Online Privacy

As businesses develop and extend their online presence, many quickly find themselves collecting personal information from their website's visitors, including as a result of enquiries, signing up to an email newsletter, or online ordering and payment processing.

Long-anticipated changes to privacy law in Australia were made late last year and these changes will come into effect on 12 March 2014. The changes introduce a new set of 13 privacy rules called the Australian Privacy Principles (APPs) that replace the current credit reporting provisions, and strengthen the powers of the Australian Information Commissioner.

If the APPs apply to your business, you will need to review, and potentially change, your information handling practices to make sure that you comply with the new privacy requirements before they come into effect.

Small Businesses

The APPs will apply broadly to many types of organisations and businesses. However, small businesses (those with an annual turnover of $3 million or less) are generally not required to comply with the APPs, unless an exception applies.

Even if the APPs don't apply to your business, it can be helpful to set out how you will treat your website visitors' or customers' personal information – for example, in an online privacy policy, or in a statement displayed at the time you ask them to provide their personal information. By doing this, your business may benefit from an increase in consumer confidence and trust, and from meeting the growing expectations of Australians who wish to know how their personal information will be dealt with.

Changes to the Collection and Handling of Personal Information

The new APPs replace the existing National Privacy Principles and govern the collection, use, disclosure and maintenance of personal information. Among the important changes for businesses that currently have to comply with the Privacy Act are:

  • Open management of personal information
    Businesses will need to include additional information in their privacy policies, including how an individual can complain about a breach of their privacy, whether the business is likely to disclose information overseas (this can include storing the information on overseas servers), and the overseas locations in which personal information is likely to be held or disclosed. Businesses will also need to ensure that their privacy policy is publicly available – usually via a link at the bottom of their website.

  • Dealing with unsolicited information
    It is important to realise that the APPs apply even if you are given unsolicited personal information, i.e. personal information you did not ask for. Businesses that receive unsolicited personal information must determine whether this information could have been lawfully collected by the business itself. If the business could not have lawfully collected the information itself, it will generally need to destroy or de-identify the information.

  • Direct marketing obligations
    There are new requirements around direct marketing to individuals, for example through telephone calls, SMS, mail, email and online advertising.

    If businesses use personal information such as contact details for direct marketing purposes, they must ensure (amongst other things) that there is a straightforward and free mechanism for individuals to opt out of receiving the direct marketing communications.

    These requirements do not override obligations under the Spam Act, which continue to apply to electronic communications.

  • Overseas disclosure of personal information
    If you send personal information overseas (including storing and processing information in the cloud with an overseas service provider), your obligations will become greater following the changes to the privacy law.

    Under the changes, before a business discloses personal information overseas (which may happen without the business even knowing), the business must take reasonable steps to ensure that the overseas recipient of the information does not breach the APPs. If the overseas recipient does breach the APPs, the business may still be held liable for that breach.

Increased powers of the Commissioner

Under the changes, the Commissioner will be given the power to seek penalties of up to A$1.7 million for serious or repeated interferences with an individual's privacy. The Commissioner will also be given the power to accept court enforceable, written undertakings from businesses to comply with agreed privacy obligations. The Commissioner's powers of investigation have also been strengthened, with the Commissioner now able to conduct investigations into potential breaches of the privacy law even if a complaint has not been made.

What next?

The new privacy laws come into effect on 12 March 2014. Even if the new privacy laws don't apply to your business, you should consider these issues and how you might address them – your business may benefit from a better relationship with its customers as a result.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

K&L Gates has been awarded a 2012 EOWA Employer of Choice for Women citation acknowledging our commitment to workplace diversity.