By Richard Smith

In August, the Australian Law Reform Commission (ALRC) published its final report on its review of privacy laws in Australia. The report, "For your information: Australian Privacy Law and Practice," is about 2,700 pages long and recommends substantial changes to Australia's existing privacy laws and practices.

The recommended changes include:

• a call for mandatory notification for certain data protection breaches;
• the removal of exemptions in relation to employee records and small business;
• new requirements for cross-border data flows; and,
• increased penalties.

Background
Privacy in Australia is currently regulated by the Federal Privacy Act 1988 (Cth) (Act) and some states and territories also have legislation covering privacy. In January 2006, the Australian attorney general requested that the ALRC conduct an inquiry into the extent to which there is an effective framework for the protection of privacy in Australia. The ALRC carried out a substantial review with extensive public and industry consultation considering Australian privacy law and practice, as well as trends in other jurisdictions, particularly the USA and Europe. The resulting report recommends sweeping reforms to Australian privacy law.

Historically, nearly 80 percent of ALRC reports are substantially or partially implemented by the government. If the recommendations of the report subsequently become law, they will have significant consequences for Australian businesses and how they treat personal information and interact with their customers, employees and suppliers. It will also affect the way that governments and agencies carry out their functions and interact with the public.

Key recommendations of the ALRC

1. Data breach notification
In Australia today there is no mandatory obligation for entities to report instances where personal information is disclosed or compromised through a data breach. The ALRC considered legislative trends in other jurisdictions, as well as the increasing public concern about data theft and identity fraud and recommended the introduction of a mandatory data breach notification requirement. The report notes that its primary rationale for the introduction of the requirement is that '…notifying people that their personal information has been breached can help to minimise the damage caused by the breach.'

The ALRC proposes that:

• an agency or organisation be required to notify the privacy commissioner and the affected individual when a data breach has occurred that may give rise to ‘a real risk of serious harm to any affected individual;
• the notification only be required in respect of ‘specified personal information' which will be narrower in scope than normal ‘personal information;' and,
• civil penalties apply for failures to report breaches.

2. Cross-border data flows
Business process outsourcing and other business activities that rely on trans-border data flows are becoming an increasingly common part of the Australian economy. The report recognises the public concerns that arise from sending personal data to other jurisdictions where privacy laws may be less robust. The ALRC proposes that the law be amended to make the entity sending the data overseas still accountable for that data, save in circumstances where:

• there is reasonable belief that the information recipient is subject to a law, scheme or contract which upholds substantially similar privacy requirements (the ALRC wants detailed guidance published on this issue);
• the affected individual consents, after being expressly advised that the sender will no longer remain accountable for the individual's personal information once sent off-shore; or,
• the sender is required or authorised under a law to transfer the data.

3. Certain exemptions from the act to be removed
The ALRC recommends that a number of current exemptions from the act be removed, most notably the ‘small business' exemption and the ‘employee records' exemption.

Small business
Currently, businesses with a turnover of $3 million or less are generally exempt from the act. (There are a few exceptions, such as businesses that provide health services and hold health information, and businesses that are related to larger businesses.) The ALRC proposes that this exemption be removed.

To overcome compliance costs, the ALRC has proposed that the Office of the Privacy Commissioner (OPC) provide assistance to the small business sector through a national hotline, educational materials and templates to assist in preparing privacy policies.

Employee records
Private sector employers are generally exempt from the application of the act in relation to certain ‘employee records.' The ALRC proposes that the Privacy Act be amended to remove this exemption and that the OPC develop specific guidance relating to employees, including when it is appropriate to disclose to an employee third-party complaints about that employee.

4. Statutory cause of action for serious invasion of privacy
To ensure a consistent national position and approach, the ALRC proposes the introduction of a statutory cause of action for the invasion of privacy. The ALRC has suggested a three-tiered test in order to establish this proposed statutory cause of action:

(a) the two elements of the cause of action must be satisfied, namely: (i) there must be a reasonable expectation of privacy; and (ii) the act or conduct is highly offensive to a reasonable person;

(b) the relevant ‘circumstance of invasion' must exist, (e.g. a person must demonstrate interference with his or her home life, the disclosure of sensitive information about his or her private life or unauthorised surveillance); and,

(c) that, in the circumstances, the public interest in maintaining the individual‘s privacy outweighs other matters of public interest.

5. Increased penalties
The ALRC also considered the adequacy of existing remedies available to the privacy commissioner to enforce compliance with the act. While the ALRC recognised that the privacy commissioner had existing mechanisms available to ensure compliance (such as the power make determinations), it has recommended the strengthening of the enforcement powers of the privacy commissioner, including giving the commissioner the ability to:

• impose a civil penalty where there is a serious or repeated interference with the privacy of an individual; and,
• enforce undertakings to ensure compliance with the act.

Next steps
According to the Australian Cabinet Secretary Senator Faulkner, the government will consider the ALRC recommendations in stages. Firstly, the government proposes to respond to the recommendations relating to the privacy principles, health, credit reporting and education in relation to new technologies. In the second stage, the government will consider the recommendations relating to the removal of exemptions, data breach notices and the statutory cause of action for a serious invasion of privacy. It is expected that, if accepted, the government will enact the first stage of reforms within the next 12 to 18 months.

Richard Smith is a senior associate in the Technology, Media and Commercial Group at DLA Phillips Fox in Sydney, Australia. He specialises in advising clients with respect to technology and privacy compliance issues. He has also assisted clients in areas including IT service contracts, smartcard schemes, BPO and offshore outsourcing. Richard regularly speaks at industry conferences on legal developments relating to the IT industry and contributes articles to industry and legal newsletters. Richard can be reached at + 61 2 9286 8605 or richard.smith@dlaphillipsfox.com.