Recent news has focused on the EU data protection laws and the Wikileaks and Edward Snowden incidents. However, another privacy law reform has occurred on the other side of the globe which is likely to have an impact on US corporations.
On 12 March 2014 the Australian privacy law amendments come into effect. These changes to the Privacy Act 1988 (Cth) were passed by the Australian Parliament in November 2012 with a 17-month “preparation period”. This period allows businesses to adapt and comply with the new laws before the reforms become enforceable.
As the deadline draws nearer, it is important for US businesses with Australian customers or local Australian operations to turn their minds to these reforms.
Australian versus US Law
It is important for US businesses operating in Australia or dealing with Australian customers to understand that the Australian laws are structurally different from EU and US laws.
Australian privacy law covers ‘personal information’. ‘Personal information’ includes any information about a person that identifies that person (such as email addresses, phone numbers, addresses or other basic personal details), even if that information is publicly available, or is the kind of information that people share regularly. Information doesn’t need to be private to be personal. An email address is considered just as much personal information under Australian law as a date of birth or driver’s licence number. There is also a category of personal information known as ‘sensitive personal information’ that includes health information, government identifiers (such as tax file numbers), union membership, race, religion and other information that is sensitive.
Every business in Australia with a turnover of more than AU$3 million that collects personal information will need to have a privacy policy as part of the new law.
The Australian privacy laws are also principles-based, meaning that they set out principles which apply to government and businesses dealing with personal information. This is different from laws which prescribe registration as a ‘data controller’ or a ‘data processor’.
The Australian law previously consisted of Information Privacy Principles for government agencies, and National Privacy Principles for business. These will now be 13 Australian Privacy Principles (APPs) for both government and business.
The APPs deal with how personal information should be collected, used and disclosed. The APPs say that personal information must be collected in fair, open and transparent ways, and dealt with and disclosed in similar ways. The exact way of dealing with the information is not mandated, but there are generally accepted practices. The principles dealing with the collection, use and disclosure of sensitive personal information are more restrictive.
New Enforcement Powers
For most businesses, the key change is the introduction of new civil penalty provisions. Prior to these reforms, there was no substantial way for the law to be enforced by the Australian Information Commissioner. The Commissioner, thought by some to be a “toothless tiger”, now has a real way of penalising businesses for non-compliance beyond the traditional “name and shame” strategy.
The ability of the Commissioner to seek new civil penalty orders from the Courts of up to AU$340,000 for individuals and AU$1.7m for corporations will give the Commissioner the enforcement “teeth” he has lacked up until now, which will make privacy law an increasingly important area of compliance for businesses operating in Australia.
Historically, privacy compliance in Australia has not been a priority for many international corporations, as the relative size of Australia’s population and market, and the lack of enforcement measures, have not created any major incentives or disincentives to tailor compliance policies to local law. There have also been relatively few major political issues around privacy in Australia over the past two decades. However, with US IT service companies already under the microscope due to the Snowden leaks, the new penalties coming into play, and the publicity surrounding the new reforms increasing Australian public awareness of privacy issues, no US company doing business in Australia or with Australian customers can afford to ignore this compliance issue any longer.
Australian customers are increasingly concerned with data security and compliance issues as technology becomes an ever more constant presence in every Australian’s daily life. As this concern grows, Australian companies will come under even more market pressure to guarantee privacy for their customers. These pressures mean that US service providers who can guarantee Australian privacy compliance will win work and customers from service providers who can’t give that assurance.
Overseas Data Transfers
For US businesses operating in Australia, the requirements regarding overseas data transfers may affect current business structures. Personal information collected in Australia and transferred to another jurisdiction requires the consent of the person whom the information is about. This means that US companies collecting personal information in Australia about customers and storing that personal information on servers outside of Australia must have terms and conditions providing customer consent to the transfer of that information.
Without consent from the customer, companies must comply with other more complex rules around the transfer of personal information overseas. For many companies, it is standard practice to collect customer information from a variety of jurisdictions and store that information in a central US location, so these reformed overseas data requirements are likely to impact many US businesses.
Effect on International Contracts
US service providers with Australian customers should also prepare themselves for increased scrutiny from those Australian customers in relation to privacy compliance. The new reforms impose liability on Australian companies for the privacy breaches of their contractors overseas. This means that Australian companies dealing with US data storage and cloud computing providers are going to have heightened sensitivity to the service provider’s ability to comply with Australian data protection and privacy requirements.
For companies that provide such services to Australian customers, an awareness of the new laws could be an important way to distinguish themselves within the market. In particular, it is expected that requests for indemnities for breaches of Australian privacy law will become very common.
What Can You Do to Ensure You Comply?
If you are a US business with operations in Australia, or you are a US business providing cloud computing services to Australian customers, you should:
- review the terms and conditions that your Australian customers agree to when using your services to ensure you have the relevant consents to transfer data overseas;
- become familiar with the new laws so that you can update your policies and procedures and give your Australian customers comfort that your business complies with Australian law;
- implement internal policies to deal with direct marketing opt-outs and requests from customers for the information you hold about them, as well as requests for information to be “de-identified”; and
- update your contracts with customers and suppliers to ensure liability for the actions of third parties is appropriately addressed.
While the new laws may increase the compliance burden for US companies operating in Australia or with Australian customers, the Australian privacy law is still far less burdensome than the EU law. The additional compliance burden is also less difficult to deal with than the penalties for non-compliance.