
AUSTRALIA: Increased focus on global privacy and data protection for Australian organisations

Authors: Sinead Lynch and Jessica Noakesmith

Regulators around the world are, and will be, taking a much closer look at rules on the protection of individual personal data and the security of their citizens’ information. The onslaught of the new and arduous General Data Protection Regulation (GDPR) regime in Europe, the recent ‘protectionist’ changes to the PRC Cybersecurity Laws in China on 1 June 2017, anticipated changes in Singapore’s data privacy regime, as well as rumblings from other Asia-Pacific countries in this area, all confirm that these are issues where national regulators are sitting up and taking action. Recent cyber events, including the much-reported ‘Wannacry’ cyber-attack, add to global unrest in this area.

To date, Australia has adopted a more transparent and conciliatory approach to privacy and security. However, this position is likely to face challenge now in light of international developments in this area. The introduction in Australia of the long-awaited new mandatory Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) in February 2017, commencing from, at the latest, February 2018, as well as the Government’s budget confirmation of the Productivity Commission’s new law on personal data sharing and release, goes some way to support Australia’s renewed focus in this area.

The Office of the Australian Information Commissioner (OAIC) has also just released its updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide), to confirm that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their handling practices comply, prior to its commencement from 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of GDPR for Australian businesses, and advised that the OAIC will be taking a closer look at compliance in this area.

Therefore, to the extent that an Australian company handles or processes EU individual data in the course of its operations and this processing falls within the scope of the extra-territorial reach of the GDPR (as described further below), this company will be required to comply with the onerous requirements of GDPR and may be subject to its sanctions.

The Guide

The Guide confirms that Australian businesses “of any size” may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The Guide helpfully compares the GDPR and Privacy Act 1988 (Cth) principles in an easy-to-read comparison table. Certain similarities are highlighted: both laws share a focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.

However, there are notable differences in the GDPR. In addition to the myriad of broadly defined terms and the wide scope of personal data, there are enhanced rights for individuals to their data, data portability obligations, a right “to be forgotten”, enhanced consent requirements and a 72-hour mandatory data breach notification requirement in certain cases, not to mention the unwieldy fines and sanctions.

While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organisations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.

We take a closer look here at the GDPR and its implication for Australian businesses processing EU personal data / global organisations operating in Australia with the required relationship to the EU, who handle personal information of EU/UK citizens.

So, what is GDPR?

You will no doubt have read multitudes of reports and analysis on this new legislation and what it may mean for both European and global organisations. In brief, the GDPR is a wide-ranging piece of (directly applicable) privacy legislation recently adopted by the EU institutions, which mandates a significant rise in personal data protection compliance obligations for all organisations coming within its reach – both inside and outside the EU.

Notably, due to its new extra-territorial effect, a large number of global organisations operating across borders who were not previously caught by the existing regime will be affected. This will also be directly applicable in the UK for a period, despite Brexit considerations. It is widely accepted that the same / a similar regime will apply in the UK post-separation.

The GDPR was adopted on 26 April 2016 and is due to come into effect on 25 May 2018. As the legislation took over five years of intense lobbying and debate (inside and outside the EU) prior to its adoption, there are a number of interpretative issues and unanswered questions (including extra-territorial issues). Although there is less than a year to go, guidance to date from the EU has been relatively sporadic.

Why is GDPR so important?

There are some key reasons:

  • The significantly increased fines for personal data breach for all organisations caught by GDPR (of up to €10-20 million or 2-4% of global annual group turnover) mean that it is a group board-level issue for many organisations. Non-compliance in even smaller companies in a group may lead to significant ramifications where GDPR applies to that group / company within the group
  • A host of new obligations on data controllers and data processors (for the first time) are introduced, which include enhanced rights for individuals to their data, data portability obligations, the right to be forgotten, enhanced consent requirements to name but a few
  • Underpinning the GDPR are ‘accountability’ and ‘transparency’ obligations which require a holistic approach to be taken to privacy compliance – around the world. Getting prepared may require internal re-organisation of each group member business activities and procedures – on a wholesale group basis
  • Even where a group / company may not currently fall within the scope of GDPR, continuous review and re-organisation may still be required so as to avoid company activities falling under its scope in the future
  • A group / company’s partners and third party suppliers and customers may be caught by the GDPR and additional compliance requirements / contractual obligations on companies may be forthcoming from such organisations
  • Fundamentally, protecting the reputation and brand of the wider group where any breach or suspected data breach / security / information governance issues arise remains an ever-present and key driver

Why does GDPR concern Australian operations?

In determining whether activities fall within its geographical reach, the GDPR considers not only the location of where information is being processed (as was the case under the old EU Data Protection Directive), but now also the location of the individual whose data is being processed.

