The federal government has released an exposure draft of legislation to amend the Privacy Act. The proposed amendments have been referred to a Senate committee, and anyone wishing to make a submission to the Committee must do so by 27 July 2010. The Committee is presently expected to report in September 2010, although this date may vary if an election is called.
The amendments were foreshadowed by the federal government in their October 2009 response to the Australian Law Reform Commission’s comprehensive report on privacy laws (summarised here). The main topic of the exposure draft is the replacement of the Information Privacy Principles (which apply to federal government agencies) and the National Privacy Principles (which apply to most Australian private sector organisations) with the Australian Privacy Principles (APPs). The exposure draft does not address the regulation of consumer credit information nor does it address health information - separate responses to these issues are proposed.
We discuss the key changes from the existing regime below.
Cross-border disclosure of personal information
The amendments seek to implement the ‘accountability’ principle that is part of the APEC Privacy Framework. The APEC framework requires controllers of personal information to either obtain consent to data exports or to “exercise due diligence and take reasonable steps to ensure the recipient person or organization will protect the information consistently” with applicable privacy principles.
However, the proposed section 20 goes further by providing that the Australian entity will be liable to Australian individuals if the recipient outside Australia acts inconsistently with the APPs. Liability will be imposed even where the Australian entity exercised due diligence and took reasonable steps to ensure that the recipient would abide by the principles. It appears that the government has listened to privacy advocates who criticised the ALRC’s recommendations on this point. We expect this to be a point of contention before the Senate committee.
The amendments also clarify that an offshore transfer of personal information is not necessary for the cross-border regulation to apply - the principle will apply where a person outside Australia is given remote access to personal information that remains within Australia.
In a related amendment, regulated entities will be required to take reasonable steps, at about the time of collecting personal information, to notify data subjects whether the entity is likely to disclose the personal information to an overseas recipient and, if so, the countries in which such recipients are likely to be located.
Direct marketing
The other substantial change to the status quo proposed by the exposure draft legislation concerns the use and disclosure of personal information for the purpose of direct marketing.
Under the existing Act, if an organisation had collected personal information for the purpose of direct marketing (for example, by purchasing or renting a list), it could freely use and disclose that information for that purpose. In contrast, under the exposure draft legislation, if an organisation proposes to use or disclose personal information for the purpose of direct marketing, it must do so in accordance with APP 7. APP 7 is a general prohibition against the use or disclosure of information for the purpose of direct marketing unless one of the identified exceptions applies.
As with all privacy principles, direct marketing will be permitted where the individual concerned has consented and not withdrawn that consent. Where consent has been obtained, an opt-out facility must be available and, where consent was obtained indirectly, a prominent opt-out statement must be included with each direct marketing communication. However, in what must be a drafting error, no opt-out statement or facility is required where consent exists and the information that is used for the purpose of direct marketing is “sensitive information”. It makes no sense to afford a lower standard of protection to sensitive information than non-sensitive information.
If consent has not been obtained, direct marketing will be permitted on conditions that are very similar to those in the existing NPP 2.1(c). To be more precise, the organisation must satisfy one of the following conditions:
where the organisation collected the personal information directly from the proposed recipient of the direct marketing communication, the individual would reasonably expect the information to be used for that purpose, the organisation provides a simple means of opting out of direct marketing communications, and the recipient has not made an opt-out request; or
where the organisation collected the personal information indirectly, it is impracticable for the organisation to obtain consent to the use of the information for the purpose of direct marketing, the organisation provides a simple means of opting out of direct marketing communications, a prominent opt-out statement is included in each direct marketing communication, and the recipient has not made an opt-out request.
If enacted, these proposals would more closely align the Privacy Act’s provisions concerning direct marketing to the requirements of the Spam Act and the Do-Not-Call Register Act. Those regimes essentially impose a requirement for consent. If the proposals are enacted, direct marketing conducted through the mail system would be subject to requirements that would not be quite as onerous as those applying to email, SMS, phone and fax marketing, but would not be far behind. Direct marketing permitted under the Spam Act or the Do-Not-Call Register Act is likely to satisfy the requirements of APP 8.
The other potentially material change to direct marketing practices proposed by the exposure draft is to provide a right for an individual to request that an organisation which uses or discloses personal information for the purposes of direct marketing identify the source from which the organisation collected the individual’s personal information, and to impose a corresponding obligation on the organisation to identify the source within a reasonable period of receiving the request unless it is impracticable or unreasonable to do so. This may require organisations that engage in direct marketing to change their CRM and related databases so as to record information about the source of data for each individual (but note the “impracticable or unreasonable” qualifiers, which should protect organisations against having to incur substantial expenditure on system changes solely to accommodate this provision).
Application of Act to foreign entities carrying on business in Australia
Presently the Privacy Act applies to the conduct of foreign entities that carry on business in Australia to the extent they collect or hold personal information in Australia and that personal information is about Australian citizens or permanent residents. The government explains in its “companion guide” to the exposure draft legislation that it intends to remove the requirement that the personal information concern Australian citizens and permanent residents. However, in what appears to be an unintended drafting error, the amendments purport to regulate the activities of foreign entities that carry on business in Australia, whether or not those activities have any logical connection to Australia. For example, if taken literally, the amendments would regulate the activities in Germany of a German bank that has a branch office in Australia in relation to its processing of personal data concerning German customers who have never been to Australia. Our expectation is that this anomaly will be addressed by the government.