In February, Australia's Attorney-General released a long-awaited report following a review of Australia's primary privacy law, the Privacy Act.
The Privacy Act was passed in 1988 to safeguard the personal information of individuals by establishing rules for the collection, use, disclosure and handling of data by government agencies and organisations. This act holds significant importance as it ensures the protection of our personal information in an increasingly digital world.
Over the years, the Privacy Act has tried to keep pace with a rapidly evolving landscape, but it has more recently fallen behind modern privacy legislation (such as the GDPR). In 2004, its scope was broadened to cover the private sector. In 2014, significant measures were taken to strengthen the protection offered by the act through the introduction of 13 guiding ‘Australian Privacy Principles’ (APPs). Most recently, in 2022 the government significantly increased the financial penalties following high-profile breaches at Optus and Medibank which impacted ~20 million Australians.
Fast forward to the present, and the government is looking to introduce the most substantial and wide-ranging set of reforms to Australian privacy law since the extension to the private sector two decades ago.
What are the proposals in the Privacy Act Report?
After a multi-year review process, the Privacy Act Report contains over 100 recommendations with far-reaching consequences. The proposals offer substantially enhanced protections and additional rights for individuals. For organisations, the most notable changes are the removal of exemptions for small businesses and the inclusion of extra-territorial application, meaning that a much larger number of businesses would have to comply with the law.
“The [proposals] shift the burden from individuals … and place more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place.” - Angelene Falk, Australian Information Commissioner and Privacy Commissioner
Overall, it would bring Australia’s privacy legislation closer to modern standards. There is a common desire amongst the proposals to bring Australia more in line with international law, in particular EU GDPR. However, whether the changes would be sufficient for the EU to grant an adequacy decision remains unknown.
In this article, we’ve summarised the key changes proposed and what this means for businesses.
Removal of exemptions for small businesses
Under the proposal, organisations with less than $3m annual turnover would no longer be exempt from complying with the legislation. There would be a consultation to identify the necessary support and resources required for these small businesses to meet compliance.
A requirement to conduct a Privacy Impact Assessment (PIA) for high-risk activities
A ‘high privacy risk activity’ is defined as an activity ‘likely to have a significant impact on the privacy of individuals.’ On top of requiring a PIA, all entities covered must also appoint or designate a senior employee responsible for privacy.
New rights for individuals, such as the right to erasure, to be delisted from online search engines, and to opt out of certain data processing
The report would establish new individual rights, including the right:
- to request that an entity explain the source and previous uses of personal information;
- to erasure;
- to object to the collection, use and disclosure of personal information (such as for automated decision making); and
- to request that an online search engine de-list results containing personal information.
New rights for individuals to opt out of direct marketing and targeted advertising
An individual would have the right to an unqualified opt-out of the use and disclosure of their personal information for direct marketing and targeted advertising. An entity must also obtain an individual’s consent before trading their personal information with other parties - such as affiliates or partner organisations.
Strengthened enforcement powers for the OAIC and the introduction of tiered penalties
The changes would replace the existing penalty framework with a three-tiered system based on the scale of severity. Introducing lower tiers will likely facilitate greater enforcement of one-off and non-serious breaches. The OAIC will also receive the power to undertake public inquiries and conduct reviews upon approval by the Attorney-General.
Introducing a direct right of action for breaches and a separate statutory tort for severe invasions of privacy
The proposals grant individuals a direct right of action to apply to the courts for compensation if they have suffered loss or damage due to a privacy infringement after following the OAIC complaints procedures. They also introduce a statutory tort for serious invasions of privacy.
Refining cross-border data transfer mechanisms
The proposals would restrict overseas data transfers to countries that provide equivalent data privacy protection. The recommendations would also standardise contractual clauses for cross-border data transfers and increase notification requirements for collection notices.
Other notable changes
Narrowing exemptions for employee records
Perhaps surprisingly, as it will likely be a barrier to achieving GDPR adequacy status, the exemption for employee records would be mostly retained. The proposals would extend transparency and security requirements to employee records and make them subject to the notifiable breach regime.
New requirements to enhance children’s privacy
The proposal introduces new provisions for children’s privacy, including a statutory definition of a ‘child’ and what constitutes valid consent. It would also prohibit direct marketing to children, trading children's personal information and targeting children (unless deemed in their best interest).
