Australian businesses prepare for the new privacy regime
Minter Ellison’s privacy and data protection team advises clients across different industry sectors on local and international privacy and data protection issues.
We regularly assist with the development of privacy compliance tools and privacy policies and statements, conduct privacy audits of organisations to assist with compliance, advise financial institutions in relation to privacy implications associated with credit reporting and providing financial services, advise on marketing and promotional strategies (including email spam and other direct marketing), assist multinational organisations in relation to trans-border data flows and advise and assist organisations in the event of data and information security breaches.
In light of continuing proposals to change privacy laws in Australia, we keep abreast of developments and are able to advise clients on the possible future changes to the law.
As the policy debate rages on the future direction of tertiary education and its institutions, Australian universities are grappling with a raft of regulatory changes that will materially affect their day to day operations.
Under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Privacy Amendment Act), Australian Privacy Principle 8 (APP 8) will replace National Privacy Principle (NPP) 9 and cover the cross-borders disclosures of personal information by APP entities and agencies. The new APP 8 is much broader in its application, contains some significant differences to NPP 9, and as such Australian disclosing entities will need to carefully consider how they wish to meet the requirements of APP 8 in trans border transactions.
Cybercrime poses a significant challenge for law enforcement agencies and criminal justice systems across the globe. The borderless nature of the internet makes it easier for cyber attacks to be externally instigated. In response, Australia, together with a number of other nations, has taken steps to harmonise laws intended to combat cyber threats and facilitate greater international cooperation between law enforcement agencies.
In this edition of the Privacy Update we look at:
In advance of Privacy Awareness Week, the OAIC released a Guide summarising and analysing the key differences between the National Privacy Principles (NPPs) and the new Australian Privacy Principles (APPs) which will replace the NPPs for private sector (APP) entities from 12 March 2014. While it does not provide detailed guidelines on each of the new obligations in the APPs, it reinforces where the real differences exist between old and new privacy obligations for APP entities when they consider the impact of the new APPs and prepare for compliance.
When the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) commences in March 2014 there will be a new definition of 'personal information' in the Privacy Act 1988 (Cth) that includes information about an individual which, when combined with other information (which may not be controlled by the same entity), identifies an individual or renders the individual reasonably identifiable. This is a significant development as the current definition of 'personal information' requires that the identity of the individual concerned be apparent, or reasonably ascertainable, from the subject information or opinion. If multiple documents potentially controlled by different entities may be considered in determining whether an individual is reasonable identifiable under the Amending Act, a key issue that will face entities is how to determine whether the threshold of 'reasonably identifiable' has been reached.
Australia's new cybercrime law, which came into force on 1 March 2013, establishes the legislative framework for Australia's accession to the Council of Europe Convention on Cybercrime (Convention). The essence of the new cybercrime law is to empower Australia's law enforcement and intelligence agencies to compel carriers to preserve the communication records of persons suspected of cyber-based crimes. The new law also expands the Commonwealth cybercrime offences and facilitates international cooperation between State parties to the Convention through the cross-border sharing of communication records.
Today, 29 April 2013, the Asia Pacific Privacy Authorities forum launched Privacy Awareness Week 2013, an annual initiative promoting greater privacy awareness for business, government and individuals.
In Australia, business and government agencies alike are gearing up for the new privacy regime, which will come into effect in March 2014. We comment on some of the issues that continue to shape the evolving privacy landscape.
The Australasian Retail Credit Association has released for public consultation a draft of the new Credit Reporting Code of Conduct that it is developing at the Privacy Commissioner's request. The release of the draft Code follows the passing of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 last November, which made substantial changes to the Commonwealth Privacy Act 1988 including the replacement of the current credit reporting system by Part IIIA of the amended Act and the requirement for a new Code to be developed.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by the Parliament today, making substantial amendments to the Commonwealth Privacy Act 1988. The Bill has changed somewhat as it has passed through Parliament as a result of the Government accepting a number of the Senate Committee recommendations. We examine the key elements of the reforms and outline what you need to do now to get your organisation ready for the new regime.
The Federal Attorney-General has released a Discussion Paper seeking comment on whether to introduce laws to make notification of data breaches by government agencies and large private sector entities mandatory in Australia. The Government is calling for submissions by 23 November 2012, asking what the triggers should be and what penalties should apply for failure to comply. The Federal Privacy Commissioner has given his support to the Discussion Paper and a mandatory notification scheme.
