- Californian/US privacy enforcement strategy to ensure companies comply with/implement their privacy policies
- If the strategy is applied to Australian businesses on the basis of similar laws, significant damages could be awarded for a first-time or one-off failure to comply with/implement their privacy policies
During the author's recent presentation and attendance at the International Association of Privacy Professionals' Privacy Academy in San Jose, California, it became apparent that the Californian Attorney General and the Department of Justice were considering 'ramping up' a privacy enforcement strategy (Strategy), which may spread to other US States. The Strategy uses the Californian state and the US federal 'misleading or deceptive conduct' or unfair trade laws, similar to Section 18 of the Australian Consumer Law (ACL), to 'prosecute' those companies operating in California that do not implement or comply with their own privacy policies.
The previous US experience
Implications for Australian business v current situation
Even though the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill) currently before the Australian Parliament will, if passed, introduce fines of up to $220,000 for an individual and up to $1.1 million for an organisation for a serious invasion or repeated invasions of privacy, the Strategy will continue to be available to aggrieved individuals, giving individuals direct redress against the business.
Key practical concern
In practice, the main worry at present is that the privacy policies of many Australian businesses have not been reviewed, amended/revised or updated to accord with changed circumstances (many for more than five years). That is, they have not been reviewed and amended to reflect changes to the purposes for which the information is collected or used, the business undertaken or the arrangements for the processing of the information and/or the security measures taken by the business in respect of that information.
While the new privacy regime, if the Bill is passed, will require companies to 'maintain' their privacy policies (ie keep them up to date as a living document), any failure to implement/comply (even with an updated policy) will still lend itself to an action and potentially substantial damages under the Strategy.
What action is required now?
© DLA Piper