- The Commonwealth Government has tabled a bill containing major reforms to the Privacy Act.
- New Australian Privacy Principles will replace the current National Privacy Principles (applicable to the private sector) and Information Privacy Principles (applicable to the Federal public sector).
- Key areas impacted by the Australian Privacy Principles: direct marketing, cross-border data disclosure, privacy policies and notice requirements, credit reporting.
- The enforcement powers of the Privacy Commissioner will be expanded, including the ability to seek penalties of up to $1.1 million.
- For most of the new provisions, entities will have 9 months to comply once the amending bill receives Royal Assent.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (Bill)[1] was introduced to Parliament this week. If enacted, this Bill will make significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), giving effect to more than half of the 295 recommendations in the 2008 Australian Law Reform Commission (ALRC) report on privacy laws (ALRC Report).[2]
The majority of the new provisions to be introduced by the Bill have a deferred commencement of 9 months from the day after the Bill receives Royal Assent, to allow entities sufficient time to prepare.
The Australian Privacy Principles
In accordance with ALRC’s recommendations, the Bill creates a new set of Australian Privacy Principles (APPs), which will replace both the Information Privacy Principles (IPPs) (for the Federal public sector) and the National Privacy Principles (NPPs) (for the private sector).
The thirteen APPs will apply to both Federal government agencies and private sector organisations (which are defined collectively as ‘APP entities’). Mostly, the APPs will apply equally to all entities; however, there are some areas where ‘agencies’ and ‘organisations’ are treated differently. For example, organisations must only collect personal information reasonably necessary for their functions and activities, whereas agencies also have the right to collect information ‘directly related to’ their functions and activities.[3]
The APPs are more closely based on the NPPs, so the changes will be more extensive for the public sector. The APPs do however include a number of changes that private sector organisations should be aware of, including some of those discussed in this update.
Direct marketing
APP 7 is a new direct marketing principle, but will not apply to the extent that the Spam Act or the Do Not Call Register Act apply. APP 7 is expressed to apply to organisations rather than agencies; however, agencies may need to comply in relation to their commercial activities by virtue of the existing section 7A of the Privacy Act.
Where the direct marketing involves a use or disclosure of sensitive information, consent will be required.
For other personal information:
- consent will only be required if it is reasonably practical to obtain it and either the information was collected from a third party or the individual would not reasonably expect the direct marketing
- organisations must give individuals the ability to opt out, and
- individuals must not have previously opted out.
An exception is provided for contracted service providers to Federal government agencies.
In all cases individuals will have the right to:
- request the source of their personal information
- opt out of receiving direct marketing communications from the organisation, and
- opt out of disclosure of their personal information for third party marketing.
Cross-border disclosure
Under the proposed APP 8.1, an entity that discloses personal information to a recipient outside of Australia will be required to take ‘such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs’. The government has indicated that in practice this will often involve entering into a contractual relationship with the overseas recipient.[4]
Under the new cross-border disclosure regime in the Bill, Australian entities that disclose personal information to overseas recipients will generally be liable for privacy breaches committed by those recipients—although the Australian entities may have recourse through their contracts. As the government acknowledges, this reflects a shift away from the ‘adequacy approach’ seen in NPP 9 and the EU to an ‘accountability approach’, as adopted by APEC and Canada.[5] The government also comments that the ‘chain of accountability’ is not broken simply because an overseas recipient engages a subcontractor.[6]
There will be some exceptions to the ‘reasonable steps’ and accountability obligations. One of these is where the recipient is subject to a law or binding scheme similar to the APPs which gives appropriate enforcement rights to the individuals. Guidance from the OAIC is anticipated on this point. Notably, contractual provisions will no longer be sufficient alone to avoid accountability. Consent will also provide an exception, but must be more explicit than under NPP 9.
Some concerns have been raised in the media that the new APPs will significantly reduce the use of offshore cloud computing services. It is hard to see this being the case. While retaining data in Australia or a jurisdiction with similar laws will be more attractive in that it will overcome the accountability issue, we expect to see cloud computing customers seeking to use contractual measures to protect themselves in case they are held liable for a breach by the provider.
It should also be noted that APP 8 is not intended to apply ‘where personal information is routed through servers that may be outside Australia.’[7] Entities will however need to take reasonable steps to ensure that personal information routed outside Australia is not accessed by overseas recipients, as this will be considered disclosure.[8]
Privacy policies and notices
The Bill confirms that the requirements for privacy policies and notices will be expanded to require additional details, which are set out in the accompanying table (not reproduced here).
Any entities that rely on physical copies of their privacy policies, and on printed forms and other materials containing privacy notices, may need to commence reviewing their materials soon after the Bill is passed to ensure that they are able to print and distribute new materials within the 9-month grace period.
Credit reporting
The current Privacy Act credit reporting regime is significantly overhauled in the Bill. As foreshadowed, the new approach is a move towards ‘more comprehensive’ credit reporting, allowing credit reporting agencies to record five new ‘positive’ data sets, such as account opening/closing dates, in addition to previous ‘negative’ indicators such as payment defaults.
One of the new data sets, repayment history, will only be available to regulated National Consumer Credit Protection Act lenders who are subject to responsible lending obligations. This will tend to exclude some other credit providers such as utilities who offer services on a ‘post-paid’ basis.
The amendments have been considerably redrafted since a Senate Committee reported on the exposure draft last year.[9]
A parallel process of redrafting the Credit Reporting Code of Conduct is also under way, with an issues paper having been released in March.[10]
Enforcement – penalties up to $1.1 million
The Bill sets out a number of new enforcement powers and functions for the Commissioner which had been flagged by the government but not documented in this form until today. The new functions and powers include the ability to:
- accept written undertakings that may then be enforced in court
- seek civil penalties of up to $1.1 million for serious or repeated breaches, or for certain credit reporting breaches
- require Federal government agencies to conduct privacy impact assessments
- undertake privacy performance assessments, and
- recognise external dispute resolution schemes.