New proposed privacy rules for global companies conducting business in Australia

The exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Bill) was recently published by the Attorney-General’s Department. The draft Bill is aimed at enhancing the protection of personal information through the introduction of an Online Privacy Code (OP Code), expansion of the extra-territorial scope of the Privacy Act 1988 (Cth) (Privacy Act) and strengthened penalties for non-compliance. The draft Bill follows a raft of recent reforms targeted at strengthening privacy and cyber security protection for all Australians. More recently, the Online Safety Bill 2021 (Cth) was passed and is due to come into effect in January 2022.

Introduction of an OP Code

The Australian Government is presently seeking feedback on the development of a new OP Code. 

It is intended the OP Code will cover additional obligations beyond the existing Australian Privacy Principles including, amongst others:

• requiring organisations to cease using or disclosing personal information upon request (e.g. for the purposes of direct marketing).  If an organisation cannot comply with the request, it will need to provide the individual with written notice providing the individual with reasons and potential avenues of complaint (including to the Privacy Commissioner);
• setting clear expectations about how organisations may handle personal information relating to children or other vulnerable groups; and
• other optional obligations such as providing for the reporting of complaints to the Privacy Commissioner.

The new OP (once developed) will be registered within 12 months after the draft Bill receives Royal Assent.

Who is impacted by the new OP Code?

The OP Code will apply to private sector organisations that are bound by the Privacy Act and who are large online platforms or organisations that provide social media services or data brokerage services.  Certain exceptions apply.

Online platforms

It is contemplated that large online platforms that collect a high volume of personal information online must comply with the OP Code.  These are organisations that:

• collect personal information about an individual in the course of or in connection with providing access to information, goods or services by use of an ‘electronic service’; and
• have over 2.5 million end-users in Australia in the past year, or if an organisation did not carry on business in the previous year, 2.5 million users in the current year.

An ‘electronic service’ includes, amongst others, hardware, software, website, mobile applications, peer-to-peer sharing platforms, email, SMS and chat services.

Social media services

The OP Code will also apply to organisations that provide an ‘electronic service’ with the sole or primary purpose of enabling online social interaction between two or more end-users, and allow interactions between end- users or to post material on the service.  This would include, amongst others, online messaging and video-teleconferencing platforms.

Data brokerage services

Data brokerage organisations that trade in personal information collected online or information derived from such personal information (e.g. data derived from rewards or loyalty programs) will also be captured by the OP Code.

Clarification to scope of Privacy Act

The draft Bill also introduces other broad amendments to the Privacy Act.  Foreign organisations who carry on business in Australia are more likely to be caught by amendments to the extraterritorial provisions in the Privacy Act. 

Presently, organisations with an ‘Australian link’ must comply with the Privacy Act.  An ‘Australian link’ will exist if:

• the organisation is, amongst others, a body corporate, partnership or trust incorporated/formed in Australia or an unincorporated association that has its central management and control in Australia; or
• if the above does not apply:
  • the organisation or operator carries on business in Australia; and
  • the personal information was collected or held by the organisation in Australia, either before or at the time of the act or practice.

In practice, global corporations may not necessarily have a subsidiary in Australia and/or may not collect personal information about Australian individuals directly from Australia.  Rather, they may collect information about Australian individuals from other sources or digital platforms.  The Australian Government recognises this. 

The draft Bill removes the last requirement for personal information to have been collected or held by the organisation in Australia, either before or at the time of the act or practice.  This amendment is intended to capture activities of foreign organisations even if they do not collect or hold personal information about an Australian directly from a source in Australia.  

Increased penalties

The expanded scope of the extra-territorial provisions in the Privacy Act exposes a greater number of organisations to the new proposed penalty regime. As foreshadowed in 2019, the penalties for privacy contraventions were set to increase to align with the penalties set out in the Competition and Consumer Act 2010 (Cth).

For body corporates, the penalty will increase from A$2.2 million to an amount not more than the greater of the following:

• A$10,000,000;
• if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
• if the court cannot determine the value of that benefit—10% of the relevant turnover of the body corporate during the 12‑month period ending at the end of the month in which the body corporate engaged, or began engaging, in the conduct constituting the contravention.

Other enforcement powers of the Privacy Commissioner will also be strengthened.  These include expanding the types of declarations that the Privacy Commissioner can make, new infringement penalty notices for failing to give information as part of an investigation and enhancing the Privacy Commissioner’s information-sharing arrangements with relevant enforcement authorities.  These new provisions will allow the Privacy Commissioner to share information with the eSafety Commissioner when dealing with any cyberbullying and cyber abuse matters.

Next steps

The Australian Government have invited relevant stakeholders to make submissions on the draft Bill by 6 December 2021. ¹This feedback will be considered before the draft Bill is introduced to Parliament. 

The Attorney-General’s Department is also undertaking a review of the Privacy Act. The Department have released a Discussion Paper which seeks feedback on the proposals for privacy reform.  These proposed changes include, amongst others, the introduction of mechanisms to prescribe and certify countries with substantially similar privacy laws when sharing information outside of Australia and the use of standardised notices and consents.  Submissions are open until 10 January 2022.²

Please contact us for more information.

Authored by Mandi Jacobson and Angell Zhang.