Some estimates predict that by the year 2020, over 26 billion electronic devices all over the world will be able to connect to the internet. While the statistic no doubt excites technology aficionados, the products and services that comprise the ‘Internet of Things’ could significantly affect our privacy. Privacy requirements are a major issue for commercial entities whose business is part of the Internet of Things. This article discusses the recent report, what it means for these businesses and how they can meet their privacy obligations.

Global Privacy Enforcement Network Report

The Global Privacy Enforcement Network (GPEN) has recently released the results of its global sweep of products and services making up the Internet of Things, some of which are used daily by Australians. GPEN is an organisation made up of 26 national privacy enforcement authorities. These enforcement authorities, including the Australian Privacy Commissioner, scrutinised the privacy policies of over 300 businesses around the world. Australians use the devices and services of approximately 45 of these entities regularly. The Australian Report revealed some concerning statistics:

  • 71% did not explain properly how they stored information (no privacy policy);
  • 69% did not adequately explain how consumers could delete their information off the device; 
  • 38% did not include easily identifiable contact details in cases where a customer had a privacy concern; and
  • 91% did not advise a customer to customise their privacy settings.

Also, the Australian businesses assessed in the sweep did not typically inform customers about how the organisations managed their information. Over 50% did not adequately explain how they collected, used and disclosed data.

In response to these findings, the Australian Privacy Commissioner reminded Australians that while the Internet of Things provides some great products and convenience, consumers should not integrate the technology into their lives before considering whether they are comfortable with how their personal data is collected and managed. The Commissioner recommended all consumers check the business’ privacy policy before using any device.

This report and the Commissioner’s words are a timely reminder to all businesses who fall under the Australian Privacy Principles that they are obliged to have a clearly expressed and up-to-date privacy policy. Even if an entity does not formally have to comply with the APP, it is best practice for them to ensure that consumers know how a particular business handles their data. This can increase confidence and trust on the part of customers.

Australian Privacy Principles

The Australian Privacy Principles (APP) are located in Schedule 1 of the Privacy Act 1988 (Cth) (the Act). A business must comply with the APP if it is an APP entity under the Act. APP 1 requires all APP entities to manage their personal information openly and transparently. They must put in place practices, procedures and systems relating to their activities that ensure the business complies with the APP (and any relevant APP Code) and can deal with customer queries and complaints about their compliance with an APP or relevant Code. APP 1.3 mandates that all APP entities have a clearly expressed and up-to-date privacy policy which lets consumers know about that business’ management of personal information. Under the Act, personal information refers to information or an opinion about an identified individual, or a person reasonably identifiable, irrespective of whether it is true or not or whether it is recorded in a material form or not.

At a minimum, a privacy policy must include information about the type of personal information an entity collects and retains and include how it collects and holds that data. It must specify the purposes for which the entity collects, holds, uses and discloses personal information as well as how a person can access retained information about themselves and correct it. The policy should also detail how a person can complain about a breach of the APP or a registered APP Code applicable to the entity and how the entity will manage that complaint. If a business is likely to disclose personal information to an overseas recipient, their policy must set out how this information and data will be managed.

The entity must by law take all reasonable steps in the circumstances to ensure that its policy is available at no cost and in an appropriate form. Making a policy available on a business’s website is a common means of assuring that consumers can access it.

Key Takeaways

The recent survey of devices and services that make up the Internet of Things reveals that many businesses in the area do not provide a privacy policy that is correct under the prescribed form. It serves as a reminder that all entities covered by the Australian Privacy Principles must have an up-to-date and clearly expressed privacy policy. Non-compliance with privacy requirements can not only result in action from governing bodies but also leave businesses vulnerable to privacy breaches and litigation. If you’d like to speak with a lawyer about your business’s privacy obligations, get in touch with LegalVision today. Questions? Call us on 1300 544 755 or fill out the form on this page.

Carole Hemingway
