Direct Marketing and Data Sharing: Shahin v BP Australia

Direct marketing is a prevalent and ever-increasing aspect of life in this digital age. Direct marketing does not, of course, have to be digital but that is generally the method used to get marketing material out to the widest audience in the quickest and easiest way.

Direct marketing can only happen if a business that wants to market products or services has contact information for potential customers that it wants to market to, and it will be more effective if it is targeted to the potential needs or preferences of potential customers.

So, data with contact details and useful information about habits, needs and preferences of individuals can be very valuable to a business seeking to use direct marketing.

Can businesses use direct marketing?

Given the prevalence of direct marketing, it may seem an odd question to ask whether a business can market directly to individuals. The question is really whether the business can use personal information, particularly names, addresses or other contact details, or personal information to do this. This is governed by the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth)(“the Privacy Act”).

The APPs apply to personal information of individuals, that is real people, so information about firms, companies or other entities is not personal information and the APPs do not apply to marketing to them.


The starting point is APP 7, which deals expressly with direct marketing. APP 7.1 prohibits an organisation that holds personal information about an individual from using or disclosing the information for the purpose of direct marketing. This absolute prohibition, however, is qualified by some exceptions in APPs 7.2-7.5.

The exceptions that will most commonly apply are those in APP 7.2 and APP 7.3 relating to the use or disclosure of personal information, other than sensitive information, about an individual for the purpose of direct marketing. APP 7.4 deals with sensitive information about an individual and requires consent of the individual for use or disclosure of the sensitive information for direct marketing.


APP 6 also deals with use or disclosure of personal information by an organisation, and APP 6.1 prohibits use or disclosure of the information that was collected for a particular purpose (the primary purpose) for another purpose (the secondary purpose) unless the individual has consented or (for an organisation) exceptions in APP 6.2 apply. The main exception in APP 6.2 for information, other than sensitive information, is that the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is related to the primary purpose.

Shahin Enterprises v BP Australia

A recent judgment of Justice Blue in the Supreme Court of South Australia has clarified the operation of some of the provisions of APP 7, and the interaction of APP 7 and APP 6.[i]

For those who may have had some difficulty understanding APP 7 and APP 6, it may be some comfort that Justice Blue has observed that:

“…Principle 7 is unhappily drafted: the draftsperson has not adequately grappled with the various dichotomies created or sought to be created within Principle 7 or between Principle 7 and Principle 6 or with the situation in which an organisation discloses personal information to another organisation for the purpose of direct marketing by that other organisation.”

In his concluding remarks, the Judge went even further, saying:

I have observed that in several respects Principle 7 is unhappily drafted. It is desirable that the Commonwealth review whether Principle 7 should be comprehensively redrafted to manifest more clearly the legislative intention sought to be effected by it”.

The issues in Shahin v BP Australia

The litigation between Shahin Enterprises and BP Australia arose out of an agreement between these companies entitled “BP Branded Privately Owned Sites Agreement” (“the agreement”). This Agreement was completed following the acquisition by Shahin Enterprises from BP Australia (“BP”) of 25 service stations operated by BP in South Australia.

The litigation involved the construction of clauses of the Agreement relating to the branding of sites operated by Shahin as BP service stations and, in relation to direct marketing, clause SC21 which provided that:

Subject to relevant privacy legislation, BP will regularly provide to the Dealer information reasonably requested about BP cardholders who visit Dealer sites so that the Dealer may market goods and services to these customers.

Relying on clause SC21, Shahin made a written request to BP requesting personal information about BP Plus card customers who visited Shahin petrol stations in the previous 24 months. Shahin said expressly that its purpose in making the request was to market goods and services at its service stations directly to the BP cardholders.

BP refused the request of Shahin on the basis that it would breach the applicable privacy legislation referred to in clause SC21, which was acknowledged to be the Privacy Act and the APPs. In the proceedings, BP contended that the disclosure by it to Shahin of the requested information would have been a breach of the legislation, and that the use by Shahin of the information, if disclosed, for direct marketing would also have been a breach of the legislation.

Shahin asserted that the refusal of BP to provide the information was a breach of clause SC 21, and asserted that the disclosure of the information by BP would not have been contrary to the legislation. The Judge found that the disclosure of the information by BP would have been contrary to the APPs, and that BP did not therefore breach clause SC 21 by this refusal, but this was not a straightforward conclusion because of the wording of the APPs.

Some of the findings of the Judge in relation to the direct marketing and privacy issues are:

  • Disclosure by an organization (primary organisation) to another organisation (secondary organisation) for the purpose of direct marketing by the secondary organisation is governed by solely by APP 7, not APP 6. As APP 6.7 provides that APP 6 does not apply to the use or disclosure by an organisation of personal information for the purpose of direct marketing, this may have seemed obvious. However, this is one of the areas in which the Judge observed that APP 7 is “unhappily drafted”.

