Changes to the Privacy Act

Changes to the Privacy Act – the provision of goods on credit

Increased compliance obligations for SMEs that provide credit, including to commercial customers

On 12 March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (“the Act”) commenced, and the expanded definition of credit provider now applies to a number of businesses that may previously have been excluded under the old provisions.

In the past, businesses may have been excluded from the definition of credit provider because of their legal structure, because turnover was less than $3 million, or because of the type of credit that was offered (commercial credit as opposed to consumer credit).

The Act now applies to businesses that provide credit, regardless of turnover, if that business meets the definition of a ‘credit provider’ under the Act or regulations. The definition now includes credit providers that provide exclusively commercial credit (and do not provide any consumer credit).

New definition of ‘credit provider’

In summary, the definition of ‘credit provider’ under s 6G of the Act covers banks, organisations or small business operators for whom a substantial part of their business is the provision of credit, retailers who provide credit cards to customers, businesses that are prescribed as credit providers by the regulations, and further includes businesses that provide goods and/or services, and where payment for those goods and/or services is deferred for at least 7 days.

Substantial part of the business or undertaking is the provision of credit

Under the new law, there are two ways in which certain businesses may meet the definition of credit provider. The business may elect to meet the definition of credit provider under the Act if “a substantial part of the business or undertaking (of the business) is the provision of credit.” Alternatively, the business may be prescribed to be a credit provider by the Act or the regulations. Where the business elects to be a ‘credit provider’ under the Act, it is also an APP entity and must adhere to the Australian Privacy Principles. However, if the business is prescribed to be a ‘credit provider’ under the Act, the Australian Privacy Principles apply, but only in relation to the credit that it provides.

Australian Privacy Principles

The Australian Privacy Principles set out how businesses should collect, use and disclose personal information of individuals, and the individual’s rights to their personal information that is held or managed by the business. More on the APPs can be found in a separate Harricks’ briefing on this topic.

New definition of credit

The Amended Act deletes the definitions of loan and credit from s 6(1) and all references to loan from the relevant sections. The following definition of credit is inserted at s 6M(1) and (3) of the Amended Act:

(1) Credit is a contract, arrangement or understanding under which:

(a) payment of a debt owed by one person to another person is deferred; or

(b) one person incurs a debt to another person and defers the payment of the debt.

(3) Without limiting subsection (1), credit includes:

(a) a hire-purchase agreement; and

(b) a contract, arrangement or understanding of a kind referred to in that subsection that is for the hire, lease or rental of goods, or for the supply of services, other than a contract, arrangement or understanding under which:

(i) full payment is made before, or at the same time as, the goods or services are provided; and

(ii) in the case of goods—an amount greater than, or equal to, the value of the goods is paid as a deposit for the return of the goods.

Compliance obligations upon credit providers

The Act requires compliance by credit providers in relation to the collection, use and disclosure of credit information and credit eligibility information. These provisions apply in addition to, and in some cases, in place of the Australian Privacy Principles.

Credit providers under the Act must have a transparent management policy for the credit information and credit eligibility information that they handle, and it must be available in a form that is accessible. In most cases, publishing the policy on the website of a business that is a credit provider will be sufficient. Credit providers must also advise as to the name and contact information of any credit reporting body to whom the credit provider is likely to disclose credit information or credit eligibility information, and must advise if the information is likely to be provided to an entity outside Australia.

Credit providers may also be required to join an accredited External Dispute Resolution Scheme.

If you have any queries or require any assistance with regard to the Privacy Act, please do not hesitate to contact Harrick Lawyers on (03) 9670 2266.