Under the existing regime, non-EU businesses only fall within the scope of the Directive if processing took place using equipment in the EU (e.g. using servers/ employees located in the EU). This will no longer be the test and the ambit of the GDPR seeks to capture all processing of EU individual data, regardless of where such processing takes place.

The GDPR will apply to any Australian business who processes personal data:

  • “In the context of the activities of an establishment of any organisation in the EU”
  • “Of EU individuals where the processing activities relate to the:
    • Offering of goods or services to individuals in the EU (including where no payment is required); or
    • Monitoring the behaviour of individuals in the EU (where such behaviour takes place in the EU)”

Both “personal data” and “processing” under GDPR are broadly interpreted and go much further than the analogous definitions of “personal information” and “handling” under the Privacy Act / APPs in Australia.

A review of your existing use, handling and processing of EU individual personal data and the targeting of services outside of Australia to the EU is recommended. Reviewing both existing and anticipated data flows (e.g. which may arise as a result of group company acquisitions, disposals or new third party contracts) is also recommended.

Referencing specific GDPR recitals, the OAIC provides in its recently published Guide some examples of how the GDPR may apply to Australian businesses that fall under this test.

To determine if GDPR impacts your business, the fundamental question to ask at the outset is “Do you target EU individuals or organisations and if so, what percentage of personal information is processed related to such activities?” If you are likely to be at risk, the time to act to ensure compliance is now.

Enforceability?

This extra-territorial effect of GDPR has been well publicised (and criticised) and organisations outside of the EU are now taking stock to review their privacy compliance obligations.

While there are still question marks over the practical enforceability of the GDPR regime and its sanctions outside of the EU (with ongoing discussion of extra-territorial co-operation agreements with EU supervisory authorities), the OAIC has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.

It has also recently confirmed that it is committed to internationally coordinated approaches to privacy regulation, recognising that APP entities carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. The OAIC also participates in several international forums and arrangements to promote best privacy practice internationally, address emerging privacy issues in Australia and cooperate on cross-border privacy regulation and enforcement matters.

As such, if an Australian business is found to contravene the GDPR in respect of data / security breach (for example) this may be sufficient to bring it to the attention of the OAIC, who may take action under the APPs in respect of that data / security breach (without prejudice to any EU enforcement capability).

While we have yet to see the full impact that GDPR will have on non-EU businesses, for market-leading organisations operating in Australia, reviewing your privacy compliance obligations with the GDPR will be crucial to ensure the protection of your reputation and brand and to minimise any risks of exposure to exponential fines and sanctions for breach.

As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. This is one area where organisations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory / required) to enhance privacy practices, engage consumer trust and ensure consistent internal privacy practices, procedures and systems across all businesses.

We are currently completing GDPR gap analysis, data flow mapping and risk compliance audits for our clients and would be delighted to answer any questions you may have on this area and on whether GDPR is likely to impact your business in Australia.

Please see our resources which include key requirements and some practical tasks for implementation which can assist you to understand and comply with this new and significant impending legislation.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/increased-focus-on-global-privacy-and-data-protection-for-australian-organisations/

AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations

By Sinead Lynch and Jessica Noakesmith

Today our Australian IPT team attended the ‘Industry Debrief: Mapping the community’s privacy expectations’ presented by the Australian Information and Privacy Commissioner, Timothy Pilgrim, and Principal from The Wallis Group, Jayne Van Souwe.

We heard some of the key issues raised by the 2017 Australian Community Attitudes to Privacy Survey and part of the Office of the Australian Information Commissioner’s (OAIC) plan to address rising privacy concerns in Australia. It was also notable that the survey confirmed many Australians as being comfortable with and welcoming the new mandatory data breach notification rules due to come into effect in early 2018.

Survey findings:

  • 83% of all Australians viewed online interactions as inherently more risky in privacy terms (although many privacy breaches that the OAIC currently handles are offline and low tech).
  • 25% never ask why their personal information is being collected.
  • 9 in 10 Australians are concerned about personal information being transferred overseas and confirm they do not like it.
  • 79% are uncomfortable with sharing their data in a commercial sector.
  • Young Australians under 35 are the most likely to exchange data for benefit.
  • The health sector continues to be regarded as the most trustworthy, with financial institutions and government sector following closely behind.

Some notable key points:

  • there is a considerable gap between privacy concern and actions of all Australians;
  • consumers’ decision making relies on existing goodwill and trust in an organisation over detailed policies – for example, many Australians are not likely to read a long and complex privacy policy; the OAIC confirmed that simplifying privacy policies will be a core focus; and
  • there is significant personal responsibility in personal information protection. Everyone has a role to play.

