
Proposed changes to Australian privacy laws will have significant impacts on business, some of which they may not be expecting.

Changes to privacy laws in Australia are imminent and will have a big impact on business and the Federal Government, especially in the use of offshore outsourcers and service providers, and in direct marketing.

The new Privacy Amendment Bill is close to being finalised and the scope of the changes proposed is significant enough that business and government agencies and departments need to get on top of the changes now.

The Privacy Amendment Bill follows a six-year reform journey to have consistent privacy obligations across the public and private sectors and to future proof privacy legislation by making it technology neutral.

The reforms will have a big impact in a number of areas – two topical examples are outsourcing and cross border transactions, and direct marketing.

In the outsourcing area – the Privacy Amendment Bill introduces a new accountability framework for those using offshore outsourcers and other services provided by overseas entities – including cloud computing. Before disclosing personal information to a service provider overseas, an organization must take reasonable steps to ensure that the recipient doesn’t breach Australian privacy laws. In an outsourcing or services agreement – this will mean requiring the provider to agree to comply with Australian privacy laws. Also, if Australian privacy laws don’t apply directly to the overseas entity – because they don’t have a presence in Australia – then the organization here becomes directly responsible for the overseas entity’s breach of Australian privacy laws. And it is a strict liability regime.

One exception to this new framework is where a person consents to the disclosure of their personal information overseas, after they have been expressly told that giving consent means the accountability framework won’t apply.

The Privacy Amendment Bill also requires that privacy policies state if an organization is likely to disclose personal information overseas, and if so, in which country or countries.

Another area that will be impacted by reforms is direct marketing. And by direct marketing, we mean communicating directly with a consumer to promote the sale of goods and services. There are new restrictions on the use of personal information for those purposes. Understandably, a number of media and advertising organizations, as well as internet giants like Google and Facebook, are concerned with the potentially broad scope of the term “direct marketing” – it potentially covers all communications between businesses and consumers, and could prevent online advertising on their websites. So in this area, industry needs to be right across what they can and can’t do in direct marketing. And of course the devil is in the detail.

So what do these changes mean for business and government?  There are a number of things they should start to do now:

  • Review their privacy policies and consents to ensure they cover disclosure of personal information to any overseas service providers – and the country or countries those recipients are located in.
  • Review the privacy provisions in their contracts to ensure they have appropriate remedies if the conduct of the overseas outsourcer or service provider exposes the Australian organization to liability under the Privacy Act.
  • Consider what communications will be caught by the new direct marketing rules, and make sure privacy policies and privacy consents cover off use of personal information for direct marketing purposes, and that privacy procedures include a simple “opt out” mechanism.

Going forward, proper compliance will be key – the Privacy Amendment Bill also gives the Privacy Commissioner teeth – with new enforcement powers and a new penalty regime. 

For the first time, an organization which breaches the new Australian Privacy Principles will risk civil penalties of up to $1.1 million.

So – although the Bill is still to be finalised and passed by the Senate before it becomes law, the changes proposed are significant so organizations need to start reviewing and updating their privacy policies and internal privacy. Those organizations which start this review process early will have fewer issues when the changes begin.