The changes to the Privacy Act 1988 (Cth), including the introduction of the new Australian Privacy Principles (APPs), significantly increase the obligations imposed on an offshore parent or related entity that collects or deals with personal information from Australian residents (ie employees) in connection with managing employee share incentive plans (Plans).
When the reforms become effective on 12 March 2014, many of the current practices of overseas entities that offer Australian employees the ability to participate in Plans will not, for information collected from 12 March 2014, be compliant with Australian privacy law and will need to be changed.
SIGNIFICANT NEW ATTITUDE AND TEETH FOR REGULATOR: NEW PENALTIES AND INCREASED POWERS
From 12 March 2014:
- the functions and powers of the Privacy Commissioner (the relevant government regulator) are significantly enhanced;
- the existing National Privacy Principles (NPPs), currently applicable to the private sector, are replaced with the new APPs which are applicable to both the public and private sectors; and
- for the first time in Australia, significant monetary penalties for both serious and repeated invasions of privacy (ie breaches of the Privacy Act/APPs) are available.
The Privacy Commissioner's increased powers under the APPs enable the regulator to, among other things:
- seek civil penalties (up to A$340,000 for an individual and A$1.7 million for a company) in cases where there is either a serious interference or repeated interferences with an individual's privacy;
- audit the handling of personal information by the private sector;
- investigate compliance of an organisation with the APPs on its own motion (ie no complaint is required in order to investigate); and
- make determinations following all investigations (ie even if the investigation is an "own motion" investigation) and apply to the Federal Court of Australia or Federal Magistrates Court to enforce such determinations.
However, the most significant "change" introduced by the amendments to the Privacy Act and the new APPs is the shift in the Privacy Commissioner's approach and attitude (together with the increased and new powers) to that of a more aggressive regulator, keen to exercise the new powers and to police and enforce the provisions of the Privacy Act and the APPs!
Soon after the passing of the amendments and the new APPs, the Privacy Commissioner (Mr Timothy Pilgrim), in response to questions about the Privacy Commissioner's new and extended powers and the new significant fines for serious or repeated invasions of privacy, clearly flagged his future intentions by stating:
"From the commencement of the new laws, I will be able to accept enforceable undertakings and seek civil penalties … I will not shy away from using these powers in appropriate cases."
This new or re-invigorated attitude is also evident in the flurry of recent guidance documents issued by the Office of the Australian Information Commissioner (under which the Privacy Commissioner sits). These guidance documents remind us of existing obligations and the fact that many of these obligations will be the subject of a renewed focus going forward, in addition to reminding us of the new obligations applicable from 12 March 2014.
CURRENT PRACTICES AND THE EMPLOYEE RECORDS EXEMPTION
Many overseas entities that offer Australian employees the ability to participate in their Plans have relied on the local Australian subsidiary employer to collect the required information from its employees and to then forward this information on to the overseas entity, with minimal wording in the plan documentation and no additional privacy processes or policy in place in respect of the personal information provided by the employees.
This approach is based on the "employee records" exemption under the Privacy Act (which is continued, for the time being, under the revised law from 12 March 2014), whereby employment-related personal information collected and disclosed by an employer from/about its employee for employment-related purposes is exempt from the provisions of the Privacy Act. However, there are concerns as to whether employees' personal information collected in connection with overseas Plans is collected for an employment-related activity of the employer. Certainly, the exemption does not apply where the overseas entity collects this information directly. In practice, these possible problems are currently often overlooked.
From 12 March 2014, however, there will be a significantly increased focus on "black letter" compliance with the Privacy Act and APPs and any privacy "workarounds" in place or shortcomings previously overlooked will now need to be revisited.
WHAT ARE THE MAIN CHANGES THAT OVERSEAS ENTITIES THAT OPERATE PLANS NEED TO PREPARE FOR?
While the APPs in many ways mirror the current NPPs, there are some changes introduced by the amendment to the Privacy Act and the new APPs including, most relevantly for overseas entities offering Plans into Australia:
- the kinds of personal information the business collects and the purpose(s) for which it collects the information (and how it collects and holds that information);
- how an individual can access his/her personal information held by the business (and how they can have the information corrected, if necessary);
- whether the business is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (and whether such countries have appropriate privacy protections); and
- how the individual may complain about a breach of the APPs (and what the business will do to address such complaints).
Businesses also need to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs.
- Cross-border data transfers (continuing liability for offshore incidents)
In a change from the current NPPs, the APPs generally permit cross-border disclosure of personal information if reasonable steps are taken to ensure the overseas recipient will comply with the APPs. However, if a business discloses personal information to an overseas recipient, it will remain liable for any breaches of the APPs by the overseas recipient of that information (as if the sending organisation itself had committed those breaches).
Businesses can minimise this continuing liability for personal information sent out of Australia by obtaining the individual's "informed consent" to disclose his/her personal information to an overseas recipient. However, the current wording that most organisations use to allow cross-border transfers will not comply with the new requirements of the APPs.
This will be relevant to overseas entities that directly collect and further disclose the information of the Australian employees (eg to a third party service provider). It will also be relevant to the Australian subsidiary employer that collects this personal information and then discloses/transfers it to its overseas parent entity.
- Re-invigorated focus on obligations and enforcement (current practical "workarounds" need to be reconsidered)
In addition, where the overseas entity collects the information via its local subsidiary that employs the Australian employees, we caution that this approach will need to be reconsidered in each specific circumstance to ensure that processes are implemented by the Australian subsidiary in order to benefit from the employee records exemption, if applicable.
WHAT THOSE OVERSEAS ENTITIES THAT OPERATE PLANS CAN DO NOW!
The main steps that overseas entities that operate Plans should be taking now include:
- (i) examining and determining in respect of their Australian employees:
- what personal information needs to be collected, how it will be collected (and from whom – the individual or the local group entity) and the purpose(s) for which the information is being collected;
- whether their current internal practices with respect to the handling of that personal information (including security measures) are compliant with the APPs; and
- (ii) implementing APP-compliant processes, policies and documentation/relevant clauses for Plan documentation to address the findings from the gap analysis resulting from (i) above.