By Daniel Cooper, Fredericka Argent and Ezra Steinhardt
On 29 November 2012, the Office of the Australian Information Commissioner (“OAIC”) announced that the Australian Parliament had passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“the Act”). The Act, due to come into force in March 2014, is the biggest reform to Australian privacy law in over 20 years, since the passing of the original Privacy Act 1988. It represents the culmination of a reform recommendation made originally by the Australian Law Reform Commission (“ALRC”) in 2005. One of the aims of the reform is to bring Australia’s privacy laws “into the digital age”. Alongside the Privacy Act reforms, the ALRC is also currently consulting on the introduction of a mandatory personal data breach notification law for Australia. The passing of the Act is likely to give that discussion more momentum.
One of the key changes in the new Act is the introduction of a single set of 13 harmonised “Australian Privacy Principles” (“APPs”), which will apply to government agencies as well as to the private sector. The 13 APPs will replace the current bifurcated system of “National Privacy Principles” (“NPPs”) for the private sector and “Information Privacy Principles” (“IPPs”) for the public sector. The APPs are intended to make it easier for businesses and consumers to understand their obligations with regard to personal data and privacy. The Act also introduces reforms that will reshape how entities may process personal information, the circumstances in which it can be used for direct marketing (APP 7), and how entities may transfer personal information overseas (APP 8). Further, the Act will introduce a higher standard of protection for “sensitive” information, including health-related information, DNA and biometric data. The Act will also give businesses new powers to check individuals’ creditworthiness by introducing more comprehensive credit reporting rules.
Under the Act, the role of the Privacy Commissioner (currently Timothy Pilgrim) has been strengthened. The Commissioner will now have the ability to, amongst other things:
- Accept enforceable undertakings from organisations that they will take or refrain from a specified action;
- Seek civil penalties in the case of serious or repeated breaches of privacy, with a new fining power of up to AU$ 1.1 million; and
- Conduct “performance assessments” of privacy practices both of the Australian public and private sectors.
The Act is expected to have a significant impact across multiple industry sectors. Businesses with operations in Australia should anticipate the need to review their current privacy policies and practices in the coming months to ensure compliance with the new, more demanding rules. In connection with these changes, the OAIC has announced that it will “help businesses and government agencies by releasing guidance materials, including guidelines on the application of the new APPs and how they will apply to everyday situations. The OAIC will also provide guidance on the Commissioner’s new powers.”
If you would like a copy of the Act, please contact Covington & Burling LLP.