The Commissioner, Mr. Pilgrim, highlighted some actions the OAIC has recently undertaken and some currently in progress, including:

  • working with CSIRO to develop tools to assist with de-identification of data and information – the OAIC posing the question “Can you really de-identify personal information?”;
  • preparing the OAIC response to the Productivity Commission report on Data Availability and Use that was released last week;
  • working with the Prime Minister’s public data groups to establish how data can be used for “good purposes” and how to avoid the impact on individuals – in line with a trend towards open and effective use of data;
  • exploring the social / economic use of personal information – a possible social licence for innovative data use, including options of notice and consent;
  • their recently published guide to “personal information” on the OAIC website;
  • the final Australian businesses and the EU General Data Protection Regulation guidance is to be released within the coming weeks. See the draft resource here – according to the Privacy Commissioner, the GDPR is “extraordinarily important” to Australian businesses; and
  • educating Australians about the Right of Access to personal information, indicating a potential focus point on data subject access right here also.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-awareness-week-update-industry-debrief-mapping-the-communitys-privacy-expectations/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five-year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details, including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must make such a notification not only after a breach is known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to undertake investigations into whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’. Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments? How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be liable for serious or repeated interferences with the privacy of an individual and can face a civil penalty of up to $360,000 and $1.8 million respectively.

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced, but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers’ information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. Thinking this through across your existing and future supplier environment and the nature of required upstream contract obligations will also be needed.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low, as disclosure must be made by the entity not only if it knows a breach has occurred but also in the event it believes a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occurred). This can be seen as both a positive and a negative depending on which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that, ‘a serious breach’ is too broadly defined in the laws suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuels (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regime.

Commentary

In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and working with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). One example is the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual enforcement action.

On a practical level, another potential problem with this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public. This means that a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of breaches occurring (and of such breaches meeting the required standard) could increase dramatically, and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was in itself perceived to provide something of a panacea for individuals, and to provide greater clarity to business in terms of the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

AUSTRALIA: New privacy code for the market and social research industry

In late 2014 the Australian Privacy Commissioner registered the Privacy (Market and Social Research) Code 2014 (Code) in accordance with the Privacy Act 1988 (Cth) including the Australian Privacy Principles (APP) (Privacy Act).

The Code is the first code registered under the new Australian privacy regime/the APPs which became effective on 12 March 2014. The Code replaces the previous Association of Market and Social Research Organisation code of practice in force since 2003 (as amended in 2007) made under a previous part of the Privacy Act. 


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/new-privacy-code-for-the-market-and-social-research-industry/

AUSTRALIA: Privacy commissioner to audit 21 privacy policies for compliance: it may be you!

The Australian Privacy Commissioner (Commissioner) is preparing to conduct an assessment of 21 online privacy policies at random. The Commissioner also noted:

“[We’ve] been talking for a long time about the need to build privacy into ‘business as usual processes’, and how essential it is to include in business and project planning … but now that we have had almost a year to settle into the changes to privacy laws, we’d like to start talking about more than just basic compliance, and shift the conversation to ongoing governance. A key component of a successful end-to-end privacy program is regular monitoring. This will ensure that privacy policies, procedures and guidance are being followed and that they remain relevant to your business and the privacy risks it faces.”

Also, in a re-affirmation of prior comments and views on where the responsibility for privacy compliance lays (and possibly hinting at those individuals in a company that may be targeted for personal fines), the Commissioner said:

“responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. It is these roles that must promote privacy as an asset to be respected, managed and protected.”

Is your organisation compliant?

These audits will look at whether your online policies are clearly expressed and up-to-date, cover the content and contact requirements, are available in an appropriate form and are compliant with all other requirements of the Australian Privacy Principles (APPs). Based on our experience and our recent survey of a number of online privacy policies, we estimate that around 50 percent of the privacy policies accessible online are not compliant with the APPs.

If you would like assistance to determine if your existing privacy policy is APP compliant or advice on any of your privacy/privacy governance obligations, please do not hesitate to contact any of our Privacy & Security team.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-commissioner-to-audit-21-privacy-policies-for-compliance-it-may-be-you/

Developing US privacy trend that will soon impact Australian businesses

Author: Alec Christie

Key points

  • Californian/US privacy enforcement strategy to ensure companies comply with/implement their privacy policies
  • If the Strategy is applied to Australian businesses on the basis of similar laws, significant damages could be awarded for a first-time or one-off failure to comply with/implement their privacy policies
  • Review your current practices and existing privacy policy to ensure you have implemented and are complying with your privacy policy

Background

During the author’s recent presentation and attendance at the International Association of Privacy Professionals’ Privacy Academy in San Jose, California, it became apparent that a privacy enforcement strategy (Strategy) was being considered to be ‘ramped up’ by the Californian Attorney General and the Department of Justice (which may spread to other US States). The Strategy uses the Californian state and US federal ‘misleading or deceptive conduct’ or unfair trade laws, similar to Section 18 of the Australian Consumer Law (ACL), to ‘prosecute’ those companies operating in California that do not implement or comply with their own privacy policies.

