In the context of buying and selling businesses, we are often asked to advise on whether a company is permitted to sell its customer list without infringing its customers' privacy rights. The first step in understanding the impact of the Privacy Act 1988 (Cth) (the Act) is to understand the structure of the sale.

The law

Under Australian Privacy Principle 6, if an organisation holds personal information about an individual that was collected for a particular purpose (the primary purpose), the organisation must not use or disclose the information for another purpose (the secondary purpose) unless:

  • the individual has consented to the disclosure;
  • the individual would reasonably expect the organisation to disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose; or
  • another exception under the Act applies. 

Share sale

Generally, in situations where the sale of a business occurs through a sale of shares, customers' personal information will remain with the same owner of the business, and therefore will not directly raise privacy compliance issues. While there may be new shareholders of the entity, the personal information held by the business will not be disclosed outside of it.

Importantly, vendors and purchasers must take care to protect customers' privacy during a due diligence process and, where possible, vendors should provide de-identified information to a prospective buyer. We recommend that privacy clauses be included in confidentiality agreements with potential buyers and that all personal information exchanged during due diligence be returned or destroyed if the sale does not proceed.

Asset sale

Regardless of whether a vendor would usually be entitled to the “small business” exemption under the Act (where its annual turnover falls below $3 million), disclosing personal information about another individual to anyone else for a benefit, service or advantage (i.e. “trading”) automatically brings an organisation within the bounds of the Act.

In this context, where a customer database is being sold as one asset of a business that is a going concern, the Office of the Australian Information Commissioner has expressed a view in published guidelines that the sale of the customer list is a disclosure of personal information in a manner consistent with the primary purpose, and that the benefit, service or advantage is being received for the sale of the business rather than for the personal information itself. Our earlier comments about due diligence would also apply in this scenario.

By contrast, where a customer list is not sold as part of the going concern, or the purchaser contemplates significant changes to the character or operations of the business, the obligations of the Act would become applicable, including the need to have a privacy policy. In the context of the sale, the vendor must carefully consider, from an objective standpoint, whether the relevant individuals would ‘reasonably expect’ the vendor to disclose their personal information to a prospective purchaser. The sale of a customer list outside the context of the sale of a going concern, or where disclosure is to a third party that does not intend to continue the operations of the business, is far more likely to fall outside what the customers would reasonably expect. Accordingly, such a sale could well require individuals’ consent.