    BP argued that APP 6, not APP 7, applied to any disclosure of personal information by BP to Shahin for the purposes of direct marketing by Shahin (not BP). The Judge thought that the construction advanced by BP was arguable, but that although the “various dichotomies” within APPs 7 and 6 made this position arguable, on the balance, BP’s argument did not succeed and APP 6 was held not to apply to the disclosure by BP of information to Shahin for the purpose of direct marketing by Shahin, which disclosure was exclusively governed by APP 7.
  • APP 7.2 only authorises the use or disclosure of personal information about an individual for the purpose of direct marketing by the organisation which collected the information from the individual. It does not authorise an organisation that collected information (primary organisation) to disclose personal information to another organisation (secondary organisation) for the purpose of direct marketing by the secondary organisation.

    The Judge considered that this conclusion was reinforced by APP 7.3 which applies (among other situations) to use or disclosure of personal information by a secondary organisation when the organisation has collected information from a source other than the individual.
  • The requirement of APP 7.2(a) that an organisation has collected information from an individual only applies when the organisation collects information from the individual (by the organisation or its agent) and does not apply when the information was collected from someone other than the individual, but the individual was the ultimate source of the information. The Judge observed that although the text of APP 7.2(a) does not refer to the collection of information “directly” from an individual, this is the proper construction of APP 7.2(a).
  • The requirement of APP 7.3(b)(i) that an individual has consented to the use or disclosure of information requires that the consent should be to the use of the information for direct marketing by the organisation seeking to use the information. BP’s terms and conditions and Privacy Policy contained terms which allowed BP to send direct marketing communications. The Judge held, however, that these terms were not a consent by a cardholder to the disclosure of personal information by BP to Shahin for the purpose of direct marketing by Shahin.
  • The requirement in APP 7.3(b)(ii) that it is impractical to obtain the consent of an individual is not satisfied if an organisation holding personal information lacks the power to unilaterally change terms and conditions to provide for consent or if it is difficult to do so. If BP was not able to change its terms and conditions for cardholders it could still have obtained consent, even if this was difficult. The Judge observed that “It is not clear what circumstances the legislature had in mind in obviating the need for consent when it is impracticable to obtain that consent”.

    Shahin contended at trial that BP had an implied obligation to amend its cardholder conditions to provide for consent, but as this was not pleaded, the Judge did not make any finding.
  • The primary purpose for which information is held in accordance with APP 6.1 may include more than one purpose, not just a single primary use. The Judge, however, rejected the contention of Shahin that the primary purpose of information collected by BP was disclosure to Shahin for the purposes of direct marketing.

The reference in clause SC 21 of the Agreement to the “relevant privacy legislation” meant that as a matter of construction of the Agreement BP was not in breach by refusing to supply the requested personal information to Shahin. This leaves open the question of what would have been situation if there had been no reference to privacy legislation in the Agreement. The Judge observed, although noting that this was not strictly necessary for the decision, that a disclosure by BP would have been unlawful, and the result would, presumably, have been the same.

Perhaps the clearest lesson from this case is that terms and conditions of organisations providing for consent by individuals to the use of personal information for direct marketing should be very clearly expressed, and that this is particularly the case if data will be shared with other organisations for the purpose of direct marketing by other organisations.

Other legislation

Apart from the APPs, there are other requirements which must be considered if direct marketing is to be undertaken. These include:

  • Compliance with the Spam Act 2003 (Cth) (“the Spam Act”) if the direct marketing is to be undertaken by way of electronic messages. APP 7.8 provides that APP 7 does not apply to the extent that the Spam Act or the Do Not Call Register Act 2006 apply. This leaves the interaction of the APPs and those Acts somewhat up in the air, and may be another example of “unhappy drafting”.
  • Section 20G of the Privacy Act provides that a credit reporting body holding credit reporting information about an individual must not use or disclose that information for the purposes of direct marketing, subject to some limited exceptions.

Time to review contracts and privacy policies

It may be prudent for organisations to review their terms and conditions and privacy policies to consider the consents that are given by individuals for use of personal information for direct marketing.

[i] Shahin Enterprises Pty Ltd v BP Australia Pty Ltd [2019] SASC 12.

For more information, please contact:
Sandy Donaldson

Sandy Donaldson
p.  +61 8 8124 1954
e.  Email me

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.

Legal Enquiry

Need assistance? Describe the matter and we’ll be in touch asap.

Legal Enquiry Form

News Subscription

Stay up to date. Key legal developments, firm news and events.

Subscribe Now


Level 14, 96-100 King William Street Adelaide SA 5000

CALL +61 8 8124 1811

Connect with us

© Copyright - DW Fox Tucker Lawyers - Commercial Lawyers Adelaide