australia’s online privacy bill: impact on australian and overseas businesses
Privacy legislation is once again the topic of public discourse as the Federal Government has undertaken a broad review of Australia’s Privacy legislation. The Government has proposed major reforms that could substantially alter the regulatory landscape – especially within the online privacy space.
In response to the review, and following its own commitment to strengthen privacy protections, the exposure draft for the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) was released in October 2021.
The Online Privacy Bill proposes to strengthen the existing provisions of the Federal Privacy Act 1988 (Cth) (the Privacy Act) by better protecting against the misuse of personal information by social media companies, data brokerage companies and other large online platforms.
The proposed changes under the Online Privacy Bill impact not just Australian businesses, but also foreign organisations who carry on business in Australia. The Online Privacy Bill proposes to clarify an existing aspect of the Privacy Act which can be a common source of confusion, being to what extent the Privacy Act applies extraterritorially.
proposed changes in the online privacy bill
The key changes proposed by the Online Privacy Bill include the following:
- the introduction of the Online Privacy Code (OP Code) to better regulate social media and online platforms that collect or trade in personal information;
- updating the enforcement powers of the Office of the Australian Information Commissioner (OAIC), by allowing for wider investigative powers and steeper penalties for breaches of the Privacy Act; and
- clarifying the extraterritorial scope of the Privacy Act, to make it clear that foreign businesses who carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia.
The Online Privacy Bill is currently in the ‘exposure draft’ stage, and is likely to be introduced to Parliament (pending election priorities). For this reason, we recommend that businesses start to think about how they will be impacted by the proposed changes and take any steps necessary to prepare.
who will these changes impact?
All businesses who are already subject to the Privacy Act will be impacted by the greater penalties available and expanded investigative powers of the OAIC. The OP code only impacts three categories of private sector organisations (also referred to as OP organisations).
- Organisations that provide social media services
An organisation will be considered as a social media service where they provide an electronic service, with the primary purpose of enabling online social interaction between users.
- Organisations that provide data brokerage services
Data brokerage service organisations collect personal information from either an electronic service or another entity that collected the personal information from an electronic service, for the primary purpose of disclosure in the course of providing a service.
- Large online platforms
A large online platform is one that collects personal information by use of an electronic service in connection with providing access to information, goods or services, and has over 2,500,000 end-users in Australia in the past or current year.
- Overseas Exemption
OP organisations will not breach the OP code for actions that are undertaken outside of Australia.
impact on businesses
If the Online Privacy Bill is passed, there will be a series of changes that will require businesses to adapt their existing privacy practices or develop new practices.
Businesses should ensure that they have policies and protocols in place that can be easily adapted and strengthened in accordance with any forthcoming changes to the Privacy Act. If a business fails to comply with its obligations under the Privacy Act, it may be subject to greater regulatory and enforcement powers available to the OAIC currently proposed under the Online Privacy Bill.
what is the OP code?
The code proposes two significant changes for OP organisations:
Firstly, in the circumstance where an individual makes a reasonable request to an OP organisation to not use or disclose their personal information, the organisation is obligated to take the necessary steps to meet that request.
Secondly, the OP Code will include stronger privacy protections for children and vulnerable groups. The code will specify how consent can be given from individuals in these groups. Social media services in addition are required to:
- take all reasonable steps to verify the age of an individual;
- ensure that the collection, use or disclosure of a child’s personal information is fair and reasonable in the circumstances (the best interests of the child are the primary consideration of what is fair and reasonable); and
- obtain parental or guardian express consent before the collection, use or disclosure of a child’s personal information who is under the age of 16. If a social media service becomes aware an individual is under the age of 16, they must take all reasonable steps to obtain and verify the parent’s or guardian’s consent.
greater investigative and enforcement powers
The Online Privacy Bill addresses recommendations made in the ACCC’s Digital Platforms report by expanding the civil penalties available for a serious and repeated interference with privacy to 2,400 penalty units ($532,800 on current penalty unit values) for an individual. The maximum penalty for a body corporate is increased to an amount not exceeding the greater of:
- $10,000,000;
- three times the value of the benefit obtained from the conduct constituting the serious and repeated interference with privacy; or
- if the value cannot be determined, 10% of the annual turnover.
