On 12 March, 2014, new privacy
laws will come in effect in Australia. The Privacy Amendment (Enhancing
Privacy Protection) Act includes a set of thirteen Australian Privacy Principles (APPs). It is a combination of the old Information Privacy
Principles, for government, and National Privacy Principles, for business. Some
of the most significant changes affecting Australian online businesses are APP
7 on the use and disclosure of personal information for direct marketing, and
APP 8 on cross-border disclosure of personal information. For the first time
in Australian privacy law, a civil penalty regime for breaches of privacy will
be implemented.
Specifically, the key changes
which will affect online businesses are:
- More
complex privacy policies. It will no longer be sufficient for an entity to just
have a basic privacy policy regarding the management of personal information.
Businesses will be required to take reasonable steps to implement procedures
and systems that comply with the APPs. Website privacy policies will have to
cover specific types of information.
- Cross-border
disclosures. Australian entity may now be liable for privacy breaches of an
overseas recipient of personal information received from that Australian
entity. To avoid such liability for the actions of an overseas recipient,
an Australian entity shall ensure that the overseas entity is subject to an
equivalent privacy protection regime, AND there is a mechanism in place for an
Australian entity to enforce such protection (e.g. pursuant to a written
agreement).
- De-identification
of unsolicited information. Businesses
will be required to destroy or de-identify any unsolicited personal information
as soon as practicable.
- Higher
degree of protection for “sensitive information.” The new law will require an entity to obtain
the individual’s consent prior to collection of sensitive information (such as
race, trade association membership, sexual preferences or practices, criminal
record).
-
Security measures required. Businesses will have to take reasonable steps to
protect personal information from interference, such as attacks on their
computer systems. This is in addition to the existing obligations to protect
personal information from loss, misuse, unauthorised access and disclosure.
- Direct
marketing. Narrow exceptions to when and how businesses may use personal
information for direct marketing purposes. Recipients of unsolicited direct
marketing will now have a new right to require the sender to disclose the
source of personal information. Individuals must be given the free option to
opt-out of direct marketing.
Australian businesses shall review and update their privacy
policies, cloud computing policies, and contracts involving disclosure of
personal information (particularly to overseas recipients) to ensure compliance
with the new Australian Privacy Principles (APPs).
