In brief: Amendments to strengthen Australia's privacy regime will create new penalties, increased requirements for procedures and disclosure, and a revamped credit reporting system and will have significant implications for most companies and government agencies. Partner Michael Pattison, Senior Associate Nathan Shepherd and Lawyers Nikki Macor and Margaret Walsh report.

How does it affect you?

  • Entities that handle personal information (which is essentially every company in Australia) will need to ensure that their privacy policies and procedures comply with the new privacy principles.
  • Any disclosure of personal information overseas will need to comply with the new regime applying to cross-border data transfers. There are no 'saving provisions' for disclosures made under existing contracts, so companies will need to check that their existing and planned offshoring arrangements and cloud computing contracts comply with the new requirements.
  • More types of information will be able to be collected by credit reporting bodies. However, those bodies will need to ensure they comply with tighter restrictions on the handling of that information.
  • Companies that engage in direct marketing will need to comply with the stricter regulation of that activity.
  • The changes are likely to come into force during the first quarter of 2013. Since the new laws will impose penalties of up to $1.1 million, companies should start planning now.

Background

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 is the culmination of a long process of law reform focused on the Privacy Act 1988 (Cth). Almost four years have elapsed since the Australian Law Reform Commission's comprehensive 2008 For Your Information report, and the recommended changes have been subject to Federal Government and Senate committee review since that time. The Bill replaces the National Privacy Principles (NPPs) and Information Privacy Principles under the Privacy Act with Australian Privacy Principles (APPs) and re-writes the credit reporting regime.

Even after that lengthy period, there are some notable reforms recommended by the ALRC that have not yet been acted upon. The Government has expressed an intention to deal with these in a 'second stage' response: these include proposals to remove certain exceptions such as the small business exception, make data breach notification mandatory, and introduce a statutory cause of action for interference with an individual's privacy. Given the delays in implementing the first stage of privacy reforms, any further amendments are unlikely to be introduced for quite some time.

Privacy protections with teeth

One of the Bill's most significant aspects is the introduction of a regime providing that if an entity engages in serious or repeated breaches of privacy (such as serious or repeated breaches of the APPs or a registered privacy code), the Commissioner may apply to the Federal Court or Federal Magistrates Court for an order that the entity pay to the Commonwealth a penalty of up to $220,000 for individuals or up to $1.1 million for corporations.

The Bill does not provide any specific guidance as to when serious or repeated breaches of privacy are likely to occur for the purposes of determining contravention. However, the broad language used in the Bill is likely to provide courts with significant latitude in construing the scope of its operation and effect. The potential impact of this new regime is further enhanced by the introduction of a new 'ancillary contravention provision' which provides that an entity contravenes a civil penalty provision in the Privacy Act if, among other things, it attempts to contravene a civil penalty provision or contributes to such contravention (eg by aiding, procuring, inducing, conspiring or being knowingly concerned in a contravention of a civil penalty provision).

Another significant matter is the introduction of a number of other criminal offences and civil penalty provisions in the new credit reporting section (see below). Under these provisions, a court may order penalties ranging from $22,000 for individuals (up to $110,000 for corporations) up to $220,000 for individuals (up to $1.1 million for corporations).

The Bill also provides the Commissioner with a number of significant new powers:

  • Audit powers: the Commissioner may conduct an assessment regarding whether personal information held by an entity is being maintained and handled in accordance with the APPs or a registered code.
  • Enforceable undertakings: the Commissioner may accept a written undertaking given by an entity that the entity will, or will not, do certain things in order to comply with the Act. These undertakings are likely to be offered as part of the resolution of an investigation into a privacy breach. Breach of such an undertaking may lead to a court ordering compensation to be paid and a court order requiring compliance with the undertaking in the future.
  • Develop and register binding privacy codes: the Commissioner may request an entity to develop a privacy code and where the entity fails to do so or the code is not registered, the Commissioner may develop and register its own privacy code.
  • Make determinations as a result of own motion investigations: the Commissioner may make determinations following investigations that the Commissioner has conducted on their own initiative.
  • Commence proceedings in the Federal Court or the Federal Magistrates Court: the Commissioner may commence proceedings for serious or repeated breaches of the APPs or registered privacy codes and for the purpose of enforcing undertakings and determinations (including, for the first time, for own motion investigations).

