Data Wars: A New Hope

    February 2014

    Overseas Businesses and the Australian Privacy Reforms

    On 12 March 2014 the new Australian privacy law amendments will come into effect. These changes to the Australian Privacy Act 1988 (Cth) were passed by the Australian Parliament in November 2012 with a 17-month “preparation period” allowing businesses to adapt and comply with the new laws before the reforms become enforceable.

    As the compliance deadline draws near, it is important for overseas businesses with Australian operations to turn their minds to how these reforms may affect them.

    New Enforcement Powers

    For many businesses, the most important change to the Australian privacy law is the introduction of new civil penalty provisions. Prior to these reforms, there was almost no way for the law to be properly enforced by the Privacy Commissioner (now called the Australian Information Commissioner). The Commissioner, thought by some to be a “toothless tiger”, now has a real way of penalising businesses for non-compliance beyond the traditional “name and shame” strategy.

    The ability of the Commissioner to seek new civil penalty orders from the Courts of up to AU$340,000 for individuals and AU$1.7m for corporations will give the Commissioner the enforcement ”teeth” he has lacked up until now, which will make privacy law an increasingly important area of compliance for businesses operating in Australia.

    Overseas Data Transfers

    For global businesses operating in Australia, the more stringent overseas data transfers may impact on the current business structures in place. Personal information collected in Australia and then transferred to another jurisdiction requires consent of the person that the information is about. This means that international companies who collect client information in Australia and then store that information on internal servers outside of Australia must have terms and conditions including customer consent to the transfer of data.

    In the absence of consent form the customer, companies must comply with a range of other rules around the transfer of data overseas. For many companies, it is standard practice to collect customer information from a variety of jurisdictions and store that information in a central global location, so these reformed overseas data requirements are likely to impact many businesses.

    Effect on International Contracts

    Global service providers with Australian clients should also prepare themselves for increased scrutiny from those Australian clients in relation to privacy compliance. The new reforms impose liability on Australian companies for the privacy breaches of their contractors overseas. This means that Australian companies dealing with overseas data storage and could computing providers are going to have heightened sensitivity to the service provider’s ability to comply with Australian data protection and privacy requirements.

    For companies that provide such services to Australian clients, an awareness of the new laws could be an important way to distinguish themselves within the market. In particular, it is expected that requests for indemnities for breaches of Australian privacy law will become very common.

    What Can You Do to Ensure You Comply?

    If you are an overseas business with operations in Australia, or you are an overseas business providing cloud computing services to Australian clients, you should:

    • review the terms and conditions that your Australian customers agree to when using your services to ensure you have the relevant consents to transfer data overseas;
    • become familiar with the new laws so that you can update your policies and procedures and give your Australian clients comfort that your business complies with Australian law;
    • implement internal policies to deal with direct marketing opt outs and requests for information about customers from those customers, as well as requests for information to be “de-identified”; and
    • update your contracts with customers and suppliers to ensure liability for the actions of third parties is appropriately addressed.

    With substantial local and international experience dealing with privacy and data protection law, Squire Sanders can help you understand these new laws and help to make sure that your business is compliant.