Executive Summary

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) became law in December 2012. It introduces a new statutory regime with mandatory privacy principles with which all relevant businesses must comply. These principles, known as the Australian Privacy Principles (or APPs), combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth).

The new APPs apply to all gambling organisations, which must, by 12 March 2014:

  • have a privacy policy tailored to meet the requirements of the Act;
  • not use or disclose any information they may hold about an individual for direct marketing, subject to specific exceptions;
  • before providing an overseas organisation (including related companies) with personal information, take reasonable steps to ensure that the overseas recipient complies with the APPs;
  • have in place an adequate scheme allowing access to complaints; and
  • comply with requirements regarding unsolicited information.

Moreover, the Act grants greater enforcement powers to the Australian Privacy Commissioner. The Commissioner will be able to obtain enforceable undertakings from an organisation and apply to a court for a civil penalty order against organisations in breach of the Act. These penalties can range from $110,000 up to $1.1 million.

Accordingly, gambling organisations should become familiar with their obligations under the Act and take steps to become compliant. One of the key steps which needs to be taken is to ensure that their Privacy Policies comply with the new requirements of the Act.

Australian Privacy Principles (APPs)

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Act) introduces the Australian Privacy Principles (APPs), which combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth) (the Privacy Act). The APPs set out obligations with which gambling organisations must comply relating to the collection, storage, security, use, disclosure, access and correction of personal information acquired by an "organisation".1 Broadly speaking, personal information is any information which can identify a person.

The APPs will apply to all organisations. There is an exception for small businesses (any business with an annual turnover of less than $3,000,000), but it does not apply to a reporting entity, which is an entity that provides a "designated service" as defined in the AML/CTF Act.2

Accordingly, regardless of whether your business is a wagering operator, bookmaker, totalisator, lottery operator, casino operator or club, you will be required to comply with new obligations set out in the Act.

Changes to Privacy Regulation

So how will the changes impact upon the way in which your gambling organisation handles personal information?

  1. Privacy Policies - You must have a privacy policy. Your privacy policy must state:

    1.1 Details of the kind of personal information collected;

    1.2 How it is collected and held;

    1.3 The purposes of collection;

    1.4 How individuals can seek access to and/or correct personal information;

    1.5 How a complaint may be made; and

    1.6 Whether the personal information will be disclosed to overseas recipients and, if so, the countries where the recipients are located (if practicable).3

    These requirements are considerably more prescriptive as to privacy policy content than the previous requirements. Accordingly, privacy policies need to be updated to meet the new requirements. For example, it used to be sufficient for a privacy policy to state that a company "collects personal information from its customers for the purpose of providing services to those customers". It is now necessary for the privacy policy to stipulate what kind of personal information is being collected, and the purpose of collection. Moreover, multinational gambling organisations need to take special care to meet the new obligations. This will be relevant for many leading Australian gambling organisations which are part of a global group.

  2. Direct Marketing - The use of personal information in the promotion and sale of goods and services directly to new and existing customers will now be regulated.4

    This means that, if you hold personal information about an individual, you must not use or disclose the information for the purpose of direct marketing.5 However, there are various exceptions.

    You will be permitted to use personal information for direct marketing if:

    2.1 your business collected the information from the individual;

    2.2 the individual would reasonably expect your business to use or disclose the information for the purpose of direct marketing;

    2.3 you provide a simple means for the individual to request to opt-out from receiving direct marketing communications; and

    2.4 the individual has not requested to opt out.6

    This exception does not apply to sensitive information (i.e. health information, genetic information, political opinions, and information about racial or ethnic origins). Care will need to be taken by gambling organisations to ensure that any marketing complies with this principle. It is particularly important in respect of online marketing targeting Australians which is often conducted from outside Australia.

