A primer to Australia's new privacy laws

In its last sitting day for the year, Parliament passed its widely anticipated amendments to Australia's Privacy Act. This is an Act that was first made in 1988, well before most of the world joined the information superhighway and the new reforms are a major milestone and the most significant changes to the Act since the National Privacy Principles were passed in 2000.

Most of the amendments passed by Parliament yesterday were of little surprise to the technology and wider business communities, after all, the reforms were developed on the back of hefty industry consultation. The passage of the reforms is the culmination of a process that was originally set to start back in 2003, when the Privacy Commissioner was due to review the operation of the National Privacy Principles.

In 2008, 295 recommendations were made by the Australian Law Reform Commission in a 3000-page report. More than half of these recommendations were passed yesterday. A significant change was the expansion of enforcement powers, which could see companies liable for penalties of up to $1.1 million.

Luckily, for those corporates that may now need to revaluate their current privacy standing, the timeframe in which they have to comply has also been extended from the nine months which was originally anticipated. Companies will now have 15 months to prepare for the changes, with the key new provisions likely to be effective from March 2014.

The key areas that companies will need to look at to ensure that they are fully compliant with the new reforms relate to direct marketing, cross-border data disclosure, privacy policies and notices, credit checks and having systems and procedures to manage compliance and handle complaints.

The new direct marketing requirements do not interfere with the Spam Act but may apply to other forms of targeted online marketing that are not message-based, as well as more traditional forms like direct mail. Individuals will now have the right to know the source of their personal information obtained by direct marketers, opt out of direct marketing and opt out of disclosure of their information to other direct marketers. These requirements are likely to have system impacts as many databases are unlikely to be tracking all of these fields today.

Some concerns had been raised by the direct marketing industry relating to a potential interpretation that would require all direct marketing messages to contain opt-out wording, even those on short-message services like Twitter. While the relevant sections were not further amended in this regard, the Government does appear to have acknowledged that for some types of direct marketing, the right to opt-out may not need to be stated in each message. The office of the Australian information commissioner (OIAC) is expected to provide further guidance on this point.

When it comes to cross-border disclosure, Australian companies will now have greater responsibility when sending personal information offshore. Whereas suitable contractual clauses are sufficient to meet this requirement today, under the new regime it won't be enough to stop Australian entities being held accountable for breaches by their offshore data recipients (or their subcontractors).

This has raised concerns that the new rules might hinder the use of offshore cloud computing services, but in fact it's unlikely to change this significantly. While retaining data in Australia or a jurisdiction with similar laws will be more attractive because of accountability issues, cloud computing customers can still use contractual measures to protect themselves against a third party breach. This is not to say that cloud computing won't raise concerns for Australian entities, but that is already the case today.

The fact that these reforms have now been passed through Parliament is indeed a significant milestone for Australia's venture in to the digital age. But, it's a milestone that has been a long time coming and is likely to have further to go with proposals relating to data breach notification and statutory cause of action for serious invasions of privacy still being considered.

In addition, many of the Australian Law Reform Commission's recommendations are yet to be responded to by the government. A number of countries with more stringent privacy laws also don't have some the exemptions that Australia has, for example the employee records exemption and small business exemption. This is another area that may be addressed in the future.

But despite the possibility for further future reform, now is the time for Australian businesses that will be covered by the act to start preparing for the new age of privacy compliance. So what do you need to do?

• Determine who should have responsibility for managing your organisation's privacy review project and which other internal stakeholders should be engaged.
• Update privacy policies, notices and consents, aligning and consolidating where appropriate, with lead times for printing and distribution.
• Review outsourcing practices and other disclosures of personal information to third parties and foreign countries. Develop standard clauses and review ongoing contracts.
• Review direct marketing practices and databases to ensure the new opt out and other requirements can be met.
• Review personal information flows and handling practices generally, including storage and security.
• Review commercial and consumer credit applications and arrangements, particularly where your organisation conducts consumer credit checks.
• Develop internal procedures for key processes.
• Train staff on your organisation's privacy obligations.
• Allow enough time to implement necessary IT changes before the new requirements take effect.
• Look out for guidance material being developed by the Office of the Australian Information Commissioner.

This article was written by Kaman Tsoi, Special Counsel, Herbert Smith Freehills.