As we have previously reported, the long awaited Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) was introduced to Parliament earlier this year.
The Bill proposes significant reforms to the Privacy Act 1988 (Cth) to:
You can read our previous article regarding the areas of reform proposed by the Bill here.
Since we last reported, the Bill has undergone substantial scrutiny and industry consultation by both a House of Representatives Committee and Senate Committee.
Ultimately, subject to the implementation of a total of 22 recommendations, both Committees recommended that the Bill should be passed by Parliament. On 17 September 2012, the House of Representatives implemented the Committee’s recommendation and passed the Bill, and on 18 September 2012 the Bill was introduced into the Senate. This marks a significant milestone in privacy reform in Australia to implement the changes recommended by the 2008 Australian Law Reform Commission’s Report which examined the extent to which the Privacy Act continued to effectively protect privacy in Australia.
However, the Senate Committee has recommended a number of further amendments to the Bill aimed at further enhancing the privacy protections in the Bill.
On 25 September 2012, the Senate Legal and Constitutional Affairs Legislation Committee tabled its report regarding the Bill. The Senate Committee’s report also recommended that the Senate should pass the Bill subject to the implementation of 20 recommendations (including a number of amendments to the Bill).
Importantly, in relation to the new Australian Privacy Principles (APPs), which will remain the cornerstone of the Privacy Act, the Senate Committee’s Report made a number of recommendations for amendments to the APPs. These recommendations include:
Notably, if the Senate’s recommendation in relation to APP8.2 is adopted, this may increase the compliance burden on organisations seeking to obtain individuals’ consent to transfer personal information overseas as part of an off-shoring or outsourcing arrangement. The Senate Committee’s report did not provide any guidance regarding the level of detail required in the explanation of the practical effect and consequences of the organisation not being required to ensure the overseas recipient does not breach the APPs.
This recommendation also appears to be at odds with the views of the House of Representatives’ Committee which acknowledged the concerns of industry that the exceptions in APP8.2 place an onerous burden on organisations wishing to transfer personal information overseas as part of their business processes, and may deter the use of cloud computing services. There were a number of other concerns raised by stakeholders regarding APP8, and so the House of Representatives Committee recommended that APP8 should be reviewed 12 months after the Bill commences to consider how the provision operates in practice, and whether new exceptions should be introduced. Therefore, the complex issues regarding cross-border disclosure of personal information may be reopened again in 12-18 months time, and further amendments to the Privacy Act may be proposed.
During the public consultation and hearings conducted by the Senate Committee in preparing its report, there were a number of detailed concerns raised by stakeholders regarding the scope and meaning of the APPs. The Senate Committee’s response to a number of these concerns was to recommend that the Office of the Australian Information Commissioner develops implementation guidelines and explanatory materials, rather than amend the APPs to address these concerns.
The Senate Committee also proposed a number of other amendments to the Bill to the credit reporting provisions of the Bill.
The Senate is expected to debate the Bill (including the recommendations proposed by the Senate Committee’s Report) within the coming weeks. If the Senate passes the Bill and adopts the recommendations of the Senate Committee, the Bill will then be returned to the House of Representatives to consider the further amendments recommended by the Senate Committee.
Once the Bill passes, most of the substantive provisions have deferred commencement until 9 months after the Bill receives Royal Assent. However, with the changes now well and truly on their way, in the coming months, organisations should start to consider what action they will need to take in relation to their own privacy policies, internal privacy procedures and contracts with service providers to meet the new requirements, and take steps to prepare.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.