The Federal Government will soon introduce into Parliament major legislative reforms to the Privacy Act 1988 (Cth) (Privacy Act), according to an announcement made by the Attorney-General, Nicola Roxon during Privacy Awareness Week earlier this month.
The Attorney-General emphasised that the reforms will include changes intended to benefit consumers, including changes to:
- Strengthen protections for personal information
- Enhance the powers of the Australian Privacy Commissioner
- Modernise credit reporting arrangements.
The announcement acknowledged that the reforms represent 'the culmination of an extensive consultation process'. Most recently, that process saw the release of reports and recommendations last year by the Senate Finance and Public Administration Committee (Committee) on exposure drafts of amendments relating to:
- Credit reporting
- The replacement of the existing National Privacy Principles (NPPs) and the Information Privacy Principles with a single set of principles applicable to both the public and private sectors (the Australian Privacy Principles or APPs).
The reform process stalled somewhat following the Australian Law Reform Commission's (ALRC's) release of the proposed new APPs in 2008. We waited to see the extent to which the Federal Government (Government) would adopt the recommendations and what the final legislation would look like. The recent announcement that the legislation will be introduced in Parliament this winter suggests we may soon see these suggested reforms put into effect.
What does this mean?
Stronger protection for personal information
The announcement highlights a number of changes, which were previously reflected in the exposure draft of the APPs:
- Tighter regulation of the use of personal information for direct marketing. NPP 2 currently allows organisations to use personal information that is not sensitive information for the secondary purpose of direct marketing, subject to certain conditions. The draft APP 7 provides additional conditions that will apply, regardless of whether the information is collected for the primary or the secondary purpose of direct marketing. However, it is not clear whether APP 7 will be introduced in its current form, given that the Committee has raised concerns that its complex structure may undermine its effectiveness.
- Extension of privacy protection to unsolicited information. NPP 1 provides that an organisation that collects information about an individual from someone else must take reasonable steps to make the individual aware of certain matters, but does not specifically mention obligations that apply when an organisation receives unsolicited personal information. APP 4 is intended to ensure that unsolicited personal information is also protected. The Committee, overall, was supportive of this principle, but required further clarification of the term 'no longer personal information' in order for the aims of the principle to be achieved.
- Tighter rules for sending personal information outside Australia. NPP 9 outlines the circumstances in which a private sector organisation (other than exempted small business operators) can currently transfer personal information offshore. The draft form of APP 8 represents a significantly revised principle, which would apply also to Government agencies. It is the subject of five of the Committee's recommendations, which sought further clarification, most notably in relation to the extra-territorial provisions that would impose potential liability on entities that disclose personal information to overseas recipients.
Enhanced powers of the Australian Privacy
In a follow-up announcement, the Australian Privacy Commissioner stated that the proposed reforms will enable it to:
- Seek civil penalties in cases where there is a serious or repeated interference with the privacy of an individual
- Audit the handling of personal information by private sector organisations
- Accept written undertakings from organisations that will be enforceable in court
- Make determinations following all investigations (ie even if the investigation is an 'own motion' investigation).
Modernisation of credit reporting arrangements
The announcement flags that consumers will also benefit from changes to credit reporting arrangements, which include:
- Imposing clear obligations that require organisations to substantiate or justify disputed credit ratings
- Improving rights to access and correct credit reporting information
- Banning the collection of credit reporting information about children
- Simplifying the complaints process and introducing alternative dispute resolution.
We still do not know whether and to what extent the Government will fully adopt the recommendations of the ALRC and the Senate Committee or how much the new legislation will resemble the exposure drafts released to date, but expect all will be revealed soon.
The issue of privacy reform is popular throughout the region, with Korea's new law recently coming into effect and Singapore expected to introduce its first national privacy law this year. Also, significant reforms are expected in Hong Kong in July. In Australia, we expect that the Attorney-General's announcement will reignite our reform process. Further, the timing for implementation of proposed APPs, which are to replace the current principles that apply different rules to Government and private sector organisations, is still not known.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com