This week, two publications by the Australian Attorney-General's Department mark significant steps forward on the long road to reform of Australian privacy legislation:

  1. An exposure draft introducing amendments to the Privacy Act 1988 (Cth) (Online Privacy Bill), which will strengthen penalties and enforcement measures and introduce a binding privacy code for online platforms.1
  2. A discussion paper seeking submissions on 67 proposals for, and further questions in relation to, broader reforms to Australian privacy legislation (Discussion Paper).2

Submissions on the Online Privacy Bill and the Discussion Paper are due by 6 December 2021 and 10 January 2022 respectively.

The publications follow the release of an issues paper in November 2020 outlining the Privacy Act and seeking feedback on it, and the Government's December 2019 announcement that it would conduct a review of the Act as part of its response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry report (ACCC Report).3 We published a detailed overview of the ACCC Report's privacy recommendations and the Government response in early 2020, comparing key recommendations to the European Union's General Data Protection Regulation (GDPR) and the 2008 Australian Law Reform Commission report on Australian privacy law (ALRC Report).4

We have noted some key issues and themes below, with the two tables which follow summarising the proposals under the Bill and the Discussion Paper.

We will be publishing further commentary on specific topics raised by the Bill and the Discussion Paper.

Increased Penalties and Enforcement

As foreshadowed in earlier Government announcements and the ACCC Report, maximum penalties under the Privacy Act will increase to $10 million, three times the value of the benefit obtained from the breach, or in some cases 10% of domestic annual turnover. This aligns with penalties under the Australian Consumer Law. Other changes to the enforcement powers of the Office of the Australian Information Commissioner (OAIC) will likely encourage actions by the OAIC and greater collaboration with other regulators (such as ASIC, APRA, the ACMA and the ACCC), some of which have been increasingly active in dealing with privacy and data issues in recent years.

Third Party Collection

The Discussion Paper proposes requiring privacy notices to identify the specific third parties from which personal information is collected. Entities should also provide this information on request in respect of particular personal information, unless doing so is impossible or would involve disproportionate effort.

Fairness Requirements

The Discussion Paper appears to move away from the ACCC Report’s suggestion to make consent the principal basis for collection, use and disclosure. Instead, the Discussion Paper makes recommendations which place greater responsibility on entities handling personal information to ensure that handling is fair and reasonable. These may include requiring them to introduce pro-privacy defaults on a sectoral or other specified basis and take ‘reasonable steps’ to identify and mitigate risks associated with:

  • the collection, use or disclosure, on a large scale, of certain types of information (biometric or genetic data and other sensitive information, children’s personal information, location data),

  • certain purposes (direct marketing, targeted advertising, profiling, sale, influencing individuals’ behaviour or decisions), or

  • activities that are otherwise likely to result in a high privacy risk or risk of harm to an individual.

The paper also considers measures to increase an individual's capacity to self-manage their privacy in relation to these practices, including consent and the right to opt out in respect of an expanded set of sensitive information and restricted practices.

Overseas Data Flows

Individuals’ Rights

Similarly, the Discussion Paper introduces greater flexibility around some of the GDPR-inspired rights that the ACCC Report had proposed to introduce, having taken into account submissions on the challenges of introducing such rights (including legal retention requirements and technical challenges). For example, it proposes that individuals may only request erasure of their personal information where certain specified grounds apply, such as where the personal information must be destroyed or de-identified under Australian Privacy Principle (APP) 11.2, is sensitive, or relates to a child, and subject to some exceptions (which could include where the personal information is required for a transaction, where erasure is technically impractical, or for public interest reasons).

Direct marketing

The Discussion Paper proposes to repeal the current APP 7 (direct marketing) in favour of a number of proposed reforms. These proposals include greater transparency where an individual’s personal information will be used to influence their behaviour, risk assessments for large scale direct marketing (including online targeted advertising) and an unqualified right to object to direct marketing.

Employee Records and Small Businesses Exemptions

The Discussion Paper does not make specific proposals in respect of the current exemptions under the Privacy Act, noting that further consideration of those issues is required.5 Rather, it seeks submissions on some suggested options to reform (rather than remove) those exemptions:

  • In particular, the paper notes that completely removing the small business exemption could prove too burdensome, but that options which could be considered include: a reduction of the annual turnover threshold (currently $3 million), limiting the scope of the exemption to some but not all of the APPs, and requiring small businesses to comply with simplified rules or only in relation to high risk activities.

  • Likewise, the paper notes that removing the employee records exemption would make it difficult to administer the employment relationship, but suggests modifications to allow better protection of employee records while retaining sufficient flexibility. For example, the paper suggests introducing a standalone exception into APPs 3 (collection) and 6 (use and disclosure) for the collection, use and disclosure of an employee's personal and sensitive information by a current or former employer for any act or practice directly related to the employment relationship, while allowing enhanced protection of employee privacy through the application of other APPs, such as APPs 8 (cross-border disclosure) and 11 (security/retention), as well as through workplace relations legislation.

Controllers and processors of personal information

The Discussion Paper acknowledges that a number of submissions recommended introducing into the Privacy Act the concepts of data controllers and data processors, found in overseas data protection frameworks including the GDPR, to clarify the allocation of responsibilities relating to notification, consent and security, but notes that this may present challenges, including because of the small business exemption. The paper does not make any specific proposals on this issue but poses a number of questions to be considered in submissions.

Direct Right of Action

The Discussion Paper proposes creating a direct right of action for interferences with privacy, as a further avenue for impacted individuals and groups following their initial privacy complaint.

Table 1 - Online Privacy Bill Amendments