Data privacy and cybersecurity in a transactional context
Has the data privacy authority issued any guidance on data privacy compliance in the context of transactional activity (including, but not limited to, share sales, asset sales, reorganizations or spinouts)?

Last review date: 31 December 2024

☒         Yes

If yes, please provide a link

The OAIC has published brief guidance on the privacy law considerations around selling a business, with content aimed at vendors and prospective purchasers. The OAIC’s guidance on trading in personal information also clarifies that the sale of a whole business is not trading in personal information. Additionally, the OAIC's guidance for organizations and the APP Guidelines will be useful when considering how the Privacy Act applies in these (and other) contexts.

In general terms, the APPs will need to be complied with during due diligence, through completion, and beyond. Depending on the nature of the transaction and whether the purposes for which personal information will be used and disclosed will change from those already covered in notices given and/or consents obtained previously, additional notices and/or consents may be needed. Privacy-related documentation (e.g., privacy policies, data breach response plans, data processing agreements) also typically requires review and updating following a transaction. Data handling practices and sharing arrangements should also be considered to ensure they meet the business' forward-looking objectives in a compliant way.

Refer to section 10 of our Post-acquisition Integration Handbook (2023) for more discussion on the privacy, data and security considerations in a post-transaction context.

In the context of an asset sale (the sale of a separate business unit as a going concern), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the assets that are the subject of the asset sale)?

Last review date: 31 December 2024

☒         It depends (for example, on the way the asset sale is structured, and/or the assets being acquired)

The Privacy Act does not include provisions specifically on the heritability (or otherwise) of liability for previous interferences with privacy. The fact that an entity acquires data or systems (assets) that have previously been the subject of a data privacy or cybersecurity breach will not, of itself, make it liable under the Privacy Act for that pre-acquisition data breach. Nevertheless, there could be legal, financial, operational and reputational repercussions for the acquiring entity, depending on a range of case-specific factors, such as whether the transaction implicates the acquiring entity in an ongoing compliance issue (e.g., if, following the transaction, the acquiring entity collects, holds, uses and/or discloses personal information in a non-compliant manner). This may be the case where data and systems are transferred in the context of the sale of a business as a going concern, such that the data handling practices of the selling entity are continued by the acquiring entity. In any event, as with many other asset types, it is common for acquirers to seek warranties and/or indemnities regarding data privacy and cybersecurity issues from a seller to try to mitigate potential risks associated with acquired data or systems.

If so, how would any regulatory fines be calculated?

Last review date: 31 December 2024

☒         Based on a metric other than those outlined above

Please see our responses in the penalties for non-compliance section for details of the maximum penalties that may be imposed under the Privacy Act. The legislation provides several means of calculating penalties and the facts of a specific case would determine the available means for calculating penalties. As at the time of writing, no civil penalties have been ordered under the Privacy Act.

In the context of a share sale (where the acquiring entity acquires 100% of the shares of a target company), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the target company)?

Last review date: 31 December 2024

☒         It depends (for example, on the way the share sale is structured)

The Privacy Act does not include provisions specifically on the heritability (or otherwise) of liability for previous interferences with privacy. The fact that an entity acquires, via a share acquisition, a target entity that has been connected with a pre-acquisition data privacy or cybersecurity breach will not, of itself, make the acquiring entity liable under the Privacy Act for that pre-acquisition data breach. Nevertheless, there could be legal, financial, operational and reputational repercussions for the acquiring entity, depending on a range of case-specific factors, such as whether the transaction implicates the acquiring entity in an ongoing compliance issue (e.g., if, following the transaction, data of the target is shared with the acquiring entity and the acquiring entity collects, holds, uses and/or discloses that personal information in a non-compliant manner). In any event, it is common for acquirers to seek warranties and/or indemnities regarding data privacy and cybersecurity issues from a seller to try to mitigate potential risks associated with the compliance failings of acquired entities.

If so, how would any regulatory fines be calculated?

Last review date: 31 December 2024

☒         Based on a metric other than those outlined above

Please see our responses in the penalties for non-compliance section for details of the maximum penalties that may be imposed under the Privacy Act. The legislation provides several means of calculating penalties and the facts of a specific case would determine the available means for calculating penalties. As at the time of writing, no civil penalties have been ordered under the Privacy Act.