3 November 2012

Developing US privacy trend that will soon impact Australian businesses

In the US, significant damages can be awarded for failure to comply with or implement privacy policies.

Key points

  • Californian/US privacy enforcement strategy to ensure companies comply with/implement their privacy policies
  • If strategy is applied to Australian businesses on basis of similar laws, significant damages could be awarded for a first time or one–off failure to comply with/implement their privacy policies
  • Review your current practices and existing privacy policy to ensure you have implemented and are complying with your privacy policy

Background

During the author's recent presentation and attendance at the International Association of Privacy Professionals' Privacy Academy in San Jose, California, it became apparent that the Californian Attorney General and the Department of Justice were considering 'ramping up' a privacy enforcement strategy (Strategy), which may spread to other US States. The Strategy uses the Californian state and the US federal 'misleading or deceptive conduct' or unfair trade laws, similar to Section 18 of the Australian Consumer Law (ACL), to 'prosecute' those companies operating in California that do not implement or comply with their own privacy policies.

While this Strategy has occasionally been considered in Australia under the old Trade Practices Act 1975 (Cth) provisions, it has to date not been actively and vigorously pursued in Australia by the relevant regulators or by individuals. However, based on the presentation by a representative of California's Department of Justice and a talk by a senior member of the California Attorney General's Office, it seems that the Strategy may now be aggressively pursued, in the state of California at least, in order to ensure that companies doing business in California actually do what they say they will do in their privacy policy.

Given the similarities with the 'misleading or deceptive conduct'/unfair trade provisions in Australian law and the expectation that use of the Strategy in California will soon become widely known to Australian regulators and individuals, we believe it is only a question of time before the Australian Competition and Consumer Commission (ACCC) and/or individuals (and possibly business competitors) in Australia start to take action for misleading or deceptive conduct under Section 18 of the ACL where a company carrying on business in Australia does not implement/comply with its privacy policy.

The previous US experience

Some of the early US federal cases have involved consideration of the statement in a company's privacy policy that it takes 'reasonable measures' to protect the security of the information provided to it (a common term in Australian privacy policies). Where information has been hacked or leaked and an investigation of the security measures actually taken by that company revealed that they were not 'reasonable' in the context of the (then) current industry practice, US courts have found this statement to be unfair/misleading and therefore actionable.

Implications for Australian business v current situation

In Australia, the Strategy could be used to maintain an action in respect of any failure by a business to implement/comply with the provisions of its privacy policy. For example, in addition to the 'reasonable security measures' representation, statements such as 'we do not share your information' (if it turns out that you do), 'we do not use your information for marketing purposes' (if it turns out that you do) etc will be actionable. The implementation of the Strategy could also be fuelled by the recently proposed move to mandatory breach notification for data breaches in Australia.

A contravention of the prohibition on misleading or deceptive conduct in Section 18 of the ACL is subject to remedies including injunctions, damages and compensatory orders. Using the Strategy will enable aggrieved individuals to seek damages for the harm caused by the business's breach of Section 18 of the ACL. These damages could include any economic loss resulting from the breach, such as losses suffered from losing an opportunity (or chance). An example is the loss of a prospective employment opportunity due to disclosure of one's personal information in circumstances where the promises/representations in the privacy policy were not actually implemented.

Even though the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill) currently before the Australian Parliament will, if passed, introduce fines of up to $220,000 for an individual and up to $1.1 million for an organisation for a serious invasion or repeated invasions of privacy, the Strategy will continue to be available to aggrieved individuals, giving individuals direct redress against the business.

The concern for business if the Strategy does take off in Australia is that, whereas currently no penalties exist and even under the Bill (if passed) penalties will only apply to serious or repeated invasions of privacy, the Strategy may result in significant damages (including for lost opportunity/chance) being awarded against the business for a first time or one–off (and likely considered by the business as a 'minor') failure to implement/comply with its privacy policy.

Key practical concern

In practice, the main worry at present is that the privacy policies of many Australian businesses have not been reviewed, amended/revised or updated to accord with changed circumstances (many for in excess of five years). That is, they have not been reviewed and amended to reflect changes to the purposes for which the information is collected or used, the business undertaken, the arrangements for the processing of the information and/or the security measures taken by the business in respect of that information.

While the new privacy regime, if the Bill is passed, will require companies to 'maintain' their privacy policies (ie keep them up to date as a living document), any failure to implement/comply (even with an updated policy) will still lend itself to an action and potentially substantial damages under the Strategy.

What action is required now?

In a previous update dealing with the amendments proposed in the Bill, we suggested that you consider reviewing your privacy policy and processes and update them now in order to be ready for the new law. However, given the likelihood that the Strategy may soon come to Australia, we now advise that you urgently consider/audit your current practices and existing privacy policy to ensure that your policy is reflective of your current circumstances, business purposes and processes and your security arrangements in order to minimise the risk of an action for misleading or deceptive conduct under the ACL as a result of any failure by your business to implement or comply with its privacy policy.

Please do not hesitate to contact us if we can assist with this review/audit of your current practices and your privacy policy.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
