On 12 March this year Australia’s Privacy Amendment Act, aimed at establishing principles ‘that will regulate the handling of personal information by both Australian government agencies and businesses,’ will come into force.
Although not as far reaching as many privacy advocates had hoped for (the Australian Law Reform Commission originally made almost 300 recommendations, about only half of which have made it into the new Amendment), it is hoped that the new laws will provide some measure of protection for Australian citizens’ online data.
‘Australia’s privacy laws have been brought into the digital age,’ according to the Attorney-General’s Department, and in response to the increasing role that the internet plays people’s lives, will ‘give consumers more power to opt out of direct marketing.’
So if you are Australian, how will these changes affect you?
Data collection and what it is used for
Whenever an organization collects personal data it must take ‘reasonable steps’ to notify you that it is doing so, and also to explain why the information is being collected.
Guidelines are provided about what ‘reasonable steps’ means, and despite some danger of subjectivity in their implementation, they are intended to be ‘an objective test: namely, whether a reasonable person in those circumstances would agree that an [organization] has acted reasonably in providing a notice or ensuring awareness.’
Concern has been raised over a clause that allows collection of data before you are notified, as long as you are notified ‘as soon as possible after’. Australia’s information commissioner, Professor John McMillan, has responded by saying that his office will provide oversight over these retrospective collections.
Data sent overseas
An important aim of the new laws is to protect Australian’s data when it is sent overseas, ensuring that it receives similar privacy protections abroad at does at home. Organizations are therefore required take ‘reasonable steps’ to ensure privacy principles are not breached overseas., such as entering into contractual agreements with relevant companies that data will not be misused,
A somewhat worrying exception to this rule, as it is vaguely worded and potentially open to abuse, is if ‘the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to way the APPs (Australian Privacy Principles’ protect the information.’
McMillan has offered assurances that oversight will be provided on a case-by-case basis, with ‘the onus [being] on the individual entity to ensure adequate privacy protection.’
Your right to access personal data help by private companies
The new laws extend your existing right to access personal information held by government agencies under the Freedom of Information Act to also include, as a separate right, access personal information held by private companies such as Facebook or Google.
Private companies must respond to such a request ‘in reasonable time’ (with the guidelines suggesting a 30 day timeframe as reasonable), and you have the right to appeal to the commissioner’s office is a company is not forthcoming with the information. If providing you with the information cost the company money however, it may impose a charge for the service.
The information commissioner gets beefed up powers
The information commissioner can now impose tougher penalties and issue binding decisions, but these new powers are somewhat undercut by the limited resources available to enforce these. If, for example, he needs to go to the federal court to impose penalties on a company then his office will need to cover the court costs, something it cannot currently afford to do.
The new privacy law reforms are far from perfect, being both overdue and inadequate, but they should nevertheless be seen as a move in the right direction, a beginning to a wider strengthening of Australian’s right to privacy rather than as an endpoint solution. As such however, they do represent something for Australians to celebrate.