This week, the Australian Parliament passed the long-awaited amendments to the Privacy Act 1988 (Cwlth), the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Amending Bill).
The Bill was introduced into the House of Representatives in May this year, and was passed by the Senate on 27 November with 41 amendments resulting from the Senate Legal and Constitutional Affairs Legislation Committee report of September 2012. 40 of these changes came from the Government, and the one Greens amendment was successful.
The House agreed to the Senate’s amendments and the Bill passed Parliament on 29 November 2012. While the amendments from the Bill as originally introduced (Original Bill) are largely mechanistic or minor, four important amendments were made.
The Original Bill was scheduled to take effect 9 months after the amendments receive Royal Assent. The Amending Bill extends this to 15 months. With Royal Assent usually occurring within two weeks of Bills passing, the Amending Bill is expected to take effect in March 2014.
The Explanatory Memorandum states that this extension of time was to allow agencies and organisations greater time to prepare, and to provide the Privacy Commissioner more time to develop relevant guidelines and to develop, approve and register a Credit Reporting Code of Conduct (CR Code).
Currently, credit providers are able to make various disclosures to offshore entities, including call centres and data processing and storage facilities. The Original Bill, however, only permitted disclosure to offshore bodies if those bodies had an Australian link.
The Government stated that it was not its intention to restrict credit providers' disclosures of information in ways that the current Privacy Act does not. As a result, the Australian link requirement has been removed from amendments that concern disclosures to related bodies corporate, agents, credit managers and debt collectors.
The Amending Bill introduces a complementary requirement that the privacy policies of credit providers must include information concerning whether the provider is likely to disclose information to an entity that does not have an Australian link, and if so, the countries in which those entities are likely to be located (if possible).
Liability for foreign entities
As a result of removing the Australian link requirement, the Amending Bill introduces provisions similar to clause 16C of the Original Bill in relation to credit providers who disclose information overseas. Section 21NA will make the credit provider liable for acts done or practices engaged in by an entity without an Australian link if the provider has disclosed credit eligibility information to that entity. Unlike clause 16C, however, there appear to be no exceptions to this rule.
The credit provider also has an obligation, before disclosing credit eligibility information to a party that does not have an Australian link, to take such steps as are reasonable in the circumstances to ensure that the body or person does not breach certain credit reporting provisions.
The Amending Bill adds mortgage insurers to the list of entities a credit reporting body may disclose repayment history information to.
The passing of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 will bring large changes to Australian privacy law, and from the point of view of resolving uncertainty, its eventual passage is welcome.
The longer lead time the Amending Bill gives will allow entities longer to prepare for the new laws, but may make internal compliance and forward privacy planning more difficult in the next 15 months.
The Amending Bill also gives credit providers the flexibility to share creditor information with companies lacking an Australian link, but at the same time, makes clear their responsibilities for acts of those companies.
This alert was prepared with the assistance of Julian Chant.