Guardian article on the changes to the Privacy Act

February 5, 2014 |

Even though the article is titled Internet privacy: how Australia’s new laws will work the Guardian piece is, properly, about the general changes to the Privacy Act.  In my recent experience the reaction from those who should be most concerned about making sure they are compliant is a weary “meh”.  Almost as if – it wasn’t a problem in the past why should it be a problem into the future.  The analysis is flawed of course.  Previously the Privacy Act had little impact on businesses covered by it because the powers available to the Privacy Commissioner were very limited and any exposure to penalty so slight as to be almost academic.  As of 12 March the regulatory landscape will change from peaceful meadows to tangled weeds and steep cliffs for organisations which are not compliant and come under the gaze of the Privacy Commissioner.  Enforceable undertakings and Federal Court action are potential, unpleasant, outcomes.  Lawyers active in the field estimate that at leas 50% of organisations are not compliant at this 11th hour.  That presents a target rich environment for the Privacy Commissioner.  How assertive the Privacy Commissioner chooses to be and how quickly he flexes this new regulatory muscles will be the key. If he is active from March in making his presence and power felt – a fair bet- the potential for a rush of panicked responses when the media releases of action taken get picked up by organisations will be great. And  that is not the best way to get one’s regulatory house in order.

In the meantime the article is one of the better overviews of some of the key reforms that will take effect on 12 March.  It provides:

New privacy laws will come into operation in Australia in March this year. The amendments to the Privacy Act will introduce a new and harmonised set of privacy principles. While there is still plenty of room for improvement, the new laws make some important steps in protecting privacy, particularly with the collection of data online.

The new reforms apply to all bodies that collect or store personal information about Australians. They don’t operate in a vacuum; there is a broad (if somewhat patchwork) frame of privacy laws across the globe, and the way that they interact with some of these different laws will be interesting to follow in coming years. Here’s a guide to some of the changes and some comments from Australia’s information commissioner, Professor John McMillan, on the changes.

How your data is being collected and what it’s being used for

Organisations that collect personal data must take reasonable steps to notify an individual user about that collection. They need to tell you about the circumstances of collection and its purpose. So when you visit a website they need to tell you if they are collecting information on your browsing habits, and the purpose of that collection.

There is a loophole in this principle that could give some wiggle room on this – the act also allows organisations to provide notification of data collection after it has actually been collected, “as soon as possible after”.

The information commissioner said his office would be ensuring there was oversight of those kind of retrospective collections: “The term ‘reasonable steps’ is an objective standard, and what it requires any entity to do is to point to why it gave notification and to explain why that was a reasonable step and point to evidence that backs up what it’s doing.”

Notifications that your data will be sent overseas

One of the most significant changes is stronger laws governing the sending of data overseas. Australians’ data is routinely sent overseas, and the new principles attempt to impose a greater burden to the entity that sends the data overseas, by stating the entity in Australia must take “reasonable steps” to ensure the principles are not breached overseas.

McMillan says a good example of reasonable steps could be contractual measures. So if a cloud service provider is planning on sending data overseas, it should have a contract in place to make sure data will not be misused.

Once again there is an exception that some organisations may attempt to rely on. If the overseas entity is subject to a “substantially similar” privacy law it does not have to take reasonable steps to ensure data is used in accordance with Australia’s laws. The question of what is a substantially similar regime is not clear, and McMillan said his office would not be compiling a global list of accredited regimes; each would be decided on a case by case basis.

“It’s not practical for us as a little office to do a global analysis and draw up an accredited list. Privacy regulators elsewhere have faced the same thing and they shy away from the difficulty of drawing up that list. The message you get from that is the onus is on the individual entity to ensure adequate privacy protection.”

Right to access your personal information from private entities

The reforms also create a stronger right to access personal information from private entities. While it was already possible to access personal information from government agencies under freedom of information laws, the privacy reforms take this a step further – there is now a separate right to request information from private corporations and entities that could hold personal information.

An obvious example of this is for companies such as Facebook and Google – in theory you can now find out how much data they hold on you, what format they hold it in, and whether they have disclosed that information to other parties. The entities are obliged to provide the information to you, but can impose some charges if there is a cost to retrieving the information.

The right of access is more flexible than under the Freedom of Information Act. Private organisations only need to respond in a “reasonable amount of time” but the commissioner’s guidelines suggest that 30 days would be reasonable in most situations. You also cannot appeal against an adverse decision to the commissioner’s office – but you can still lodge a complaint with the commissioner, which might be able to assist in getting hold of the information.

Enhanced powers for the information commissioner

The information commissioner’s powers have been strengthened under the reforms, allowing him to impose tougher penalties and issues binding decisions resulting from investigations and review applications. The limited resources provided to the commissioner may be an issue in enforcing this, particularly if the commissioner needs to go to the federal court to impose penalties on an entity; the court costs would have to be borne by the commissioner, a cost his office currently cannot afford under its budget.


Leave a Reply