Privacy reform in Australia is now imminent

Subscribe
26 September 2012

As we have previously reported, the long awaited Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) was introduced to Parliament earlier this year. 

The Bill proposes significant reforms to the Privacy Act 1988 (Cth) to:

  • implement a unified set of Australian Privacy Principles (APPs) that apply to both the public and private sector;
  • modernise the credit reporting regime, including more comprehensive credit reporting; and
  • bolster the powers and functions of the Commissioner, with an improved ability to resolve complaints and promote privacy compliance.

You can read our previous article regarding the areas of reform proposed by the Bill here.

Since we last reported, the Bill has undergone substantial scrutiny and industry consultation by both a House of Representatives Committee and Senate Committee.  

Ultimately, subject to the implementation of a total of 22 recommendations, both Committees recommended that the Bill should be passed by Parliament.  On 17 September 2012, the House of Representatives implemented the Committee’s recommendation and passed the Bill, and on 18 September 2012 the Bill was introduced into the Senate.  This marks a significant milestone in privacy reform in Australia to implement the changes recommended by the 2008 Australian Law Reform Commission’s Report which examined the extent to which the Privacy Act continued to effectively protect privacy in Australia. 

However, the Senate Committee has recommended a number of further amendments to the Bill aimed at further enhancing the privacy protections in the Bill.

Senate Committee recommendations

On 25 September 2012, the Senate Legal and Constitutional Affairs Legislation Committee tabled its report regarding the Bill.  The Senate Committee’s report also recommended that the Senate should pass the Bill subject to the implementation of 20 recommendations (including a number of amendments to the Bill).

Importantly, in relation to the new Australian Privacy Principles (APPs), which will remain the cornerstone of the Privacy Act, the Senate Committee’s Report made a number of recommendations for amendments to the APPs.  These recommendations include:

  • APP2 (Anonymity and Pseudonymity)  - APP2 provides that subject to two exceptions, individuals must have the option of not identifying themselves or using a pseudonym when dealing with an organisation.  To address the concerns of stakeholders that the scope of the exceptions to APP2 requires clarity, the Senate Committee recommended that APP2 should be amended to clarify that APP2.1 does not apply where it is impracticable for the organisation to deal with individuals who have not identified themselves or who have used a pseudonym, and the Government is to consider options to enhance the clarity regarding the application of APP2.
  • APP7 (Direct Marketing) – APP7 sets out a general prohibition on use of personal information for direct marketing, and a number of exceptions to this general prohibition.  The Report recommended amendments to APP7 to avoid confusion regarding the exceptions to this general prohibition, and to allow an individual to opt-out of direct marketing at any time
  • APP8 (Cross border disclosure) – APP8.2 provides that an individual may provide their consent to an organisation disclosing their personal information to an overseas entity, provided that the organisation has informed the individual that by providing this consent the organisation is not required to ensure the overseas entity does not breach the APPs.  The Report recommended that APP8.2 be amended to provide that an organisation must also inform the individual of the practical effect and potential consequences of providing this consent. 

Notably, if the Senate’s recommendation in relation to APP8.2 is adopted, this may increase the compliance burden on organisations seeking to obtain individuals’ consent to transfer personal information overseas as part of an off-shoring or outsourcing arrangement. The Senate Committee’s report did not provide any guidance regarding the level of detail required in the explanation of the practical effect and consequences of the organisation not being required to ensure the overseas recipient does not breach the APPs.

This recommendation also appears to be at odds with the views of the House of Representatives’ Committee which acknowledged the concerns of industry that the exceptions in APP8.2 place an onerous burden on organisations wishing to transfer personal information overseas as part of their business processes, and may deter the use of cloud computing services. There were a number of other concerns raised by stakeholders regarding APP8, and so the House of Representatives Committee recommended that APP8 should be reviewed 12 months after the Bill commences to consider how the provision operates in practice, and whether new exceptions should be introduced. Therefore, the complex issues regarding cross-border disclosure of personal information may be reopened again in 12-18 months time, and further amendments to the Privacy Act may be proposed.

During the public consultation and hearings conducted by the Senate Committee in preparing its report, there were a number of detailed concerns raised by stakeholders regarding the scope and meaning of the APPs. The Senate Committee’s response to a number of these concerns was to recommend that the Office of the Australian Information Commissioner develops implementation guidelines and explanatory materials, rather than amend the APPs to address these concerns.

The Senate Committee also proposed a number of other amendments to the Bill to the credit reporting provisions of the Bill.

The Senate Committee’s report is available here and the House of Representatives report is available here.

What’s next?

The Senate is expected to debate the Bill (including the recommendations proposed by the Senate Committee’s Report) within the coming weeks. If the Senate passes the Bill and adopts the recommendations of the Senate Committee, the Bill will then be returned to the House of Representatives to consider the further amendments recommended by the Senate Committee.

Once the Bill passes, most of the substantive provisions have deferred commencement until 9 months after the Bill receives Royal Assent. However, with the changes now well and truly on their way, in the coming months, organisations should start to consider what action they will need to take in relation to their own privacy policies, internal privacy procedures and contracts with service providers to meet the new requirements, and take steps to prepare.


The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.


Related Content

Contacts

Eugenia Kolivos

Partner. Sydney
+61 2 9210 6316

Profile

Helen Clarke

Partner. Brisbane
+61 7 3228 9818

Profile

James North

Partner. Sydney
+61 2 9210 6734

Profile

Philip Catania

Partner. Melbourne
+61 3 9672 3333

Profile

Melissa Pratt

Senior Associate. Brisbane
+61 7 3228 9739

Email