US authorities are evoking legislation similar to Australian Consumer Law in privacy matters, revealed DLA Piper partner Alec Christie (pictured). He explained that businesses that don’t comply with their own privacy policies face charges of misleading or deceptive conduct under the country’s unfair trade laws.
Christie learnt of the strategy at the International Association of Privacy Professionals’ Privacy Academy held in California in October. He told Lawyers Weekly that it provides “a direct route for consumers to seek redress for privacy breaches”, rather than having to rely on toothless privacy laws that are failing to keep up with technology.
Australia’s Privacy Amendment (Enhancing Privacy Protection) Bill 2012 currently before Parliament will, if passed, introduce fines of up to $220,000 for an individual and up to $1.1 million for an organisation, but only covers “a serious invasion or repeated invasions of privacy”, said Christie.
Under Section 18 of Australian Consumer Law, however, consumers can seek remedies (e.g. injunctions and damages) for misleading or deceptive conduct without having to meet a threshold of severity.
“Consumer law has a lot more potential teeth than current and possibly the future regime under privacy where you have to demonstrate serious breaches,” Christie said.
The Australian Competition and Consumer Commission, which regulates consumer law, may be a more intimidating watchdog than the privacy commissioner, but it is unlikely to move into this space, according to Christie. He predicts that consumer groups will more likely be the instigators of legal action against businesses, which translates into more work for lawyers on both sides.
Most legal action in California has centred on the statement that a business will take “reasonable measures” to protect information provided to it, a term commonly used in Australian privacy policies. In cases of a data breach, the courts have held that, if an investigation finds the company’s security measures were inadequate, “reasonable measures” is an unfair or misleading statement.
Christie, whose corporate clients could be on the receiving end of a lawsuit, is warning businesses to ensure they have the necessary checks and balances in place to ensure privacy policies are implemented.
“If they prepare and implement privacy policies there will hopefully be little scope for this kind of action,” he said.