  3. Cross-Border Disclosures of Personal Information7

    Before providing an overseas organisation (including a related body corporate of a service provider) with personal information about an individual, any Australian organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This is because Australian organisations will remain accountable for information sent overseas and will be liable for breaches of the APPs by overseas recipients. This is a significant change to Australia's privacy regime and will impact upon Australian subsidiaries of overseas companies. Reasonable steps will not be required if the recipient is subject to a law which protects the personal information in a way which is similar to the protection provided by the APPs.

    Accordingly, adequate precautions must be in place to prevent unintended and unauthorised breaches of the APPs, particularly in a global context.

  4. Access and Complaints – You must ensure that an individual is aware of:

    4.1 the fact that they can access their information;

    4.2 their rights of complaint;

    4.3 the purposes for which their information is collected; and

    4.4 any organisations to which the information may be disclosed, including overseas recipients and, in the case of wagering operators, Australian sports governing bodies.8

    This information will need to be set out specifically.

  5. Unsolicited Information – If you are a gambling organisation dealing with personal information which was not solicited by your organisation, that unsolicited information will also be regulated.

    5.1 When unsolicited information is received, you must, within a reasonable period, determine whether or not your organisation could have lawfully collected the information in accordance with the collection rules, which require that you only collect personal information that is reasonably necessary for, or directly related to, one or more of your organisation's functions or activities.9 If so, the personal information is then regulated by the Act in the same way as if it had been solicited.10 Unsolicited personal information might be contained in a complaint from a member of the public or personal information received from a law enforcement agency.

    5.2 However, where the unsolicited personal information you have received is not reasonably necessary for, or directly related to, one or more of your gambling organisation's functions or activities, reasonable steps must be taken as soon as reasonably practical to either destroy the information or de-identify it so that it is no longer personal information (but only if it is lawful and reasonable).11

  6. Undertakings and Civil Penalties - Greater powers will be held by the Australian Privacy Commissioner. Most notably, the Commissioner will be able to:

    6.1 obtain enforceable undertakings from an organisation; and

    6.2 apply to a court for a civil penalty order against organisations. These penalties can range from $110,000 up to $1.1 million.

How might these changes impact on your business?

The Act will impact all gambling businesses in various ways. Any gambling business dealing with individuals must:

  • revise their privacy policy to comply with the mandatory requirements set out in the Act;
  • when engaging in direct marketing, provide a clear and simple method that allows targeted consumers to opt out;
  • keep more detailed, accurate and current records as to how personal information is obtained as individuals will be able to request details of how their personal information was obtained; and
  • take steps to ensure appropriate measures are in place where personal information is likely to be sent overseas. Given your gambling organisation will be liable for any breach, you should take steps to ensure that, if personal information is sent overseas, the recipient complies with stringent obligations in connection with the protection of privacy.

What now?

We would recommend that all gambling organisations conduct a privacy audit to examine the extent to which the Act will apply and the changes required to ensure compliance with the Act. Privacy training for relevant staff should be coordinated. You may also wish to appoint a Privacy Officer to deal with queries and compliance issues. Adopting such measures will reduce your risk of breaching these requirements.

Conclusion

The Act will impact upon the way in which your gambling organisation collects, uses and discloses personal information. Your organisation will be expected to be fully compliant with the new obligations by March 12, 2014. Accordingly, you and your gambling organisation should be considering now the changes which you need to make to comply fully with the Act before the deadline.

Footnotes

1 An "organisation" is an individual, body corporate, partnership or any other unincorporated association or trust, which is not a "small business" - s 6 Privacy Act 1988 (Cth).

2 The Anti-Money Laundering and Counter-Terrorism Financing Act 2006

3 APP 1

4 APP 7

5 APP 7.1

6 APP 7.2

7 APP 8

8 APP 5

9 APPs 3.1 and 3.2

10 APP 4.1

11 APP 4.3. Note this is not the case in relation to information contained in a Commonwealth record (i.e. sensitive personal information contained in a Commonwealth record that is not suitable for public release).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.