The Office of the Australian Information Commissioner (“OAIC”) issued a guidance document last week on the new privacy laws taking effect on March 12, 2014. The “Australian Privacy Principles Guidelines” offer an integrated view of the Privacy Act of 1988 following 2012 amendments to the Act, most of which are only now taking effect. The 2012 amendments made several changes to Australian privacy law, including:
- Creating a unified set of privacy principles applicable to both government and private entities.
- Introducing new enforcement powers for the OAIC and creating a new civil penalty with fines up to $1.7 million (AU) for “serious” or “repeated” violations of the Privacy Act. The new civil penalty also applies to “interference” with personal data, which could include a hacker viewing personal information as part of a security breach.
- Requiring that entities subject to the law take “reasonable steps” to protect personal information from “interference.”
- Replacing the “adequacy” approach to transborder data flows with an “accountability” model to conform better to APEC privacy principles and to hold entities responsible for what happens to personal information after it has been shared with another entity.
- Introducing opt-out requirements related to direct marketing and other marketing activities.
These changes impact companies in Australia as well as any other company that conducts business in Australia. Based on the new definition of an “Australian Link”, the law and the OAIC guidance clarify that the Privacy Act has extra-territorial application and covers a website operated by a non-Australian entity on a non-Australian server if it collects personal information of a person physically located in Australia. The OAIC guidance also states that listing Australia in a drop-down menu of countries on a website, selling or making available goods or services in Australia, or having registered trademarks in Australia would also be grounds to be considered covered by the Act. Thus, companies with Australian users should carefully review the new guidance before next Wednesday. Luckily, Section 13G of the Privacy Act makes clear that acts prior to the commencement time of the new provisions will not be considered violations of the law.
