23 July 2018
In the age of third party Application Programming Interfaces (“APIs”) such as internet banking applications, Facebook and Google Maps, the collection and distribution of personal data is shrouded in mystery, unless of course you take the time to read the masses of information included in privacy policies. With recent media coverage of the issue, it is clear that a large portion of the public may not be educated about how the applications, and the businesses behind them, can collect and/or disclose their information.
What are the privacy rights under the law?
The Privacy Act 1988 (Cth) (“the Privacy Act”), and the 13 Australian Privacy Principles (“APP”) contained within it, are the relevant guidelines for privacy in Australia.
Definition of an APP Entity
These 13 principles are applicable to “APP entities”. An APP entity encompasses:
An APP entity does not include:
The Privacy Principles[iii]
The Principles as a whole are wide-ranging and cover a whole array of issues. However, the Principles specifically relevant to how your information may be collected and distributed include:
APP 3: Collection of solicited personal information
An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the APP entity’s functions or activities. Sensitive information must not be collected unless there is consent or the information is reasonably necessary for the APP entity’s functions. Sensitive information can include, but is not limited to:
APP 6: Use or disclosure of personal information
An APP entity cannot disclose the information for a purpose (other than the purpose it was collected for), unless there is consent or one of the following applies:
APP 7: Direct marketing
An organisation must not use or disclose personal information for the purpose of direct marketing. Exceptions to this include:
Sensitive information is subject to more stringent requirements: consent is the only exception permitting the disclosure of sensitive information for the purposes of direct marketing.
What amounts to a breach of privacy?
If the business or organisation you are dealing with falls into the category of an APP entity, and collects, uses or discloses your information in a way that conflicts with the Principles (and no relevant exception applies), this may amount to a breach.[iv]
Taking applications as an example, you will commonly find the privacy policy and related terms grouped together and accepted in a single step. This is referred to as bundled consent, or a “click-wrap”. It is a common practice in software licences and online transactions. The potential issue with a “click-wrap” is the effect it has on consent.
There is an argument that being unable to use a service until a “click-wrap” is accepted, or being unable to withhold consent on specific terms, may affect whether informed consent was actually provided.
The penalties for breaching the Privacy Act can amount to $1.8 million for corporate bodies or $360,000 for non-corporate bodies (including government departments/agencies, sole-traders, partnerships, trusts, unincorporated associations).
What can I do if I believe my privacy has been compromised?
If you believe that your privacy has been breached under the Act, if you are an APP entity that might be in breach of the Principles, or if you would like further information, please contact your local JHK Legal office.
The above article is not intended to be a substitute for legal advice.
[i] Section 6 of the Privacy Act 1988 (Cth).
[iii] Schedule 1 of the Privacy Act 1988 (Cth).
[iv] Section 6A of the Privacy Act 1988 (Cth).