07 Jun 2012
Revamped Privacy Act gives the Privacy Commissioner more bite
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 will give the Privacy Commissioner a clearer regulatory mandate, and more options in its regulatory, investigatory and enforcement functions.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 represents the Federal Government's first stage response to the Australian Law Reform Commission's review of Australian privacy laws.
In its report, the ALRC noted that the Privacy Commissioner needed a combination of persuasive, restorative and punitive strategies to promote, foster, secure and, where necessary, enforce compliance with the Privacy Act 1988.
Amongst other things, the Bill amends the Act to clarify the Privacy Commissioner's functions and expands its regulatory options and powers. It is intended that the amendments will improve the Commissioner's ability to, at first instance, monitor compliance as an ongoing concern, and then enforce compliance if required.
Changes to the Privacy Commissioner's functions
The Bill's provisions will clarify the Commissioner's functions, categorised as:
guidance-related - including publishing guidelines, promotion and education;
monitoring-related - including monitoring security and accuracy, evaluating compliance, and examining proposed enactments for potential privacy impact; and
advice-related - including advising and reporting to the Minister on matters relating to the Privacy Act, and informing the Minister of the actions a Commonwealth agency needs to take to comply with the Australian Privacy Principles (APPs).
Changes to the Privacy Commissioner's powers
In addition, the Bill's amendments will allow the Commissioner to:
compliance assessment: conduct an assessment of whether an entity's handling of personal information complies with the APPs;
privacy impact assessments: direct a Commonwealth agency to conduct a privacy impact assessment of any proposed activity which could have an impact on privacy;
enforceable undertakings: accept enforceable undertakings from an entity to take certain actions or to refrain from taking certain actions. The Commissioner may apply to the Federal Court or the Federal Magistrates Court to compel an entity to comply with an undertaking or to pay compensation for any loss or damage caused by non-compliance with an undertaking;
external dispute resolution: recognise external dispute resolution schemes which are capable of dealing with privacy-related complaints. The amendments will also allow the Commissioner to decline to investigate a complaint if it is already being, or would be more effectively or appropriately, dealt with by a recognised external dispute resolution scheme;
"own motion" investigations: on its own motion, investigate any act or practice which may be an interference with an individual's privacy (being a breach of an APP or a registered APP code binding on the entity) and which the Commissioner considers desirable to investigate. Significantly, the Commissioner may commence proceedings in the Federal Court or the Federal Magistrates Court to enforce the determinations made following such an investigation. Actions available to the Commissioner after such an investigation include:
making a declaration that an interference of privacy has occurred;
ordering an entity to take specific actions to prevent further repeats of the acts or practices investigated;
ordering an entity to redress or compensate any loss or damage suffered (loss or damage may include humiliation suffered by the complainant or injury to the complainant's feelings); and
making any order the Commissioner considers appropriate.
conciliation: conciliate complaints lodged with the Commissioner.
Civil penalty regime
The Bill also introduces into the Act for the first time a civil penalties regime.
Certain provisions in the Act will be designated as civil penalty provisions. Where a direct or ancillary contravention of a civil penalty provision has occurred, the Commissioner will be able to apply to the Federal Court or the Federal Magistrates Court for a civil penalty order.
Such provisions are mainly concerned with credit reporting, but a serious or repeated interference with the privacy of individuals (i.e. a breach of an APP or a registered APP Code binding on the entity) will now also attract civil penalties.
Under the Bill, civil penalties of up to $220,000 for an individual or $1.1 million for a company can be imposed.
The changes proposed by the Bill represent an increase in the Commissioner's regulatory and enforcement powers and options. The Bill also removes some of the existing pre-conditions to the Commissioner's exercise of powers.
In a speech by the Privacy Commissioner to the Emerging Challenges in Privacy Law Conference on 23 February 2012, the Commissioner stated that he will not shy away from exercising his powers under the existing provisions of the Act, and regarded any additional powers granted to him as having "significant implications for privacy compliance in Australia".
In our view, the new powers and discretions under the Bill will enable the Commissioner to take an even more proactive and direct approach to regulation and enforcement of the Act. It is anticipated that the Commissioner will release guidelines on the exercise of certain of these powers and discretions.
Entities should particularly note the Commissioner's new powers and discretions to conduct "own motion investigations", require enforceable undertakings, and to apply to the Court for civil penalty orders. These enforcement tools are currently being used by other regulators (such as ASIC and the ACCC) to enforce different legal regimes, and the Bill will bring the Commissioner's powers closer in line with those of his regulatory counterparts.