 'deemed liability' provisions, which operate by deeming certain organisations to be liable for a subsequent breach of the Privacy Act 1988 (Cth) committed by the overseas recipient, even where that organisation has taken all reasonable steps to prevent such a breach. When combined with the new penalties and the Commissioner's new powers, this may result in a significantly increased risk to many organisations, and may require changes to current direct marketing and cross-border data transfer practices.

Credit reporting regime

The committee made nine recommendations regarding the credit reporting regime, including:

  • Consumer credit default information: That the regime be amended so that individuals in default must be warned about the potential for a default information listing (being consumer credit information concerning overdue payments) and provided with a reasonable amount of time to rectify a default following notification. The committee also recommended that default listings be limited to the non-payment of amounts of more than $300 and that the Office of the Australian Information Commissioner formulate guidelines, including a requirement for credit providers to consider applications for financial difficulty assistance under the National Consumer Credit Protection Act 2009 (Cth) before an individual's default information is listed.
  • Correction of credit information: That the regime be amended to strengthen the protections for consumers in relation to the correction of consumer credit information. The committee also recommended that recipients of a request to correct personal information be required to take reasonable steps to have the information corrected; notify the individual about the outcome of their request; and, where such information is inaccurate, out-of-date, irrelevant or misleading, correct it within 30 days. The committee also recommended amendments to enable credit reporting bodies and providers to correct an individual's personal information in exceptional circumstances that would result in the listing being unfair to the individual (such as natural disasters, bank error, fraud and medical incapacity).

The committee acknowledged the concerns of a number of stakeholders regarding the provisions prohibiting credit providers from disclosing credit eligibility information (being credit reporting and other derived information) overseas. In the course of the inquiry, certain stakeholders (including the Australian Bankers' Association and the Communications Alliance) argued that the effect of the 'Australian link' requirement in section 21G(3)(b) of the Bill would be to prevent credit providers (including banks, telecommunications service providers and other companies providing forms of consumer credit) from disclosing such information to their foreign subsidiaries and foreign service providers. As the 'Australian link' requirement operates in parallel with APP 8, it effectively imposes additional restrictions on the cross-border disclosure of credit eligibility information, even when other highly sensitive information may be able to be disclosed to an overseas recipient under APP 8. Interestingly, the committee declined to make any recommendations regarding this issue, noting that the Government had stated that it was aware of the issue and would continue to work with stakeholders to determine the correct approach.

Other recommendations

The committee's other recommendations are as follows:

  • Transition period: that the Bill's commencement date remain at nine months after it receives royal assent in order to provide certainty for all relevant stakeholders.
  • Educational material: that the Office of the Australian Information Commissioner develop and publish material informing consumers of the key changes to the privacy legislation, and provide guidance to federal agencies and private sector organisations to ensure compliance with the new legislative requirements.

As we previously reported, one of the Bill's most important aspects is the number of significant new powers given to the Commissioner. Notably, the committee did not make recommendations in relation to any of these powers.

The committee's final recommendation was that the Senate pass the Bill, subject to the implementation of the above recommendations.

What next?

The committee's report endorses the Bill and paves the way for the first stage of the reforms of the Privacy Act to become law. Given the relatively short transition period of nine months, organisations will need to monitor the introduction of the revised Bill to Parliament.

Allens' Privacy team can assist you with assessing the likely impact of the new privacy legislation on your organisation, and advise you regarding any amendments that may be required to your organisation's privacy, marketing and information technology practices, policies and agreements.

For further information, please contact:
