A year in review and looking ahead to 2015

Within Australia

Last year saw the most significant reforms to the Privacy Act since the law was amended to cover the private sector in 2000. The Amending Act introduced the Australian Privacy Principles (APPs), a new credit reporting system and stronger enforcement powers for the Privacy Commissioner, including the power to seek civil pecuniary penalties of up to A$1.7 million for serious and repeated interferences with privacy.

The Office of the Australian Information Commissioner (OAIC) was active in 2014, with the Annual Report showing privacy complaints increasing by 183.3%. Major data breaches involved Telstra Corporation and the Government Department of Immigration and Border Protection. The Privacy Commissioner released further guidance material to assist organisations and agencies to interpret the APPs; develop a privacy policy; conduct a privacy impact assessment; de-identify personal information; respond to a data breach; and train staff; while setting out the OAIC's approach to enforcement in its Regulatory Action Policy. The final Guide to securing personal information has now been published.

Legislative developments have affected different industries in different ways:

  • Financial services and credit providers: Following the introduction of the reforms, credit providers must now belong to a recognised external dispute resolution scheme. Although commercial credit providers obtained a temporary exemption, this exemption is currently due to expire on 11 March 2015. The new Privacy (Credit Reporting) Code 2014 was approved and the Privacy (Credit Related Research) Rule 2014 on de-identification of credit information was introduced. Public interest determinations were made to temporarily enable certain banks and other authorised deposit-taking institutions to deal with international money transfers. In 2015 these determinations are due for consideration as to whether they should continue on a permanent basis. The reform journey for credit reporting may continue if the recommendations of the recent Financial System Inquiry are adopted.
  • Marketing: The AMSRO (Association of Market and Social Research Organisations) registered the first voluntary APP code which will bind its members. The Privacy Commissioner also announced that he had signed a Memorandum of Understanding with the Australian Communications and Media Authority to streamline the approach taken by the regulators to telecommunications, spam and telemarketing.
  • Energy and water utilities: From 11 March 2015, energy and water utilities that had previously been granted a temporary exemption will need to become members of an external dispute resolution scheme.
  • Health: The OAIC released an eHealth Annual Report detailing compliance and enforcement activity in relation to the handling of personally controlled electronic health records and health information under the relevant statutes.
  • Government: Statutory reforms have focused on strengthening protections for the personal information of Australian intelligence officers. New public sector information privacy laws were passed in ACT and Victoria.

Further legislative reforms are on the horizon for 2015. From an administrative perspective, it is expected that the Senate will soon pass laws to disband the OAIC and relocate the Privacy Commissioner within the Australian Human Rights Commission. Any organisations or agencies that refer to the OAIC in their privacy policy will need to change these references.

To assist enforcement agencies, legislation is proposed to introduce a requirement for telcos and internet service providers to retain data on Australians for two years. The House of Representatives Standing Committee on Social Policy and Legal Affairs also released its report into the use of drones, recommending that the Australian Government consider introducing, by July 2015, specific legislation to protect against privacy-invasive technologies; simplify and harmonise Australian surveillance laws; and review, by June 2016, the adequacy of privacy regimes, including identifying issues and areas for action.

Enhanced consumer privacy protections may also be coming. In 2014, the Australian Law Reform Commission tabled in Parliament a final report outlining the design for a statutory tort for serious invasions of privacy. Although the Labor government introduced a Bill for mandatory data breach notification which failed to pass through the Senate before the election, the Financial Services Inquiry offers another opportunity for the Government to again consider introducing mandatory data breach notification. The final report of that inquiry recommended the Government engage the Productivity Commissioner to consider the costs and benefits associated with increased access and improved uses of data. One option proposed is that the Government increase transparency through data breach reporting.

Transferring information overseas remains an important issue for entities, and over the last year we have identified some practical tips to comply with the cross-border disclosure obligations.

The global scene

The Australian Privacy Commissioner has pursued ways of enforcing the purported long-arm jurisdiction of the Privacy Act, signing a Memorandum of Understanding with the Data Protection Commissioner of Ireland to provide mutual assistance in the enforcement of laws protecting personal information in the private sector. The Asia-Pacific Economic Cooperation (APEC) has identified that there are no impediments to Australia signing the letters of intent to join the Cross Border Privacy Rules framework, which creates regional cooperation in the enforcement of privacy laws.

The most infamous data breach of the year was Apple's iCloud breach, which resulted in private photographs of celebrities being publicly released online; other data breaches involved Sony, Dropbox and Snapchat.

The European Court of Justice has recognised, at least for EU citizens, a "right to be forgotten" online, requiring search engine providers to remove links to personal data that is inaccurate, inadequate, irrelevant or excessive. The first international standard for cloud service providers was also released, providing a benchmark for data security in the cloud.

What lies ahead for 2015

The Australian Privacy Commissioner stated that in 2015 he will be focusing on corporate governance structures. He intends to check that entities have appropriate practices, procedures and systems in place to ensure compliance and that there is a mechanism to deal with privacy complaints. The Commissioner emphasised that organisations and agencies should design their security measures to account for the chance of deliberate mishandling by staff and human error.

In light of this focus, it will be interesting to see what enforcement action the Commissioner takes in the coming months. Although he has signalled an intention not to target specific sectors, he will be looking at organisations across a range of sectors that are high risk or high volume users of personal information including Government, finance and telecommunications.

As the first anniversary of the privacy reforms approaches, it will be timely for businesses and agencies to review their practices, policies, procedures and systems against the published guidance and to assess the privacy and security risks their organisation needs to manage, including the vulnerabilities to cyber attacks. New products, apps, uses of big data and overseas arrangements involving the transfer of personal information bring opportunities as well as challenges to privacy and customers' trust.

Abroad, negotiations on the major reforms proposed to the EU's 1995 data protection rules should come to a head, while the EU continues to negotiate on the US safe-harbour arrangements.