Tuesday, January 14, 2014

Australian Privacy Law Reform

On 12 March, 2014, new privacy laws will come in effect in Australia. The Privacy Amendment (Enhancing Privacy Protection) Act includes a set of thirteen Australian Privacy Principles (APPs). It is a combination of the old Information Privacy Principles, for government, and National Privacy Principles, for business. Some of the most significant changes affecting Australian online businesses are APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information. For the first time in Australian privacy law, a civil penalty regime for breaches of privacy will be implemented.

Specifically, the key changes which will affect online businesses are:

-           More complex privacy policies. It will no longer be sufficient for an entity to just have a basic privacy policy regarding the management of personal information. Businesses will be required to take reasonable steps to implement procedures and systems that comply with the APPs. Website privacy policies will have to cover specific types of information.

-           Cross-border disclosures. Australian entity may now be liable for privacy breaches of an overseas recipient of personal information received from that Australian entity. To avoid such liability for the actions of an overseas recipient, an Australian entity shall ensure that the overseas entity is subject to an equivalent privacy protection regime, AND there is a mechanism in place for an Australian entity to enforce such protection (e.g. pursuant to a written agreement).

-           De-identification of unsolicited information.  Businesses will be required to destroy or de-identify any unsolicited personal information as soon as practicable.

-           Higher degree of protection for “sensitive information.”  The new law will require an entity to obtain the individual’s consent prior to collection of sensitive information (such as race, trade association membership, sexual preferences or practices, criminal record).

-           Security measures required. Businesses will have to take reasonable steps to protect personal information from interference, such as attacks on their computer systems. This is in addition to the existing obligations to protect personal information from loss, misuse, unauthorised access and disclosure.

-           Direct marketing. Narrow exceptions to when and how businesses may use personal information for direct marketing purposes. Recipients of unsolicited direct marketing will now have a new right to require the sender to disclose the source of personal information. Individuals must be given the free option to opt-out of direct marketing.


Australian businesses shall review and update their privacy policies, cloud computing policies, and contracts involving disclosure of personal information (particularly to overseas recipients) to ensure compliance with the new Australian Privacy Principles (APPs).