In this edition of Privacy Update, we look at:
In August, the Senate passed the Cybercrime Legislation Amendment Bill, which will enable Australia's accession to the Council of Europe Convention on – the first international treaty dealing with crimes either against or via computer networks. The Convention targets online fraud, child pornography and unauthorised access, use or modification of data, either through or on computers. It also facilitates access to evidence of cybercrime by enforcement and interception agencies, including by mutual assistance.
Two cases brought by the US Federal Trade Commission against Google dramatically demonstrate the importance of companies' adhering to their privacy policies and other representations made to customers about the treatment of their personal information. In settling the latest case Google has agreed to pay a record US$22.5million to settle a complaint in relation to its Safari internet browser.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 proposes 19 regulation-making powers in addition to those already in the Privacy Act 1988. Most of the new powers enable the prescription of matters that would further define the meanings of new terms in the proposed credit reporting system.
A recent case highlighted the challenges of establishing the identity of anonymous users of social networking sites media who impersonate others. Social networking sites can be an easy means for engaging in impersonation because it is easy to set up a false account but while Facebook and Twitter have mechanisms to deal with the consequences of hacking and impersonation it may not be enough for the victim whose personal reputation or their employer's has been damaged.
On Tuesday 25 September, the Senate Legal and Constitutional Affairs Legislation Committee released its Report on the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. The Senate report follows the release of the Advisory Report from the concurrent inquiry undertaken by the House of Representatives Standing Committee on Social Policy and Legal Affairs. The decisions of both committees to recommend the adoption of the Bill without major changes may cause alarm, particularly amongst credit providers. We summarise the key recommendations from each report.
On 27 June 2012, the Legislative Council of Hong Kong passed the most extensive set of amendments to the Personal Data (Privacy) Ordinance since the legislation was introduced in 1996.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (the Bill) amends the Privacy Act 1988 (Cth) (the Act) to implement the first tranche of responses to the Australian Law Reform Commission's (ALRC) report called 'For Your Information: Australian Privacy Law and Practice' (the ALRC report).
We consider recent decisions issued by the Office of the Australian Information Commissioner involving organisations in the telecommunications, legal, insurance and financial sectors.
The Australian Communications and Media Authority has concluded that Vodafone Hutchison Australia's dealers who made unsolicited calls to numbers on the Do Not Call Register to promote its products contravened the Do Not Call Register Act 2006 (the Act). As a result, ACMA has accepted an enforceable undertaking from under the Telecommunications Act 1997 (Cth).
On 25 January 2012, the European Commission published drafts of the two key documents implementing reform proposals for the EU data protection regime. If implemented, the reforms will have a significant impact on any organisation located in the EU or doing business with EU companies or citizens. We examine the proposed reforms and their practical implications.
On 22 February 2012, there was a further key development in the proposed amendments to the Personal Data (Privacy) Ordinance when the Bills Committee for the Personal Data (Privacy) (Amendment) Bill 2011 published a paper revising proposed amendments to provisions on the use of personal data in direct marketing and the sale of personal data.
From July 2012, Australians will have the opportunity to access their health records in a single view, where and when needed, and irrespective of the location of the consumer, healthcare provider or record. This is the first time that this type of service has been made available in Australia and it is set to transform how healthcare is delivered nationally.
Under section 52 of the Privacy Act 1988 (Cth), the Privacy Commissioner has the power to make a determination after investigation and substantiation of a complaint, which directs how a privacy complaint should be resolved. This power includes declaring that the organisation take some remedial action or pay a specified amount of compensation for loss or damage suffered. Declarations can be enforced in the Federal Court.
In Public Interest Determination 12A, the Privacy Commissioner has applies powers granted in Section 73 of the Privacy Act to allow doctors to collect health information about a third party, without their consent, on teh grounds of being in the public interest.
On 28 November 2011, the European Commission announced that it would comprehensively reform European data protection laws. The proposed reforms, which are due in January 2012, aim to unify the existing legislation of member states and significantly reduce costs for businesses in complying with data protection laws.
The US Federal Trade Commission announced in late November that it had reached a proposed settlement with global social networking site Facebook. The case sounds a warning to companies that collect personal information that they should ensure they only deal with such information as promised or risk proceedings being brought against them for misleading and deceptive conduct.
On Thursday 6 October the Senate Finance and Public Administration Legislation Committee released its highly anticipated report on the credit reporting provisions of the Exposure Draft of the Australian Privacy Amendment Legislation. The report makes 30 recommendations, many of which are quite significant, in response to numerous submissions and particularly on five key matters: simplification and clarification of language and definitions, the treatments of serious credit infringements, identity theft, the use of hardship flags and complaints handling.