Australian businesses should take their privacy law obligations seriously. Consumers value their privacy, and legislation clearly reflects this. Given the rapidly changing regulatory environment, it is important that Australian businesses begin updating their data collection and security processes in advance.
Privacy law in Australia
The Privacy Act 1988 (Cth) (Privacy Act) governs the way in which business entities and federal government agencies must collect, use, disclose and manage personal information in accordance with the 13 Australian Privacy Principles (APPs) set out within the Privacy Act.
Under the Privacy Act, ‘personal information’ is defined as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in material form or not.[1]
Examples of personal information include, but are not limited to, an individual’s name, address, telephone number, and date of birth.
The Privacy Act also governs sensitive information, a subset of personal information. ‘Sensitive information’ includes information about an individual’s racial or ethnic origin, political opinions, professional or political or religious affiliations or memberships, sexual orientation or practices, criminal record, health, genetics and/or biometrics.[2] Because of the nature of sensitive information, and in particular the greater harm that its unlawful disclosure and/or misuse can cause, the Privacy Act generally affords it more protection.
Are you legally required to have a privacy policy?
The Privacy Act applies to most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively referred to as the APP entities).[3]
If the Privacy Act applies to your business, then you are required to have a clearly expressed and up-to-date privacy policy which is freely available to members of the public.[4]
Even if the Privacy Act does not apply to your business, it is good practice to have a policy and procedures in place to collect and handle consumers’ personal and/or sensitive information appropriately and securely.
What must be included in a privacy policy?
A privacy policy must explain how your business manages consumers’ personal and/or sensitive information. The APPs require your privacy policy to include the following information:
- the kinds of personal information that your business collects and holds;
- how your business collects personal information;
- how your business holds personal information;
- the purposes for which your business collects, holds, uses and discloses personal information;
- how an individual may access and correct their personal information;
- how an individual may complain if your business breaches the APPs; and
- whether your business is likely to disclose personal information to overseas recipients, and the likely countries that information may be sent to.
Does your business need to comply with international privacy laws?
You should determine whether your business needs to comply with international privacy law and, if so, seek formal legal advice to better understand your legal obligations and ensure compliance. If you’re an online business in Australia, it is likely that your privacy policy will need to comply with numerous conflicting privacy regimes.
The European Union’s General Data Protection Regulation
Australian businesses may need to comply with the European Union’s General Data Protection Regulation (EU) 2016/679 (GDPR) data protection requirements if they:
- have an establishment in the EU;
- offer goods and/or services in the EU; or
- monitor the behaviour of individuals in the EU.[5]
There are some differences between the GDPR and the Privacy Act; for example, the GDPR gives EU citizens the right to erasure of their data (which encompasses the ‘right to be forgotten’) in certain circumstances.[6] Penalties for non-compliance are a maximum fine of up to €20 million or 4% of annual turnover, whichever is greater.[7]
For more information on how your business can comply with EU privacy laws, visit here.
The United Kingdom and the effect of Brexit
The GDPR continues to apply directly in the United Kingdom during the Brexit transition period, which currently runs until 31 December 2020.[8]
The UK’s Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amends the Data Protection Act 2018 (UK) (DPA) to incorporate the requirements of the GDPR to “ensure that the legal framework for data protection within the UK continues to function correctly after exit day”.[9]
The United States of America
Privacy laws vary from state to state in the US, with California recently adopting the most comprehensive and toughest state privacy law. The California Consumer Privacy Act of 2018 (CCPA) applies to Australian businesses that do business in California, and:
- have annual revenues over $25 million;
- collect the personal information of 50,000 Californians or more every year; or
- earn 50% or more of their annual revenue from selling Californians’ personal information.[10]
Unlike the Privacy Act, the CCPA grants Californians the right to know when their personal information is sold or disclosed and to whom, as well as giving Californians the right to opt out of the sale of their personal information.[11]
Regulator enforcement penalties include fines of up to US$2,500 for each unintentional violation and US$7,500 for each intentional violation.[12] The CCPA also grants a private right of action for data breaches, with statutory damages ranging from US$100 to US$750 per consumer per incident, or actual damages, whichever is greater.[13]
Contact
FAL Lawyers is well placed to advise you on privacy law compliance as well as how best to prepare for legislative changes around data privacy. Contact us for assistance and/or further information.
[1] Privacy Act 1988 (Cth), s 6.
[2] Ibid.
[3] Ibid, ss 6 and 6D.
[4] APP 1.
[5] General Data Protection Regulation (EU) 2016/679, Art. 3.
[6] Ibid, Art. 17.
[7] Ibid, Art. 83.
[8] Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (2019).
[9] Explanatory Memorandum to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019, page 1.
[10] California Consumer Privacy Act (2018), s 1798.140.
[11] Ibid, ss 1798.115 and 1798.120.
[12] Ibid, s 1798.155(b).
[13] Ibid, s 1798.150(a)(1).