The Privacy Amendment (Enhancing Privacy Protection) Bill 2012
was passed on 29 November 2012 and is set to make significant
changes to Australian privacy law. From March 2014, both public
sector organisations and private businesses will face significantly
more stringent privacy requirements and the prospect of stronger
sanctions if they do not comply. All businesses collecting and/or
dealing with personal information in Australia or from Australian
residents will need to review their privacy procedures to ensure
Key changes under the new legislation are as follows:
A new unified set of Australian Privacy Principles (APPs)
replacing the current dual system of Information Privacy Principles
applicable to federal public sector organisations and National
Privacy Principles applicable to private businesses.
Stronger restrictions on direct marketing: personal information
may not be used for direct marketing unless certain requirements
are met including that the individual would reasonably expect the
business to use or disclose the information for direct marketing
purposes and that a simple "opt-out" mechanism is
New requirements in relation to cross-border data transfer
including that businesses disclosing personal information to
overseas recipients will remain liable in some circumstances for
any breaches of the APPs by the overseas recipient. Since the Bill
refers to disclosure to overseas recipients (rather than being
limited to actual data transfer overseas) there may be significant
implications for online data sharing.
compliance on an ongoing basis.
Changes to the credit reporting provisions.
Enhanced powers for the Privacy Commissioner and significant
monetary penalties for non-compliance:
Extending the Commissioner's power to conduct compliance
audits to private organisations;
Allowing the Commissioner to direct a public sector agency to
conduct a privacy impact assessment of any proposed activity which
could impact on privacy;
Power to apply to the Federal Court or Federal Magistrates
Court to compel an entity to comply with an undertakings given or
to pay compensation for breach of undertakings;
Much greater powers in relation to 'own motion
investigations' (instigated by the Commissioner rather than as
the result of a complaint). The Commissioner may order an entity to
take actions to prevent further breaches and order an entity to pay
compensation as a result of such an investigation.
New civil penalties of up to $220,000 for individuals and $1.1
million for companies for a serious or repeated interference with
the privacy of an individual.
These changes underscore an environment in which individuals are
now demanding greater privacy protection and will avail of the
Privacy Commissioner's services to ensure they receive such
protection. This position is mirrored in New Zealand where the
Government has indicated its agreement with the 2011 New Zealand
Law Commission recommendation that a new Privacy Act be put in
place to update New Zealand privacy law.
With indications that further changes recommended in the 2008
Australian Law Commission Report will be in the pipeline,
including, for example, consideration of introducing mandatory data
breach notification, now is the time for businesses to ensure that
they have strong, compliant, privacy policies and procedures in
place and mechanisms for regular review and update. Privacy is not
going away, and can in fact provide a competitive advantage well
worth investing in.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Victorian public sector bodies will need to review their data systems and security.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”