You are probably aware, although it is worth a reminder, that some important changes to Australian privacy laws came into effect on 12 March 2014.
From that date, businesses stand to be liable for increased penalties of up to $1.7 million for breaches of the Privacy Act in relation to how they collect and use personal information.
There are also changes to how you can use personal information for direct marketing.
“While these changes have been coming for some time, we are finding that clients are only now becoming alert to the potential impact of these changes on their business, and we are currently advising numerous clients on privacy compliance ahead of these changes,” said Mr. Peter Karcher, Media Partner at ClarkeKann Lawyers and Privacy Law specialist.
What changes have been made to the Privacy Act?
Towards the end of 2012 the Senate passed amendments to the Privacy Act 1988 implementing changes to Australian privacy law in a number of areas. These changes included:
2. Increased liability for Australian businesses when transferring or disclosing personal information overseas; and
3. Greater penalties and enforcement powers for the Australian Information Commissioner.
How do the changes affect outsourcing of information management and storage such as Cloud Computing?
Under existing laws, a business may only transfer personal information overseas if the individual concerned consents, or if the business has taken certain steps to ensure that the overseas recipient will hold and use the information consistently with Australian law. The amendments to the Privacy Act take this a step further, so that even in circumstances where the Australian business has taken such steps, a privacy breach by the overseas recipient can be deemed to be a breach by the Australian business, giving rise to liability for the Australian business under local Australian law. Not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with out-sourced IT service providers and cloud computing services.
What should you do now?
With increased penalties of up to $1,100,000 for corporations, and the possibility of actions for misleading and deceptive conduct under the Australian Consumer Law, businesses need to be prepared for the effective start date of these new laws in March 2014 by reviewing their privacy policies, data collection and handling policies, and third party IT and data management contracts.
Peter Karcher may be contacted as follows
P: (02) 8235 1218