Privacy legislation has once again become a topic of public discussion as the federal government undertakes a wide-ranging review of Australia’s privacy laws. The government has proposed major reforms that could significantly change the regulatory landscape, particularly in the area of online privacy.
In response to the review, and in keeping with its own commitment to strengthen privacy protections, the government released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) in October 2021.
The Online Privacy Bill proposes to strengthen existing provisions of the Privacy Act 1988 (Cth) (Privacy Act) by introducing better protections against the misuse of personal information by social media companies, data brokers and other large online platforms.
The proposed changes to the Privacy Act will affect not only Australian companies but also foreign entities doing business in Australia. The Online Privacy Bill also proposes to clarify an aspect of the Privacy Act that is a common source of confusion, namely the extent to which the Privacy Act applies extraterritorially.
Proposed amendments under the Online Privacy Bill
The main changes proposed by the Online Privacy Bill are:
- the introduction of a binding Online Privacy Code (OP Code) to better regulate social media services and other online platforms that collect or trade in personal information;
- stronger enforcement powers for the Office of the Australian Information Commissioner (OAIC), including broader investigative powers and higher penalties for breaches of the Privacy Act; and
- clarification of the extraterritorial reach of the Privacy Act, so that foreign businesses carrying on business in Australia must comply with the Privacy Act even if they do not collect or hold Australians’ personal information from a source in Australia.
The Online Privacy Bill is currently at the exposure draft stage and is likely to be introduced into Parliament (subject to election priorities). Businesses should therefore start thinking now about how the proposed changes will affect them and take any steps needed to prepare.
Who will be affected by these changes?
All organizations already covered by the Privacy Act will be subject to the higher penalties and the OAIC’s enhanced investigative powers. The OP Code, however, applies only to three categories of private sector organizations (OP organizations):
- Organizations that provide social media services
An organization provides a social media service if it provides an electronic service whose sole or primary purpose is to enable online social interaction between users.
- Organizations that provide data brokerage services
An organization provides a data brokerage service if it collects personal information from an electronic service (or from another organization that collected the information from an electronic service) primarily for the purpose of disclosing that information in the course of providing the service.
- Large online platforms
A large online platform is an organization that collects personal information through an electronic service in connection with the provision of information, goods or services and that has more than 2,500,000 end users in Australia in the current or previous year.
- Exemption for overseas activities
OP organizations will not breach the OP Code for activities that take place outside Australia.
Impact on businesses
If the Online Privacy Bill is passed, a number of changes will require businesses to adapt their existing privacy practices or develop new ones.
Businesses should ensure that they have policies and procedures in place that can be readily adapted and strengthened in line with any future changes to the Privacy Act. A business that fails to comply with its obligations under the Privacy Act may face the stronger regulatory and enforcement powers that the Online Privacy Bill proposes to give the OAIC.
What is the OP Code?
The Code proposes two important changes for OP organizations:
First, where an individual makes a reasonable request to an OP organization not to use or disclose their personal information, the organization must take the necessary steps to comply with that request.
Second, the OP Code will provide stronger protection for the privacy of children and vulnerable groups, and will specify how consent can be given by individuals in these groups. Social media services will also be required to:
- take all reasonable steps to verify a person’s age;
- ensure that the collection, use or disclosure of the child’s personal information is fair and reasonable under the circumstances (the best interests of the child being the primary factor of fairness and reasonableness); and
- obtain the express consent of a parent or guardian before collecting, using or disclosing the personal information of a child under the age of 16. If a social media service learns that a person is under 16, it must take all reasonable steps to obtain and confirm the consent of a parent or guardian.
Greater investigative and enforcement powers
The Online Privacy Bill responds to recommendations in the ACCC’s Digital Platforms Inquiry report by increasing the civil penalty for serious or repeated interferences with privacy to 2,400 penalty units ($532,800 at the current penalty unit value) for an individual. For a body corporate, the maximum penalty is increased to an amount not exceeding the greater of:
- $10 million;
- three times the value of the benefit obtained from the conduct that constitutes the serious or repeated interference with privacy; or
- if the value of that benefit cannot be determined, 10% of the body corporate’s annual domestic turnover.
The OAIC will also receive stronger regulatory and enforcement powers, including broader powers to make determinations, to require breach notifications and to share information, which are intended to encourage closer cooperation with other regulators such as ASIC, APRA and the ACCC.
Currently, an overseas organization must comply with the Privacy Act if it has an “Australian link” (that is, it carries on business in Australia and collects or holds personal information from a source in Australia).
This has become a source of confusion, as it is not always clear whether an overseas organization “collects or holds personal information from a source in Australia”. For example, the personal information of Australian customers is routinely collected directly by businesses located overseas, and multinational companies may collect or hold personal information about Australians without being registered in Australia.
The Online Privacy Bill proposes to clarify the extraterritorial application of the Privacy Act by removing the requirement that an overseas organization “collect or hold personal information from a source in Australia”. Under the proposal, a foreign organization that carries on business in Australia and collects the personal information of Australians will be subject to the Privacy Act even if it has no servers in Australia.
Application to overseas businesses
The practical effect of this proposed change is that many overseas businesses that previously did not consider themselves subject to the Australian privacy regime will have obligations under the Privacy Act. This will apply to overseas businesses that collect even basic personal information about Australians, such as name, date of birth, address and credit card details.
As noted above, an overseas business that is also an OP organization will not breach the OP Code in relation to activities that take place outside Australia. That exemption covers only conduct occurring overseas, however; an overseas OP organization must still comply with the OP Code in relation to its activities in Australia.
If the Online Privacy Bill is passed, it is vital that overseas companies that collect the personal information of Australians are aware of their obligations under the Privacy Act and take the necessary steps to maintain compliance.
If you are a company with a social media or online presence, we encourage you to consider implementing practices to help you comply with the proposed updates to the Privacy Act.
In addition, if you are a foreign company that collects the personal information of Australians and do not have up-to-date policies and protocols that comply with Australian privacy laws, we strongly recommend that you seek legal advice.