The long awaited privacy enhancing protection bill, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill), was passed by Federal Parliament on 29 November 2012.

Businesses will have 15 months to review their existing arrangements to ensure compliance with the new reforms.

The key privacy reforms implemented by the legislation are:

  • New Australian Privacy Principles (APPs). These principles affect existing practices with respect to data handling, privacy policies, direct marketing, the scope of the legislation due to a new definition of personal information, cross border transfer and disclosure of personal information, correction of personal information and unsolicited personal information. The APPs will now also apply to certain foreign organisations which were not previously captured.  The APPs are a single set of privacy principles, (which replace the old Information Privacy Principles and National Privacy Principles), and apply to Commonwealth agencies and private sector organisations.
  • New powers for the Australian Privacy Commissioner. The Privacy Commissioner now has the power to conduct privacy assessments, privacy impact assessments and investigations and to accept enforceable undertakings. Civil penalties ranging from $110,000 to $1.1 million may also be imposed by a court if a business commits a serious or repeated interference with an individual's privacy.
  • New credit reporting provisions. The key reforms include the introduction of positive credit reporting, changes to data retention obligations, the introduction of specific rules relating to pre-screening of credit offers and freezing access to personal information where there has been fraud and additional consumer protections from enhanced obligations relating to data quality, access, correction and complaints.

In June, we provided detailed analysis of the major reforms in the Bill to the existing Privacy Act 1988 (Cth) (the Privacy Act) (see alert). Please let us know if you have any questions about how these reforms will affect your business.

In this alert, we set out the key amendments to the Bill which have been implemented as part of the final legislation.

Summary of the amendments

During the Senate readings:

  • the government moved for 40 amendments to the Bill in Schedules 1 (Australian Privacy Principles), 2 (Credit Reporting) and 4 (Other amendments of the Privacy Act 1988).  These amendments were largely based on recommendations from the Senate Legal and Constitutional Affairs Legislation Committee's report into the Bill (tabled 26 September 2012);
  • the Greens moved for 3 amendments to the Bill with respect to Schedule 2 (Credit Reporting); and
  • the Coalition, the Nationals and the Greens moved for 1 amendment to the Bill with respect to Schedule 2 (Credit Reporting).

All 40 amendments from the government and 1 amendment from the Greens were included in the final version of the Bill which was passed.

Key amendments

Commencement

Businesses now have 15 months (from the day after the Bill receives Royal Assent), rather than 9 months, to review and update their information-handling practices before the new regime comes into effect.

Australian Privacy Principles

No substantive amendments were made to the proposed Australian Privacy Principles which we covered in our previous alert.

This extended period will also allow time for the Office of the Australian Information Commissioner (OAIC) to develop relevant guidelines and the Credit Reporting Code of Conduct (CR Code) to assist industry to implement the new regime.

Credit reporting provisions

The credit reporting provisions apply to credit providers (CPs), credit reporting bodies (CR bodies) (currently credit reporting agencies), and 'affected information recipients'. The amendments to the Bill mainly affect the provisions relating to CPs and as such this is where we have concentrated our analysis.

  • Cross border disclosure. The Bill originally prohibited the disclosure by CPs of credit reporting information to a foreign entity unless the recipient had an "Australian link."  “Australian link” is defined in the Bill as an organisation or small business operator:
    • that has a continued presence in Australia that is not subject to a limitation as to time imposed by law, or a partnership formed in Australia or an external Territory, or a trust created in Australia or an external Territory, or a body corporate incorporated in Australia or an external Territory, or an unincorporated association that has its central management and control in Australia or an external Territory; or
    • none of the above apply and the organisation carries on business in Australia or an external Territory and the personal information was collected or held by the organisation in Australia or an external Territory, either before or at the time of the act or practice.

A number of references to the requirement for an "Australian link" have been removed to ensure that CPs can continue to engage in certain cross-border disclosures with respect to credit eligibility information, such as those that are currently permitted under the Privacy Act.

Following these amendments, a CP may disclose credit eligibility information about an individual to:

  • a related body corporate of the CP which does not have an Australian link (21G(3)(b)); and
  • a debt collector who does not have an Australian link (21M).

In addition, a credit manager without an Australian link may now process an application for credit as well as manage credit provided by a CP (21G(3)(c)).

A new provision (21NA) has been added which provides that an Australian CP remains responsible for the acts or practices of any overseas entity to which the Australian CP discloses credit eligibility information.  21A will apply to disclosures under paragraph 21G(3)(b) or (c) where the recipient does not have an Australian link.

  • Content of credit provider’s privacy policy. Where a CP is likely to disclose credit information or credit eligibility information to an entity without an Australian link, 21B will require the CP to include in its privacy .policy a statement that the provider is likely to disclose credit eligibility information to an entity that does not have an Australian link and, where this is likely to occur, the countries in which those entities are likely to be located if it is practicable to specify those countries.

In practice, CPs may continue to disclose credit eligibility information to certain offshore entities who are not CPs as is currently permitted under the Privacy Act.

However, where an offshore entity is also a CP, CPs should review their disclosure arrangements with those entities to ensure the CP is compliant with the Privacy Act. As part of this, CPs may need to consider entering into new arrangements with entities with an "Australian link."

CPs should be aware of their now overarching liability for offshore entities as well as their extra obligations with respect to notifying individuals of such offshore arrangements when reviewing any existing arrangements and entering into new arrangements.

Powers of the Australian Privacy Commissioner

Civil penalty order for multiple contraventions. A court is now required to take into account in determining the amount of a multiple contravention civil penalty order the same matters as it does when determining a civil penalty order for a single contravention.

Specifically, these matters are:

  1. the nature and extent of the contravention; and
  2. the nature and extent of any loss or damage suffered because of the contravention; and
  3. the circumstances in which the contravention took place; and
  4. whether the entity has previously been found by a court in proceedings under the Privacy Act to have engaged in any similar conduct.