With new privacy laws commencing on 12 March 2014, businesses need to review their privacy practices to ensure they comply with their new obligations.
In addition to the introduction of the Australian Privacy Principles (“APPs”), another significant change is the increase in the regulatory and enforcement powers of the Privacy Commissioner. The new powers seek to improve the Privacy Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.
The Privacy Commissioner, Timothy Pilgrim, has indicated that he will not be taking a ‘softly softly’ approach in exercising these new powers.
Privacy Commissioner’s existing powers
Currently, the Privacy Commissioner has the power to undertake an ‘own motion’ investigation into whether the actions of an agency or private sector organisation may be an interference with the privacy of an individual. These investigative powers have been used largely in response to a privacy complaint, or when a serious breach of privacy has been reported by the media.
The Privacy Commissioner’s approach is to resolve privacy complaints on a case-by-case basis through conciliation. Resolutions have included:
- an apology
- a change to the respondent’s practices or procedures
- staff counselling
- taking steps to address the matter, for example providing access to personal information, or amending records
- compensation for financial or non-financial loss or
- other non-financial options, for example, a complimentary subscription to a service.
Most resolutions of privacy complaints have involved measures other than monetary compensation. The amounts of monetary compensation awarded have generally been modest (between $500 and $3,000).
The Privacy Commissioner’s emphasis in resolving privacy complaints has been to assist organisations to comply with the Privacy Act, rather than to punish the organisations that do not, for which the Privacy Commissioner had limited powers in any event. This focus is likely to change under the new powers granted to the Privacy Commissioner.
Changes to the Privacy Commissioner’s powers
The privacy reforms equip the Privacy Commissioner with a range of new powers. Significant changes include enabling the Privacy Commissioner to:
- accept written undertakings to ensure compliance with the Privacy Act
- use the Privacy Commissioner’s enhanced enforcement powers following an investigation of an act, practice, or complaint and
- apply to the court for a civil penalty order.
The Privacy Commissioner will be able to accept undertakings from an entity to take specified action or refrain from taking specified action.
For breaches of an undertaking, the Privacy Commissioner may apply to the Court to seek orders to compel the entity to comply with the undertaking, to pay compensation for any loss or damage caused by non-compliance with an undertaking, or any other order the Court considers appropriate.
Generally, the investigative powers of the Privacy Commissioner remain the same in relation to acts or practices that may be an interference with the privacy of an individual. As always, the Privacy Commissioner may investigate an act or practice that may interfere with the privacy of an individual, in response to a complaint, or on his or her own initiative.
The Privacy Commissioner has an expanded range of powers relating to the conduct of investigations, including powers to:
- conciliate complaints (previously not formalised)
- make preliminary inquiries of any person (previously limited to the respondent)
- require a person to give information or documents, or to attend a compulsory conference (similar to existing powers) or
- transfer matters to an alternative complaint body, such as the Ombudsman or the Australian Human Rights Commission (expanded definition of alternative complaint body applies).
After an investigation, the Privacy Commissioner may make a determination which must be complied with. Determinations may include:
- a declaration that the act or practice interferes with privacy
- a declaration that the person must take specified steps to ensure the act or practice is not repeated or
- a declaration that an individual is entitled to compensation for any loss or damage suffered as a result of the act or practice.
Court proceedings may be commenced by the Privacy Commissioner to enforce a determination.
The privacy reforms have granted the Privacy Commissioner a broad power to include any order that is considered necessary or appropriate. It will be interesting to see how this new power is used, considering Mr Pilgrim’s active approach to the reforms.
The reforms introduce a civil penalties regime into the Privacy Act for interferences with an individual’s privacy. This civil penalties regime is similar to those under the Competition and Consumer Act 2010 (Cth) and Corporations Act 2001 (Cth).
Under the new civil penalties regime, the Privacy Commissioner will be able to apply to the Federal Court or the Federal Circuit Court for a civil penalty order. If the Court is satisfied that the entity has breached a civil penalty provision, an individual can be liable for civil penalties of up to $340,000, and a body corporate for up to $1,700,000.
Civil penalties will apply to breaches of the credit reporting provisions and for serious or repeated interferences with the privacy of an individual, including breaches of the APPs. There is currently no commentary on the meaning of ‘serious or repeated interferences’, so it is unclear how the Privacy Commissioner will interpret this concept.
With the increase in privacy enforcement powers, and the current Privacy Commissioner’s attitude towards the new powers, it is likely we will see an increase in action taken against businesses for interferences with privacy.
In light of these changes to the privacy laws commencing on 12 March 2014, it is important that you review your privacy practices to ensure they comply with these new obligations.