DLA Piper has released its annual Data Protection Laws of the World for 2016.  It is quite a good resource though necessarily general.

It is interesting to see that Australia is found to have “robust” protection while America has “heavy” protection. Clearly there is an element of subjectivity in the assessment. The other factor is that laws and their enforcement are two different things.  Australia’s laws may be robust but their enforcement is tepid.

The report on Australia provides:

Data privacy/protection in Australia is currently made up of a mix of Federal and State/Territory legislation. The Federal Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities with an annual turnover of at least A$3 million and all Commonwealth Government and Australian Capital Territory Government agencies.

The Privacy Act was last amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which came in to force on 12 March 2014. The amendments significantly strengthened the powers of the Privacy Commissioner to conduct investigations (including own motion investigations), ensure compliance with the amended Privacy Act and, for the first time, introduced fines for a serious breach or repeated breaches of the APPs.

Australian States and Territories (except for Western Australia and South Australia) each have their own data protection legislation applying to State Government agencies (and private businesses’ interaction with them). These acts are:

• Information Privacy Act 2014 (Australian Capital Territory)

• Information Act 2002 (Northern Territory)

Collection & Processing

An organisation must not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities.

Under the Privacy Act organisations must also take steps, as are reasonable in the circumstances, to ensure that the personal information that the organisation collects is accurate, up-to-date and correct.

At or before the time personal information is collected, or as soon as practicable afterwards, an organisation must take reasonable steps to make an individual aware of:

• its identity and how to contact it

• why it is collecting (or how it will use the) information about them

• to whom it might give the personal information

• any law requiring the collection of personal information

• the main consequences (if any) for the individual if all or part of the information is not provided

• the fact that the organisation’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organisation will deal with such complaint

• whether the organisation is likely to disclose their personal information to overseas recipients and, if so, the countries in
  • which such recipients are likely to be located.

  Organisations usually comply with these notificaitons requirements by including the above information in a privacy policy and requiring individuals to accept that privacy policy prior to collecting their personal information.

  One of the biggest issues in practice in respect of collection and compliance with the Privacy Act for organisations is the failure to appreciate that the obligations with respect to mandatory notification outlined above also apply to any personal information they collect from/via a third party. That is, a separate and independant obligation to notify the mandatory matters arises on the receipt of personal information from a third party, as though the organization had collected such personal information directly from the individual. In contrast to Europe, Australian privacy law does not distinguish between a ‘data processor’ and a ‘data controller’.

  An organisation must not use or disclose personal information about an individual unless one or more of the following applies:

  • the personal information was collected for the primary purpose of such disclosure or a secondary purpose related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organisation to use or disclose the information for that secondary purpose
  • the individual consents
  • the information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organisation
  • a ‘permitted general situation’ or ‘permitted health situation’ exists; for example, the entity has reason to suspect that unlawful activity relating to the entity’s functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public
  • it is required or authorised by law or on behalf of an enforcement agency.

  In the case of use and disclosure for the purpose of direct marketing, organisations are required to also ensure that:

  • each direct marketing communication provides a simple means by which the individual can opt-out
  • the individual has not previously requested to opt-out of receiving direct marketing communications.

  Where ‘sensitive information’ is processed there are additional protections under the Privacy Act which generally provide that an organisation is not allowed to collect sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

  • the individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity’s functions or activities
  • collection is required or authorised by law or a court/tribunal order
  • a ‘permitted general situation’ or ‘permitted health situation’ exists; for example the information is required to establish or defend a legal or equitable claim or he/she is a serious treat to the life or health of the individual or the public
  • the entity is an enforcement body and the collection is reasonably necessary for that entity’s functions or activities
  • the entity is a non-profit organisation and the information relates to the activities of the organisation and solely to the members of the organisation (or to individuals who have regular contact with the organisation relating to its activities).

  An organisation must, on request by an individual, give that individual access to the personal information (and the ability to correct inaccurate, out of date or irrelevant information) that is held about the individual unless particular circumstances apply which allow the organisation to limit the extent to which access is given (and to which correction is performed). These include emergency situations, specified business imperatives and law enforcement or other public interests.

  Organisations must also provide individuals with the option of not identifying themselves, or of using a pseudonym, when dealing with that organisation unless it is impractical to do so or the organisation is required (or authorised) by law to deal with identified individuals.

  Transfer

  Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organisation outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing/transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where:               

  • the organisation reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although it is a step towards ensuring compliance with the ‘reasonable steps’ requirement)

  • the individual consents to the transfer However, under the Privacy Act the organisation must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organisation will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs

  • a ‘permitted general situation’ applies, or

  • the disclosure is required or authorised by law or a court/tribunal order.

  Security

  An organisation must have appropriate security measures in place (ie ‘take reasonable steps’) to protect any personal information it retains from misuse and loss and from unauthorised access, modification or disclosure. The Privacy Commissioner has issued a 32 page detailed guidance document on what it considers to be “reasonable steps” in the context of security of personal information, which we recommend be reviewed and implemented. An organisation must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

  Breach Notification

  An organisation that breaches the Privacy Act is currently under no legal obligation (and it is not generally current practice) to report that breach to the affected individual(s) or the OAIC. However, the OAIC has issued a guidance on data breach notification which recommends that if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified.

  Enforcement

  The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made.

  The Privacy Commissioner may also investigate any ‘interferences with the privacy of an individual’ (ie any breaches of the APPs) on its own initiative (ie where no complaint has been made) and the same remedies as below are available.

  After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organisation rectify its conduct or that the organisation redress any loss or damage suffered by the complainant. Furthermore, fines of up to A$340,000 for an individual and A$1.7 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals.

  Electronic Marketing

  The sending of electronic marketing (which is referred to as ‘commercial electronic messages’ in Australia) is regulated under SPAM Act 2003 (Cth) (‘SPAM Act’) and enforced by the Australian Communications and Media Authority.

  Under the SPAM Act a commercial electronic message must not be sent without the prior ‘opt-in’ consent of the recipient. In addition, each electronic message (which the recipient has consented to receive) must contain a functional unsubscribe facility to enable the recipient to opt-out from receiving future electronic marketing.

  A failure to comply with the SPAM Act (including unsubscribing a recipient that uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to A$1.7 million per day.

  Online Privacy

  There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act and State and Territory privacy laws relating to online / e-privacy, the collection of location and traffic data, or the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user the organisation must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers’ personal information complies with the Privacy Act and the Privacy Commissioner has released  detailed guidance on this.