Privacy Daily is a service of Warren Communications News.

Australia's First Privacy Compliance Sweep Starts Next Month

The Office of the Australian Information Commissioner will next month start investigating the privacy policies of businesses that collect information in person in its first compliance sweep, the OAIC said Tuesday.

Businesses found to have non-compliant privacy policies could face infringement notices and fines of up to 66,000 Australian dollars ($44,000), said the regulator. The investigative sweep will begin in the first week of January.

Sectors and practices involving in-person collection of personal information often involve power and information asymmetries, the office said. "When confronted with in-person requests for their personal information from retailers, licenced venues, car hire companies or real estate agents, consumers often don't have access to all the information they might need to make an informed decision," said Privacy Commissioner Carly Kind. That makes them vulnerable to overcollection of personal data, creating risks to their security and privacy, she said.

With Australians increasingly concerned about the lack of choice and control they have over their personal information, Kind said she hopes the sweep will cause businesses to think about how robust their privacy policies are and whether they could do more to comply with the Privacy Act.

The action will involve around 60 companies from the rental and property, chemist and pharmacist, licensed venue, car rental, car dealership, pawnbroker and second-hand dealer sectors. Targeted businesses will be identified by considering their size and location, and by high-profile and high-risk entities within each sector, including those that may previously have been subject to a data breach, the DPA said.

They'll be assessed to ensure they meet the requirements of Australian Privacy Principle 1.4, which sets out what a privacy policy must include. The office recently updated its guidance on the principle, it noted.