On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) was introduced into the Australian Parliament. Described by Attorney-General Nicola Roxon as "one of the most significant developments in privacy reform"[1] since the introduction of the Privacy Act 1988 (the Act), the Bill seeks to modernise Australia's privacy protection framework and to provide greater control to consumers over the manner in which organisations use their personal information.
Personal information is any information which is capable of identifying an individual.
What Does the Bill Propose?
Unified Australian Privacy Principles
The Bill proposes the introduction of Australian Privacy Principles (APPs). These will combine and replace the current National Privacy Principles (which apply to the private sector) and Information Privacy Principles (which apply to the public sector). The APPs will continue to cover the collection, storage, security, use, disclosure, access and correction of personal information acquired by an "organisation"[2]. However, the key change is that the APPs will now apply to both the private and public sectors, save to a limited extent[3].
The APPs will apply to a range of small businesses including those conducting business in the financial services and gambling sectors. Under s6E of the Act, the Act applies to a small business operator that is also a reporting entity, as if it were an "organisation", and therefore an entity to which the APPs apply. However, those small businesses that are not reporting entities will continue to be exempt.
Direct Marketing - Specific Principle
A new privacy principle dealing specifically with direct marketing (APP 7) will be introduced. 'Direct marketing' is the promotion and sale of goods and services directly to both new, unsolicited customers and to existing customers. Within the context of the APPs, direct marketing might include compiling a list of potential customers' names and contact details from publicly available sources, often without their knowledge, or communications designed to let customers know about new products or services, using previously collected personal information such as customer preferences.[4]
The principle is therefore based on the presumption that an organisation which holds any personal information about an individual must not use or disclose the information for the purpose of direct marketing (APP 7.1). Various exceptions to this principle will be set out in APP 7.2.
APP 7.2 will allow organisations to use or disclose personal information (other than sensitive information) for the purpose of direct marketing only if all of the following criteria are met:
- the organisation must collect the information from the individual; and
- the individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and
- the organisation provides a simple means for the individual to make a request to opt-out from receiving direct marketing communications from the organisation; and
- the individual has not made an opt-out request to the organisation.
An exception also exists to allow the use or disclosure of sensitive information (e.g. health information, genetic information, political opinions, racial or ethnic origins) about an individual for the purposes of direct marketing. However, this requires actual consent from the relevant individual to the use or disclosure.
Reflecting the Bill's objective to provide consumers with greater power to protect their personal information, APP 7.6 provides that, if personal information is used or disclosed about an individual for the purpose of direct marketing, that individual should have the ability to request the organisation:
- to refrain from using or disclosing the information; and
- to provide the source of the information.
Cross-Border Disclosure of Personal Information
Stronger protections will also be introduced in respect of personal information which is disclosed overseas. APP 8 covers cross-border disclosures of personal information. An Australian entity will be required to take reasonable steps to ensure that an overseas recipient does not breach the APPs, before providing the overseas entity with personal information about an individual.
Greater Powers for the Australian Privacy Commissioner
The powers of the Australian Information Commissioner will also be expanded to improve the Commissioner's ability to resolve complaints, conduct investigations and promote privacy compliance. In particular, the Commissioner will now be able to make a determination to direct an organisation to take specific steps to stop conduct in breach of the APPs, obtain enforceable undertakings from an organisation and most importantly, apply to a court for a civil penalty order against organisations which can, for a company, range from $110,000 up to $1.1 million for serious and repeated breaches of privacy.
'Modernisation' of Credit Reporting Arrangements
Credit reporting arrangements must now enable consumers to access and correct their personal credit information, as well as make more information available to businesses and credit providers on request, such as the types of accounts opened and closed, current credit limits and positive information about repayment history, such as when a credit card was paid off on time. However, this is of course subject to the protections of the new, stringent privacy and credit reporting principles. For example, repayment history will only be retained for a rolling two-year period (unlike the five-year period for most other information) and, importantly, that information will only be available to credit providers who are subject to the responsible lending obligations of the National Consumer Credit Protection Act 2009.
What Does This All Mean?
The introduction of specific principles dealing with direct marketing will shift the balance of power to consumers. Companies involved in direct marketing must now provide a clear, simple method that allows consumers to opt out of receiving direct marketing materials. The APPs will require all organisations and companies covered by the Act that use or disclose personal information to develop detailed privacy policies and make them clearer and more accessible to consumers. Further, because individuals will be able to request that an organisation confirm how their personal information was sourced, organisations must keep more detailed, accurate and current records of how personal information was obtained.
If enacted, the Bill will have significant ramifications for many organisations. As a result, most entities will need to review and update their privacy policies and develop more stringent and extensive procedures for collecting, storing and recording both the source of personal information obtained, and the information
Further, stronger restrictions relating to the transfer overseas of personal information will add to the management and monitoring costs involved. Relevant parties must now take reasonable steps to ensure that any overseas recipient of the personal information they have collected does not breach the APPs. Importantly, the Australian entity will continue to be accountable for information sent overseas and therefore will remain liable for breaches of the APPs by the overseas recipient.
The modernisation of the credit reporting regime will have both positive and negative ramifications. The new provisions appear to be more flexible and allow consumers greater access to check and correct their credit information. On the one hand, the reforms will provide banks and the credit industry in general with the information they need to conduct more accurate risk assessments, as well as enabling Australian businesses to have greater access to their potential customers' credit repayment history. On the other hand, Australian businesses and credit providers will now have positive obligations to help consumers check and correct their credit information and, unless these measures are in place, are likely to face a greater number of complaints about inaccuracies in credit information.
Despite the above proposed changes, there will remain inconsistencies. Also, Australia's privacy regime will not comply with international standards. This is generally due to the exemption for small business which has the effect that personal information collected and used by small business will remain generally outside the ambit of the Privacy Act and the APPs.
On 24 May 2012, the Bill was referred to the House of Representatives Standing Committee on Social Policy and Legal Affairs for further consideration. If enacted, the Bill will commence nine months after royal assent in order to allow industry, government agencies and organisations to review and update their privacy policies and procedures.
[1] Commonwealth, Hansard, House of Representatives, 23 May 2012, 4-6 (Nicola Roxon).
[2] An "organisation" is an individual, body corporate, partnership or any other unincorporated association or trust, which is not a "small business" – s 6 Privacy Act 1988.
[3] The APPs will not apply to small businesses with an annual turnover of less than $3 million unless the small business is a "reporting entity". "Reporting entity" has the same meaning as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which provides that a reporting entity is any person who provides a designated service. "Designated service" is then defined to be the provision of a range of financial services and gambling services (s 6 Anti-Money Laundering and Counter-Terrorism Financing Act 2006).
[4] Australian Government, Companion Guide, Australian Privacy Principles, June 2010, p 11.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.