The Office of the Australian Commissioner recently issued draft guidelines on how it will interpret and apply the new Australian Privacy Principles. The new principles will replace the current “National Privacy Principles” and “Information Privacy Principles,” the two different sets of principles for companies and for government entities. The new principles will apply to both groups, and are part of Australia’s privacy law changes (the Privacy Amendment Act, which was passed November 29, 2012, and the Privacy Regulations of 2013, which will go into effect on March 12, 2014).
The new principles do more than combine the prior two sets of principles. There are also some substantive changes, including to how companies can use information for direct marketing (APP 7) and to cross-border disclosures of personal information (APP 8).
Direct marketing is generally prohibited under the new principles, although there are some broad exceptions, such as where there is consent or, if there is no consent, where a simple (and prominent) means to opt out is included in each marketing communication. For those used to the US regime, this may seem similar to the CAN-SPAM Act, but it is method-neutral (email, text, etc.).
With respect to cross-border transfers, the principles continue to prohibit cross-border transfers except in certain circumstances, for example, if the entity has obtained express consent from the data subject or if the entity believes that the recipient is subject to laws similar to those in Australia. Previously, an entity could also transfer data if it “takes reasonable steps to ensure” that the information will be used in accordance with the Principles. This particular exception has now been revised: the transfer can occur under it only if the sending (Australian) entity ensures that the receiving (non-Australian) entity “does not breach” the Australian Privacy Principles.
Violations of the amended Privacy Act can result in fines (the Commissioner can now seek significant civil penalties for repeated violations of the law).
Tip: If operating in Australia, be mindful of these new requirements. If working with entities in Australia, be mindful that they have new requirements about how they can transfer personal data to entities not located in the country.