In the context of buying and selling businesses, we are often asked to advise on whether a company is permitted to sell its customer list without infringing its customers' privacy rights. The first step in understanding the impact of the Privacy Act 1988 (Cth) (the Act) is to understand the structure of the sale.
Under Australian Privacy Principle 6, if an organisation holds personal information about an individual that was collected for a particular purpose (the primary purpose) the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
- the individual has consented to the disclosure;
- the individual would reasonably expect the organisation to disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose; or
- another exception under the Act applies.
Generally, in situations where the sale of a business occurs through a sale of shares, customers' personal information will remain with the same owner of the business, and therefore will not directly raise privacy compliance issues. While there may be new shareholders of the entity, the personal information held by the business will not be disclosed outside of it.
Importantly, vendors and purchasers must take care to protect customers' privacy during a due diligence process and, where possible, vendors should provide de-identified information to a prospective buyer. We recommend that privacy clauses be included in confidentiality agreements with potential buyers and that all personal information exchanged during due diligence be returned or destroyed if the sale does not proceed.
Regardless of whether a vendor would usually be entitled to the “small business” exemption under the Act (where its annual turnover falls below $3 million), disclosing personal information about another individual to anyone else for a benefit, service or advantage (i.e. “trading”) automatically brings an organisation within the bounds of the Act.
In this context, where a customer database is being sold as one asset of a business that is a going concern, the Office of the Australian Information Commissioner has expressed a view in published guidelines that the sale of a customer list in this context is a disclosure of personal information in a manner consistent with the primary purpose and that the benefit, service or advantage is being received for the sale of the business rather than the personal information itself. Our earlier comments about due diligence would also apply in this scenario.