A key criticism of the current Privacy Act is that it fails to give the Commissioner any real power to enforce serious privacy breaches. The Bill undoubtedly alters the existing state of affairs by providing the Commissioner with a range of increased powers that will enable the Commissioner to proactively monitor, investigate and enforce breaches of the Act with the assistance of the Federal Court. As such, this Bill may mark a shift in the role of the Commissioner from one of conciliation and recommendation to one of regulatory oversight and enforcement.

Australian Privacy Principles

As mentioned above, the Bill provides for the APPs to replace the NPPs and the Information Privacy Principles, which currently apply to private sector organisations and government agencies respectively. Both organisations and agencies will now generally be referred to as 'APP entities' under the amended legislation, and the APPs will apply to both.

The APPs echo the NPPs in many respects but are structured differently, stepping through the data-handling process from the stage of planning the collection of personal information, collecting the information, using and handling it, and finally disposing of it. The most significant substantive departures the APPs take from the NPPs are summarised below.

Cross-border disclosure of personal information
The new APP 8 is arguably one of the most significant amendments to the Privacy Act, fundamentally altering the current liability regime applying to the transfer of personal information to recipients outside of Australia. Despite a number of concerns previously raised in connection with APP 8, the Government has pressed ahead with the new cross-border disclosure regime.

Under the new APP 8, an APP entity may 'disclose' (as opposed to 'transfer' in the current NPP 9) personal information to an overseas recipient, provided it takes such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to that information. However, even where the APP entity does so, the APP entity will, in certain circumstances, be deemed to be liable for any subsequent breaches of the Privacy Act committed by the overseas recipient.

The only way an APP entity can escape the effect of the deeming provision is by relying on one of the relatively narrow exceptions, namely:

  • (reasonable belief): the APP entity reasonably believes that: (i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information; and (ii) there are mechanisms that the individual can access to enforce the protection of that law or binding scheme; or
  • (consent): the APP entity expressly informs the individual that if they consent to the disclosure of the information, the requirement to take reasonable steps will not apply to the disclosure and, after being so informed, the individual consents to the disclosure.

The new APP 8 has a number of significant ramifications for Australian organisations and agencies. First, the potential interaction between deemed liability under APP 8 and the new penalties and powers of the Commissioner results in a significantly increased risk to organisations and agencies. Where entities are unable to rely on the consent or reasonable belief exceptions, they could potentially be held liable for serious or repeated breaches of privacy by the overseas recipient. Organisations will need to manage such risk through appropriate technical measures and through including appropriate contractual provisions in their contracts with overseas recipients.

Second, the reference to disclosure rather than transfer may mean that information could be disclosed to an overseas recipient by merely allowing an overseas recipient access to personal information stored in Australia. An existing offshoring arrangement that has been based on there being no transfer of personal information because the information has remained in Australia would need to be revisited in light of this change.

It is likely that the introduction of new APP 8 will be directly relevant to many organisations, given the increasing use of technology related services that have the potential to disclose and/or transfer personal information to overseas recipients (such as off-shoring and cloud computing) and the ever-increasing reliance on the immediate exchange of information through global telecommunications networks.

Privacy policies and statements
The APPs have a greater emphasis than the NPPs on open and transparent management of personal information, with the requirement to have a privacy policy relocated from NPP 5 to APP 1.

Under APP 1, entities will need to take reasonable steps in the circumstances to make privacy policies available for free, in an appropriate form or in the form requested by an individual – a note to APP 1 indicates this should generally be by way of publication on an entity's website. In addition, specific information will now be required to be included in privacy policies, most notably whether an entity is likely to disclose personal information to overseas recipients and, if so, the countries in which the recipients of that information are likely to be located (if it is practicable to specify).

APP 5 expands the notification required to be given to individuals when personal information is collected. Similarly to the additional privacy policy requirements, such notices will now also need to state whether the entity is likely to disclose the information to overseas recipients and to which countries.

