Australia: Privacy Law Changes on the Horizon
EBIT (Emerging Business, Innovation and Tax)

Introduction

Welcome to the December 2010 issue of EBIT (Emerging Business, Innovation and Tax). In this edition we feature three articles from our Technology, Media & Telecommunications and Competition & Consumer Law group regarding impending changes to the privacy landscape in Australia, SPAM - the risk of non-compliance, and the use of Facebook, Twitter and other social media by business. We also:

• summarise the wash-up from the Bamford decision, and what needs to be done with existing trusts
• look at good faith in commercial contracts
• revisit Division 7A and the slight softening of the ATO's stance reflected in the finalised Practice Statement, and
• review the latest decision from the NSW Supreme Court regarding restraint clauses.

Privacy Law Changes on the Horizon

The privacy landscape in Australia is changing. Your business needs to ensure that its policies and procedures reflect these changes.

The collection, storage, use and disclosure of "personal information" is regulated under the Privacy Act 1988 (Cth) (Act) (for the private sector and the Commonwealth public sector) and corresponding state legislation (for the relevant state public sector). Personal information is essentially information about an individual whose identity is apparent or can be reasonably ascertained from that information. The Act provides 10 National Privacy Principles (NPPs) that regulate how personal information is to be handled by private sector organisations.

Currently under the Act, an organisation with an annual turnover of $3 million or less is generally exempt from the requirements of the Act. Although many businesses will not fall within the ambit of the current Act, most businesses strive to adhere to the requirements of the Act.

In August 2008, the Australian Law Reform Commission (ALRC) released a report outlining its findings of an inquiry into the Act and recommended various reforms to improve Australia's privacy framework. The report contained 295 recommendations. These included national harmonisation of privacy laws in Australia with a single set of privacy principles to apply to both the private and public sector. The report also recommended that the credit reporting regime be expanded and that the current exemptions be removed, thus increasing the scope of the Act. Such exemptions include the small business exemption (noted above) and an exemption for employee records.

The Commonwealth Government initially proposed a response to the report consisting of 2 stages. Stage 1 of the changes would be implemented by amendments to the Act within 12 to 18 months, with no timeframe proposed for Stage 2 of the changes.

Stage 1

In June this year, an exposure draft of the proposed Stage 1 changes was released. The draft legislation provides 13 new Australian Privacy Principles (APPs) that are to replace the NPPs and the Information Privacy Principles that apply to Commonwealth public sector agencies. The APPs largely address the issues contained in the current NPPs but also expand the obligations on businesses, particularly in the areas of privacy policies, offshore activities and direct marketing.

Privacy policies and notices

The APPs will increase the notification requirements for the collection, use and disclosure of personal information. Businesses will need to ensure that an individual is aware of how and why their personal information will be collected and dealt with, at the time of collection. In particular, privacy policies will need to include the details of the complaint process for dealing with interferences with privacy. Such policies will also need to outline details of any possible cross-border disclosures and how individuals can access and rectify their information. Privacy collection notices for businesses will also need to provide these details.

Offshore activities and outsourcing

The APPs strengthen the provisions relating to cross-border data flows. The new provision clarifies that a cross-border 'disclosure', rather than 'transfer' is restricted. Such 'disclosure' is not intended to capture situations where personal information is merely routed through servers that are not located in Australia. The Australian entity will need to take reasonable steps to ensure that the offshore third party does not breach the APPs. The APP provides that businesses will remain accountable for any disclosure of personal information outside Australia, unless an exception applies. Exceptions include circumstances where the individual has consented or where the Australian entity reasonable believed that the offshore entity was subject to similar laws that would protect the personal information.

Direct marketing

The proposed APPs also increase the restrictions on businesses that collect, use or disclose personal information as part of direct marketing. Under the APPs, if an organisation has obtained personal information from an individual, it may use the information for direct marketing where the individual would reasonably expect the organisation to use the information for that purpose. However, the organisation must also provide a simple means for the person to 'opt-out' of receiving such marketing from the organisation. Where the individual would not expect that his or her personal information would be used for direct marketing, or the information was collected from a third party, the organisation will be required to obtain the individual's consent to the use or disclosure, unless it is impractical to do so, and will need to prominently draw the individual's attention to an opt-out feature. Under the new APPs, individuals will also be able to request not to receive direct marketing and may also request the source of the marketing.

These changes move the Act closer to the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth) but will not apply to the extent that the conduct is otherwise captured under those Acts.

Stage 2

Importantly, the small business exemption will remain at this stage. However, the Government will continue to consider whether such exemption should be retained in the second stage of the response to the ALRC report.

Stage 2 of the Government's response to the ALRC report will consider the remaining recommendations of the report, including the creation of a privacy right for individuals and mandatory obligations to notify affected individuals of serious data breaches.

Although the draft legislation has not yet been enacted, businesses need to prepare by reviewing their privacy policies and notices to ensure compliance once the new laws are in force.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.