Well we’re joined once again by Michael Pattison who heads up the Technology, Media and Telecommunications Group at Allens and joins us from Melbourne. Michael welcome back to BRR Media.
Thank you Kate nice to be here.
Well Michael, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was of course introduced to Parliament yesterday morning by the Attorney-General Nicola Roxon. Now the name of the Bill suggests that it will be introducing stronger privacy protections; will organisations therefore need to pay more attention to complying with privacy legislation as a result of these amendments?
I think they will Kate. There’s been a constant criticism of Australia’s privacy regime that it really lacks any teeth. And there’s been very few determinations requiring payment of compensation by the Privacy Commissioner since the regime was introduced. We’re now going to have a regime that introduces both civil penalties and also in some cases criminal offences for breaching privacy. In the case of civil penalties the penalty for an individual breaching the Act is going to be $220,000, so it’s a significant sum of money, but in the case of a corporation it’s increased to $1.1 million. These penalties only apply where there’s a serious or repeated interference with privacy, so they’re not going to be applied lightly but where they apply I think we’re going to find organisations will have to treat them much more seriously than they have in the past.
So certainly they’ll be standing and taking notice. Well if we look then at the National Privacy Principles, what are the major changes here?
The first is a change of name: they’re now going to be called the Australian Privacy Principles, and I think the reason that’s being done is to show that the same principles are going to apply both to the public sector and also to the private sector. In the past we had one set of principles for one and another set of principles for the other; now they’re all going to be subject to the same privacy principles, the Australian Privacy Principles, so that’s another term we’re all going to have to get used to. Dealing with the substance of the changes, one of the most significant changes is the rules relating to data transfers overseas. Now at present data transfers overseas are forbidden, unless an exception applies. The good news is that they’re now going to be permitted provided you’ve taken reasonable steps to ensure that the overseas recipient will not breach the Australian Privacy Principles; so that’s a step forward. The bad news is that when you do disclose information to someone overseas you’re going to remain forever accountable for their acts with that information. So even if the relationship between you and, say, your cloud service provider has terminated, if some years down the track there’s a breach of privacy by that cloud service provider you will still remain liable for those breaches. The major exception is going to be if the individual has consented to the transfer of the information overseas after being told that you aren’t going to try to make the overseas recipient comply with the Privacy Principles, and I’m just not sure how practical that’s going to be in practice, telling people that and then asking them nonetheless to disclose their personal information to you. So I think the change with respect to the data transfer obligations is going to require many entities to rethink the way they approach activities such as outsourcing, cloud computing and general interactions with people located overseas, including members of the same corporate group.
Yes, certainly, and another thing that’s gained a lot of attention has been the credit reporting provisions of the Privacy Act; they gained significant attention during the law reform process. How is that regime going to change?
In a nutshell Kate it’s going to be completely revamped and it will probably take over an hour to go through all the changes that have been proposed to that, so I’m not going to try and do that now. But yeah in essence what’s happened is that the Act has expanded the type of information that now can be collected by credit reporting agencies, so they’re now going to be able to collect information to do with an individual’s positive data relating to their credit history, not just the negative data to do with their defaults in the past, so that will be of use to people involved in the credit reporting industry. However there are going to be enhanced privacy protections in relation to the data which is disclosed to those credit reporting agencies.
And Michael just finally when will companies need to start reviewing their data handling procedures to ensure that they will be complying with the amended legislation?
Kate, the Bill states that it commences nine months after it receives Royal assent, and I’m not expecting that there’s going to be a lot of difficulty getting the Bill through Parliament. So provided there is in fact time for it to be processed through Parliament it should get through Parliament in the winter session, and certainly that’s the Government’s aim. And then I’d imagine Royal assent will be given fairly soon after that, and then companies are going to have to start complying with it, you know, nine months after that date. So probably the first or second quarter of the next calendar year.
Well it certainly seems like there’ll be a number of things for companies to consider, so thank you once again for joining us and giving us your insights on the matter.
Not at all Kate.
That was Michael Pattison who heads up the Technology, Media and Telecommunications Group at Allens. Now listeners if you have any questions for Michael, of course you can send them in either using the panel on your screen or otherwise via email to email@example.com.