These changes will necessitate the review of privacy policies and statements used by entities in relation to the collection and handling of personal information.

Receiving unsolicited personal information
APP 4 is a newly introduced principle, which expressly deals with the requirements applicable when personal information is received without solicitation.

Under APP 4, if an entity receives personal information without requesting it, the entity must, within a reasonable period, determine whether it could have collected the information under the APPs as if it had solicited the information. It is not clear what would be considered a 'reasonable period'.

If the entity determines that it could have collected the information, the entity must comply with the APPs regarding handling of that information, including the requirement to notify the individual of the collection of the information. If not, the entity must take steps to destroy the information or ensure it is no longer personal information (ie, by effectively de-identifying the information) as soon as practicable, if lawful and reasonable to do so.

This principle may be a burden for consumer-facing entities with various channels for receiving messages from individuals. Social media platforms in particular could be problematic, as entities have little control over the information received. Such entities may need to consider instituting procedures that set out how unsolicited information is to be dealt with as a matter of course.

Direct marketing
Direct marketing is currently dealt with as an exception to the requirement that personal information only be used for the primary purpose of collection under NPP 2. In contrast with this relatively flexible approach, APP 7 will prohibit use or disclosure of personal information for direct marketing other than where an exception applies.

The primary exception will be that an organisation may use or disclose non-sensitive personal information for direct marketing if:

  • it collected the information from the individual who is receiving the marketing;
  • that individual would reasonably expect the organisation to market to them directly; and
  • there is a simple means by which the individual can ask (but has not asked) the organisation to stop the direct marketing.

There are narrower exceptions for situations where an individual would not reasonably expect direct marketing, where the information was not collected from the individual, and where the information is sensitive information.

Credit reporting

The Bill comprehensively redrafts the credit reporting regime. Most importantly, it expands the types of information that can be collected by credit reporting bodies (currently known as credit reporting agencies under the Privacy Act) and enhances the privacy protections available to individuals.

At present, credit reporting agencies can only collect what is known as 'negative' data about an individual's credit history, such as information regarding credit applications, an individual's current credit providers and information about any credit defaults.

Under the Bill, credit reporting bodies will be able to collect additional information about individuals, including 'positive' data. The new types of data that will be able to be collected are:

  • the date a credit account was opened or closed;
  • the type of credit account opened;
  • the current limit of each open credit account; and
  • repayment history information.

The expanded categories of data will enable credit providers to create a more robust assessment of an individual's creditworthiness. Overseas experience shows that allowing the collection of positive data results in a decrease in credit default rates. However, the new provisions also represent an increased risk to the privacy of individuals. As such, a range of new protections will be put in place to ensure that individuals have greater access to, and control over, their personal information.

New or enhanced protections include:

  • a registered credit reporting code, which will bind all credit reporting bodies;
  • a strengthened complaints process whereby if an individual complains to a credit reporting body about a practice that may breach either the credit reporting provisions or a provision of the credit reporting code, the respondent must acknowledge and investigate the complaint;
  • restricted access to repayment history information – access will only be available to credit providers who are licensed under the National Consumer Credit Protection Act 2009 (Cth); and
  • individuals' ability to request that their credit information not be disclosed to credit providers if they believe that they have been, or are likely to be, a victim of fraud.

While the Government had stated that its aim in redrafting the credit reporting provisions was to simplify the regime, the provisions remain highly complex.

Implementation

The amendments are due to commence nine months after Royal Assent and the Bill is not expected to meet significant political objection during its passage through Parliament. In the absence of any unforeseen delay, the new rules are likely to come into force during the first quarter of 2013.

There are no special arrangements for the transition to the amended legislation; however, the civil penalties for serious or repeated privacy breaches will only apply to breaches occurring after commencement.

Entities should start reviewing compliance with the amended legislation as soon as possible, particularly in relation to direct marketing and sending information outside Australia. Privacy policies will also need to be updated to ensure all necessary information is covered. As no substantive amendment is expected to the Bill as introduced, there is no reason for entities to delay – and, given the new penalties, all the more reason to act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.