While this Strategy has occasionally been considered in Australia under the old Trade Practices Act 1975 (Cth) provisions, it has to date not been actively and vigorously pursued in Australia by the relevant regulators or by individuals. However, based on the presentation by a representative of California’s Department of Justice and a talk by a senior member of the California Attorney General’s Office, it seems that the Strategy may now be aggressively pursued, in the state of California at least, in order to ensure that companies doing business in California actually do what they say they will do in their privacy policy.

Given the similarities with the ‘misleading or deceptive conduct’/unfair trade provisions in Australian law and the expectation that use of the Strategy in California will soon become widely known to Australian regulators and individuals, we believe it is only a question of time before the Australian Competition and Consumer Commission (ACCC) and/or individuals (and possibly business competitors) in Australia start to take action for misleading or deceptive conduct under Section 18 of the ACL where a company carrying on business in Australia does not implement/comply with its privacy policy.

The previous US experience

Some of the early US federal cases have involved consideration of the statement in a company’s privacy policy that it takes ‘reasonable measures’ to protect the security of the information provided to it (a common term in Australian privacy policies). US courts have held that where information has been hacked or leaked and an investigation of the security measures actually taken by that company revealed that they were not ‘reasonable’ in the context of the (then) current industry practice, this statement has been found to be unfair/misleading and therefore actionable.

Implications for Australian business v current situation

In Australia, the Strategy could be used to maintain an action in respect of any failure by a business to implement/comply with the provisions of its privacy policy. For example, in addition to the ‘reasonable security measures’ representation, statements such as ‘we do not share your information’ (if it turns out that you do) or ‘we do not use your information for marketing purposes’ (if it turns out that you do) will be actionable. The implementation of the Strategy could also be fuelled by the recently proposed move to mandatory breach notification for data breaches in Australia.

A contravention of the prohibition on misleading or deceptive conduct in Section 18 of the ACL is subject to remedies including injunctions, damages and compensatory orders. Using the Strategy will enable the aggrieved individuals to seek damages for the harm caused by the breach of Section 18 of the ACL by the business. These damages could include any economic loss resulting from the breach, such as losses suffered from losing an opportunity (or chance). For example, loss of a prospective employment opportunity due to disclosure of one’s personal information in circumstances where the promises/representations in the privacy policy were not actually implemented.

Even though the recently enacted Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amendment Act) introduces fines of up to $340,000 for an individual and up to $1.7 million for an organisation for a serious invasion or repeated invasions of privacy from March 2014, the Strategy will continue to be available to aggrieved individuals, giving individuals direct redress against the business.

The concern for business if the Strategy does take off in Australia is that, whereas currently no penalties exist and even under the Amendment Act penalties will only apply to serious or repeated invasions of privacy, the Strategy may result in significant damages (including for lost opportunity/chance) being awarded against the business for a first-time or one-off (and likely considered by the business as ‘minor’) failure to implement/comply with its privacy policy.

Key practical concern

In practice, the main worry at present is that the privacy policies of many Australian businesses have not been reviewed, amended/revised or updated to accord with changed circumstances (many for in excess of five years). That is, not reviewed and amended to reflect changes to the purposes for collection of/the use of the information collected, the business undertaken or the arrangements for the processing of the information and/or the security measures taken by the business in respect of such.

While the new privacy regime will, from March 2014, require companies to ‘maintain’ their privacy policies (i.e. keep them up to date as a living document), any failure to implement/comply (even with an updated policy) will still lend itself to an action and potentially substantial damages under the Strategy.

What action is required now?

In a previous update dealing with the amendments to be introduced from March 2014 under the Amendment Act, we suggested that you consider reviewing your privacy policy and processes and update them now in order to be ready for the new law. However, given the likelihood that the Strategy may soon come to Australia, we now advise that you urgently consider/audit your current practices and existing privacy policy to ensure that your policy is reflective of your current circumstances, business purposes and processes and your security arrangements in order to minimise the risk of an action for misleading or deceptive conduct under the ACL as a result of any failure by your business to implement or comply with its privacy policy.

Please do not hesitate to contact us if we can assist with this review/audit of your current practices and your privacy policy.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/developing-us-privacy-trend-that-will-soon-impact-australian-businesses/