Potentially more assertive privacy enforcement in the future in Australia predicts direct marketing body

April 28, 2015

Since the amendments to the Privacy Act took effect on 12 March 2014 there has been some muted talk of enforcement but not much actual use of the powers made available to the Privacy Commissioner.  Given the laxity of compliance, that has been an unusual policy and practical response. Then again, there is a tradition amongst regulators of allowing a year for organisations affected by changes to comply.  That may be the explanation for the approach to date, though it should be noted that 18 months elapsed between the passing of the amendments and their taking effect.  That was done specifically to permit organisations to get their houses in order.

According to Mumbrella, in “Marketers warned to expect privacy breach crackdown as new laws enter second year”, a change of regulatory action may be in the offing.  It provides:

Marketers have been warned to expect a more aggressive approach from Australia’s privacy commissioner as authorities begin to crack down on breaches following the introduction of new regulations.

The Association of Data Driven Marketing and Advertising (ADMA) predicted authorities will take a harder line after spending the first 12 months bedding down, and helping companies comply with the new rules.

Changes to the Privacy Act came into force last March with the creation of 13 Australian Privacy Principles (APPs) outlining how personal information can be collected, handled, processed and used for marketing purposes.

The shake-up also gave power to Privacy Commissioner Timothy Pilgrim to investigate companies regardless of whether a complaint has been made, with each privacy breach subject to fines of up to $1.7m.

Until now, Pilgrim has adopted a softly softly approach as firms grappled with reform. But according to ADMA regulatory affairs director Jeannette Scott, that is likely to change as she warned the commissioner is likely to use those powers as reforms enter their second year.

“For the first year there was an emphasis on developing guidance, answering questions and bedding down reform, not only for businesses but for the regulator. But there comes a point when the laws will be bedded down and that will free up some of the commissioner’s resources,” Scott said.

“In the last 12 months we have not seen many fines or regulatory activity and while there hasn’t been a honeymoon period per se the regulatory approach has been to try and work with people to address compliance.

“But over the next 12 months you can expect to see a few more fines and investigations come to the fore. The Privacy Commissioner has got the teeth and my understanding is that while he was working initially to help businesses comply, that will change.

“I think we’ll see a tightening of the glove and I think we can expect more [investigations].”


The Office of the Australian Information Officer (OAIC) declined to comment on the approach over the next 12 months and beyond. But in a speech earlier this year to the International Association of Privacy Professionals (IAPP), Pilgrim revealed it was soon to “conduct an assessment” on 21 companies to determine whether their privacy policies were “clearly expressed and up-to-date”.

“This demonstrates that the OAIC is proactively looking at entities’ responses to the new requirements,” he said. “We have had almost a year to settle into the changes to privacy law [and] we’d like to start talking about more than just basic compliance and shift the conversation to ongoing governance.”

The major changes included greater transparency, with brands required to explicitly tell people they have their data and what purposes they intend to use it for. Clearer opt-out statements are also required while marketers must be wary of identifying some through “context”.

“Something that started its journey as not being personal information might become so through context, so marketers must look at the life cycle of data, not at one particular touch point,” Scott said. “You are having to be conscious of the data the whole way through.”

Scott said ADMA members have demonstrated a “commitment” to adhere to the new policies, but suggested smaller companies – many of whom are not members of  ADMA – are struggling to understand and implement the changes.

“If you own a small family business and don’t have an in-house privacy team or legal counsel or regulatory compliance how do you take the time to go through 260 pages of guidance and understand it yourself?” Scott said.

“We have gone a small way to doing our bit in that space [by providing information for non-members] but from questions I’m being asked there is still a great deal of understanding to be built at the small business end of town.

“Smaller businesses don’t tend to be part of our membership base but we have built tools that we have made available to the public, which inherently means small businesses, to try and give them a helping hand. They are the ones who are struggling.”

There is a “greater sense of frustration among smaller business”, Scott added, with the word ‘change’ giving rise to fear over the complexities, time and cost of compliance.

Confusion as to what falls under the act

She said the issue can be confusing with many concerns raised by small and medium size entities not even relating to the Privacy Act.

“The questions they have about the new privacy laws actually don’t relate to the new provisions at all and in many cases don’t even relate to the Privacy Act,” Scott explained. “I’ll often hear someone say ‘I have been at an event as an exhibitor, I’ve got a copy of the attendee list can I email them?’.

“But emails don’t fall under the Privacy Act, it comes under the Spam Act. For small business it is basic principles, rather than the new changes, they are struggling with.”

Despite the challenges, Scott stressed it was imperative for firms, however onerous they find the issue, to get to grips with the laws.

“Privacy is such a topical issue because it’s emotive, and if companies hit the media as having a privacy breach it is hard to recover from that,” she said. “Even if you survive the investigation process, if there is a social media campaign against you saying ‘don’t give your details to X, don’t deal with them because your details are insecure’, then it’s hard to come back from.”

Beyond the Privacy Policy

She said some firms are misunderstanding they can no longer rely on a privacy policy on their website but must “let people know you are collecting their personal information”.

“But smart marketers can use the stricter regulations surrounding opt-outs to their advantage and create a point of difference from competitors,” Scott said.

Rather than simply creating an unsubscribe link – which will ensure compliance – firms should build preferences into their opt-outs, a practice which could mean the difference between retaining and losing a customer.

“If, as a consumer, I can unsubscribe then the company will have complied but then I won’t hear from them at all. It may well have been that I was happy to hear from them, but maybe once a week rather than every day, or monthly rather than weekly.

“It’s not a mandate, but if you provide preferences then you are allowing the consumer to make a choice and you are ending up with target data that is far more responsive to your communications.

“It is an opportunity to create a point of distinction, and we are starting to see more and more companies do this.”

Scott said some firms “over-complicate” privacy, and ignore simple business practices that could prevent a whopping $1.7m fine.

“Sometimes sales people will come back from a business meeting and want to add a person to the newsletter distribution. But they then ask ‘how do I get consent to do that?’ Companies need to make it a practice to ask at the time of the meeting whether you can add their name.”

The article tends to be short on specific sourcing of a change in attitude.  One piece of evidence seems to be the speech given by the Privacy Commissioner earlier this year in Sydney at an IAPP event where he spoke of an assessment of 21 companies.  I was at that event.  I heard what the Privacy Commissioner said and I doubt one can take a new focus from that speech.  It was in keeping with previous speeches he has given over the last few years, a bit of something for everybody and a keen desire not to scare the horses.  That does not give rise to a more assertive approach akin to ASIC or ACCC.  That is a shame.  The laxity of compliance requires a more proactive approach.  Or maybe just a proactive one.  In fact an active one would be a, baby, step in the right direction.
