The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed on 29 November 2012 and is set to make significant changes to Australian privacy law. From March 2014, both public sector organisations and private businesses will face significantly more stringent privacy requirements and the prospect of stronger sanctions if they do not comply. All businesses collecting and/or dealing with personal information in Australia or from Australian residents will need to review their privacy procedures to ensure compliance.

Key changes under the new legislation are as follows:

  • A new unified set of Australian Privacy Principles (APPs) replacing the current dual system of Information Privacy Principles applicable to federal public sector organisations and National Privacy Principles applicable to private businesses.
  • Stronger restrictions on direct marketing: personal information may not be used for direct marketing unless certain requirements are met including that the individual would reasonably expect the business to use or disclose the information for direct marketing purposes and that a simple "opt-out" mechanism is provided.
  • New requirements in relation to cross-border data transfer including that businesses disclosing personal information to overseas recipients will remain liable in some circumstances for any breaches of the APPs by the overseas recipient. Since the Bill refers to disclosure to overseas recipients (rather than being limited to actual data transfer overseas) there may be significant implications for online data sharing.
  • Requirements to actively maintain a privacy policy and ensure compliance on an ongoing basis.
  • Changes to the credit reporting provisions.
  • Enhanced powers for the Privacy Commissioner and significant monetary penalties for non-compliance:
    • Extending the Commissioner's power to conduct compliance audits to private organisations;
    • Allowing the Commissioner to direct a public sector agency to conduct a privacy impact assessment of any proposed activity which could impact on privacy;
    • Power to apply to the Federal Court or Federal Magistrates Court to compel an entity to comply with an undertaking given, or to pay compensation for breach of an undertaking;
    • Much greater powers in relation to 'own motion investigations' (instigated by the Commissioner rather than as the result of a complaint). The Commissioner may order an entity to take actions to prevent further breaches and order an entity to pay compensation as a result of such an investigation.
    • New civil penalties of up to $220,000 for individuals and $1.1 million for companies for a serious or repeated interference with the privacy of an individual.

These changes underscore an environment in which individuals are now demanding greater privacy protection and will avail themselves of the Privacy Commissioner's services to ensure they receive such protection. This position is mirrored in New Zealand, where the Government has indicated its agreement with the 2011 New Zealand Law Commission recommendation that a new Privacy Act be put in place to update New Zealand privacy law.

With indications that further changes recommended in the 2008 Australian Law Commission Report will be in the pipeline, including, for example, consideration of introducing mandatory data breach notification, now is the time for businesses to ensure that they have strong, compliant, privacy policies and procedures in place and mechanisms for regular review and update. Privacy is not going away, and can in fact provide a competitive advantage well worth investing in.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.