The definition of “personal information” would be broadened and brought closer to modern data protection laws (such as EU GDPR)
The definition of ‘personal information’ would no longer refer to information ‘about’ an individual but, rather, information that ‘relates’ to an individual. The new definition would encompass technical information (e.g., location data) and inferred data (e.g. predicting behaviours), which more closely aligns with international definitions.
New definitions and obligations regarding de-identified information
The changes would require organisations to take steps to protect de-identified information and ensure any overseas recipients comply with the APPs. The Report also proposes prohibiting the re-identification of de-identified data and the possibility of establishing a criminal offence for malicious re-identification.
Strengthening the Privacy Act’s notice, consent, and transparency requirements
The Report clarifies existing requirements by improving the standards of notices, amending the definition of consent, expanding the items of information provided in a collection notice, and ensuring a data subject can easily withdraw consent.
A new “fair and reasonable” test for all processing of personal information
The Privacy Act currently requires that collection of personal information must be done by lawful and fair means. The Report proposes replacing this with a much broader requirement, specifically that personal data collection, use or disclosure must be ‘fair and reasonable in the circumstances.’ These requirements would apply regardless of whether consent was obtained.
New transparency requirements for automated decision-making
Privacy policies would be required to identify the types of data used in ‘substantially’ automated decision-making, and how they are used, where the decisions have a legal or material impact on an individual’s rights. Individuals could also request meaningful information about how automated decisions are made.
Introduction of the controller-processor distinction
The report introduces a distinction between processors and controllers which did not previously exist. A non-APP entity that processes information on behalf of the data controller would only need to comply with the APP obligations to process the data transparently and securely, and to adhere to the notifiable breaches regime. The change would more closely align the Australian regime with modern international privacy laws.
Tightening the Privacy Act’s data breach notification requirements
Notification timeframes would be tightened to a 72-hour window for informing the OAIC of an eligible data breach. Previously, notification was required as soon as reasonably practicable, but the regime included a 30-day assessment window. The statement must also set out the steps the entity has taken, or intends to take, in response to the incident, including measures to mitigate any harm to impacted individuals.
What do Australians think?
The Attorney-General invited the public to provide feedback on the Report by March. The government has yet to publish a response or finalise the recommendations, but a recent OAIC survey indicates that the general public strongly supports the changes.
The OAIC Community Attitudes to Privacy Survey (2023) revealed that Australians overwhelmingly support more legislation: nine in ten (89%) respondents would like the government to pass more legislation that protects their personal information.
Furthermore, there was widespread belief (above 75%) that the Act should cover small businesses, employee records, political parties and media organisations and therefore have exemptions removed. There was also overwhelming support for additional rights, including the ability to delete data, object to data practices while retaining access to services, and seek compensation in case of a breach.
However, the proposals are not without criticism. Anna Johnston, an expert in privacy law and founder of Salinger Privacy, penned a formal submission and an excellent response that raises areas of concern. Some key issues include:
- Several proposals - such as the definitions of personal information and consent, and the approaches to regulating direct marketing, targeting and trading - undermine the Act’s technological neutrality and principles-based approach. This could quickly result in the Act becoming outdated.
- A lack of precise and robust definitions (particularly for ‘personal information’, elements of consent and handling of de-identified data) will lead to more compliance burden for organisations. It will also introduce ‘wriggle room’ as some companies race to the bottom to exploit any inconsistencies in the Act for as long as possible.
- The proposed individual rights will not live up to community expectations regarding giving individuals control over their personal information.
- The decision to delay, further consult on, or conditionally retain the existing exemptions (for small businesses, employee records, political parties, and media organisations) is a missed opportunity to aim for ‘adequacy’ when measured against the GDPR and the expectations of international trading partners.
Despite the shortcomings, the proposals are a necessary step in the right direction. However, the real measure of success will be the extent to which they encourage substantial behavioural change from both organisations and regulators.
There are no committed timeframes for the next steps.
The government is yet to publish a response to the public feedback and there are likely to be various revisions before a bill is introduced to parliament. Some recommendations also indicate a need for additional consultation (such as removing small business exemptions). Certain proposals may therefore take years to implement.
However, it is clear that change is on the way. It would be prudent to begin your planning now. You can start to protect your organisation by aligning with the broad compliance requirements of the proposals and addressing your customers' expected privacy needs.
If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.