The OAIC will be granted stronger regulatory and enforcement powers that include greater declarations, infringement notices and information-sharing powers which encourage greater collaboration with other regulators such as ASIC, APRA, and the ACCC.
extraterritoriality
Currently under Australia’s privacy legislation, overseas businesses are required to comply with the Privacy Act if they have an “Australian link” (i.e. they carry on business in Australia and collect or hold information from a source in Australia).
This has been the source of confusion, as it is not always clear whether an overseas business “collects or holds personal information from a source in Australia”. For example, the personal details of Australian customers are routinely collected directly by companies based overseas. It can be unclear as multinational companies may collect or hold personal information from Australia, without being incorporated in Australia.
The Online Privacy Bill proposes to clarify the extraterritorial application of the Privacy Act by removing the requirement for an overseas organisation to “collect or hold personal information from sources inside of Australia.” It is proposed that foreign corporations who carry on business in Australia and collect the personal information of Australians will be subject to the Privacy Act, even if they do not have servers in Australia.
application to overseas businesses
The practical impact of this proposed change is that many businesses overseas, who have not previously considered themselves subject to Australia’s privacy law regime, will owe obligations under the Privacy Act. This would extend to overseas businesses that collect basic personal information about Australian individuals, such as name, date of birth, address and credit card details.
As aforementioned, overseas businesses that are also an OP organisation will not breach Australia’s regulations for actions taken overseas. This exemption however only applies in foreign jurisdictions, and overseas OP organisations are still required to comply with the OP regulations when operating in Australia.
If the Online Privacy Bill is passed, it is crucial that overseas businesses that collect the personal information of Australians are aware of their obligations under the Privacy Act and are taking the necessary steps to support their compliance.
need assistance?
If you are a business that has a social media or online presence, we recommend that you consider implementing practices that will support you to comply with the proposed updates to the Privacy Act.
Additionally, if you are an overseas business that collects the personal information of Australians and do not have up-to-date policies and protocols that comply with Australia’s privacy laws, we strongly recommend that you seek legal assistance.
For assistance, please reach out to Kelly Dickson of our Intellectual Property and Trade team in Dandenong, or Damian Kelly if you are a business based in the Pacific Islands.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
more
insights
stay up to date with our news & insights
australia’s online privacy bill: impact on australian and overseas businesses
Privacy legislation is once again the topic of public discourse as the Federal Government has undertaken a broad review of Australia’s Privacy legislation. The Government has proposed major reforms that could substantially alter the regulatory landscape – especially within the online privacy space.
In response to the review, and following its own commitment to strengthen privacy protections, the exposure draft for the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) was released in October 2021.
The Online Privacy Bill proposes to strengthen the existing provisions of the Federal Privacy Act 1988 (Cth) (the Privacy Act) by better protecting against the misuse of personal information by social media companies, data brokerage companies and other large online platforms.
The proposed changes under the Online Privacy Bill impact not just Australian businesses, but also foreign organisations who carry on business in Australia. The Online Privacy Bill proposes to clarify an existing aspect of the Privacy Act which can be a common source of confusion, being to what extent the Privacy Act applies extraterritorially.
proposed changes in the online privacy bill
The key changes proposed by the Online Privacy Bill include the following:
- the introduction of the Online Privacy Code (OP Code) to better regulate social media and online platforms that collect or trade in personal information;
- updating the enforcement powers of the Office of the Australian Information Commissioner (OAIC), by allowing for wider investigative powers and steeper penalties for breaches of the Privacy Act; and
- clarifying the extraterritorial scope of the Privacy Act, to make it clear that foreign businesses who carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia.
The Online Privacy Bill is currently in the ‘exposure draft’ stage, and is likely to be introduced to Parliament (pending election priorities). For this reason, we recommend that businesses start to think about how they will be impacted by the proposed changes and take any steps necessary to prepare.
who will these changes impact?
All businesses who are already subject to the Privacy Act will be impacted by the greater penalties available and expanded investigative powers of the OAIC. The OP code only impacts three categories of private sector organisations (also referred to as OP organisations).
- Organisations that provide social media services
An organisation will be considered as a social media service where they provide an electronic service, with the primary purpose of enabling online social interaction between users.
- Organisations that provide data brokerage services
Data brokerage service organisations collect personal information from either an electronic service or another entity that collected the personal information from an electronic service, for the primary purpose of disclosure in the course of providing a service.
- Large online platforms
A large online platform is one that collects personal information by use of an electronic service in connection with providing access to information, goods or services, and has over 2,500,000 end-users in Australia in the past or current year.
- Overseas Exemption
OP organisations will not breach the OP code for actions that are undertaken outside of Australia.
impact on businesses
If the Online Privacy Bill is passed, there will be a series of changes that will require businesses to adapt their existing privacy practices or develop new practices.
Businesses should ensure that they have policies and protocols in place that can be easily adapted and strengthened in accordance with any forthcoming changes to the Privacy Act. If a business fails to comply with its obligations under the Privacy Act, it may be subject to greater regulatory and enforcement powers available to the OAIC currently proposed under the Online Privacy Bill.
what is the OP code?
The code proposes two significant changes for OP organisations:
Firstly, in the circumstance where an individual makes a reasonable request to an OP organisation to not use or disclose their personal information, the organisation is obligated to take the necessary steps to meet that request.
Secondly, the OP Code will include stronger privacy protections for children and vulnerable groups. The code will specify how consent can be given from individuals in these groups. Social media services in addition are required to:
- take all reasonable steps to verify the age of an individual;
- ensure that the collection, use or disclosure of a child’s personal information is fair and reasonable in the circumstances (the best interests of the child are the primary consideration of what is fair and reasonable); and
- obtain parental or guardian express consent before the collection, use or disclosure of a child’s personal information who is under the age of 16. If a social media service becomes aware an individual is under the age of 16, they must take all reasonable steps to obtain and verify the parent’s or guardian’s consent.
greater investigative and enforcement powers
The Online Privacy Bill addresses recommendations made in the ACCC’s Digital Platforms report by expanding the civil penalties available for a serious and repeated interference with privacy to 2,400 penalty units ($532,800 on current penalty unit values) for an individual. The maximum penalty for a body corporate is increased to an amount not exceeding the greater of:
- $10,000,000;
- three times the value of the benefit obtained from the conduct constituting the serious and repeated interference with privacy; or
- if the value cannot be determined, 10% of the annual turnover.
The OAIC will be granted stronger regulatory and enforcement powers that include greater declarations, infringement notices and information-sharing powers which encourage greater collaboration with other regulators such as ASIC, APRA, and the ACCC.
extraterritoriality
Currently under Australia’s privacy legislation, overseas businesses are required to comply with the Privacy Act if they have an “Australian link” (i.e. they carry on business in Australia and collect or hold information from a source in Australia).
This has been the source of confusion, as it is not always clear whether an overseas business “collects or holds personal information from a source in Australia”. For example, the personal details of Australian customers are routinely collected directly by companies based overseas. It can be unclear as multinational companies may collect or hold personal information from Australia, without being incorporated in Australia.
The Online Privacy Bill proposes to clarify the extraterritorial application of the Privacy Act by removing the requirement for an overseas organisation to “collect or hold personal information from sources inside of Australia.” It is proposed that foreign corporations who carry on business in Australia and collect the personal information of Australians will be subject to the Privacy Act, even if they do not have servers in Australia.
application to overseas businesses
The practical impact of this proposed change is that many businesses overseas, who have not previously considered themselves subject to Australia’s privacy law regime, will owe obligations under the Privacy Act. This would extend to overseas businesses that collect basic personal information about Australian individuals, such as name, date of birth, address and credit card details.
As aforementioned, overseas businesses that are also an OP organisation will not breach Australia’s regulations for actions taken overseas. This exemption however only applies in foreign jurisdictions, and overseas OP organisations are still required to comply with the OP regulations when operating in Australia.
If the Online Privacy Bill is passed, it is crucial that overseas businesses that collect the personal information of Australians are aware of their obligations under the Privacy Act and are taking the necessary steps to support their compliance.
need assistance?
If you are a business that has a social media or online presence, we recommend that you consider implementing practices that will support you to comply with the proposed updates to the Privacy Act.
Additionally, if you are an overseas business that collects the personal information of Australians and do not have up-to-date policies and protocols that comply with Australia’s privacy laws, we strongly recommend that you seek legal assistance.
For assistance, please reach out to Kelly Dickson of our Intellectual Property and Trade team in Dandenong, or Damian Kelly if you are a business based in the Pacific Islands.