The Attorney-General has released the Privacy Act Review Report (Report), which proposes expansive reforms to the Privacy Act 1988 (Cth) (Act) intended to strengthen and modernise privacy protections for Australians. The proposed reforms are all encompassing and touch on every aspect on how personal information is collected and managed, and introduce a multitude of new rights for individuals.
The new Government has already significantly increased penalties and strengthened the enforcement powers of the Office of the Australian Information Commissioner (OAIC) in the December 2022 amendments to the Privacy Act. These amendments were framed as an initial response to several high-profile ransomware attacks that took place last year, such as the Optus data breach. The next round of reforms is set to go much further.
While the latest Report highlights the areas for reform, it is still relatively light on specific detail and does not include draft language for legislative changes. The Attorney General’s Department has kicked-off another round of industry consultation which is expected to culminate in the release of an Exposure Draft and new legislation before the Parliament in the next 12 months.
Expanded scope of the Privacy Act
Expansion of the definition of personal information
As it currently stands, the definition of ‘personal information’ under the Act captures information or an opinion ‘about’ an individual who is identified or reasonably identifiable. Information about an individual may include information such as their name, date of birth and contact details.
The Report recommends expanding the definition of ‘personal information’ by replacing the word ‘about’ with the phrase ‘relates to’ to clarify that personal information will include information such as technical information (e.g. IP addresses and location data) and inferred information (e.g. predictions of behaviour or preferences). This will help resolve uncertainty which had existed over the treatment of certain categories of data under the Act.
The Report seeks to allay concerns that such updates would make the definition too broad and clarifies that information relating to an individual will not automatically be considered personal information as it must be connected to a specific individual and not be too tenuous or remote.
Removal of small business and employee records exemption
The Report also recommends that the Act be extended to apply to personal information handled by small businesses, which are currently subject to exemptions from the Act. The Report proposes consulting with small businesses about what support and resources may be needed to help ensure that those businesses are able to comply when the exemption is removed.
On the employee record exemption, the Report recommends that enhanced privacy protections should be extended to private sector employees, however it does not seem to endorse the removal of the exemption entirely. It recommends extending transparency and security requirements to employee records, as well as making them subject to the notifiable data breach regime. It suggests that further consultation is required to determine whether employee record-specific requirements should be implemented in privacy legislation or a code, or in the Fair Work Act.
Collection, use and disclosure of personal information
Notice and record keeping requirements
The Report proposes strengthened notice requirements for businesses when they collect personal information. This includes requiring a business to disclose in its privacy collection notice if an individual’s information is to be collected, used or disclosed for a high privacy risk activity (i.e. one which is likely to have a significant impact on the privacy of an individual). It would also need to provide details on how an individual can exercise any applicable ‘rights of an individual’ (explained further below) and set out the types of personal information that may be disclosed by the entity to overseas recipients.
It is proposed that businesses be required to keep records of the primary purposes for which it will collect, use and disclose personal information – this information should reflect what is set out in the business’ privacy collection notice. If the business subsequently wants to use or disclose the personal information for a secondary purpose, it must also make a record of that secondary purpose prior to or at the time the information is used or disclosed.
Fair and reasonable test
A new ‘fair and reasonable’ test is proposed to be used to determine whether the collection, use and disclosure of personal information is necessary for an entity’s function and activities. Previously, a business was required to consider whether collection was reasonably necessary for the entity’s functions or activities.
When conducting this balancing exercise, the Report recommends that a business consider:
- the reasonable expectations of the individual;
- the kind, sensitivity and amount of personal information being collected, used or disclosed; and
- whether the impact on privacy is proportionate to the benefit (among other factors).
The Report recommends that the OAIC develop guidance on how online services should design consent requests. This guidance (which could be codified in future) would outline specific layouts, wording or icons which could be used when obtaining consent, and could set out how the elements of valid consent should be interpreted in an online context.
The Report also specifies additional circumstances in which a business may need to obtain an individual’s consent, including where the business is trading the individual’s personal information for some benefit.
Rights of an individual
To align with community expectations that individuals should have greater transparency and control over their personal information, which has been fuelled in recent months by high profile data breaches, the Report proposes a number of new rights for individuals in relation to personal information about them.
- an expanded right to access personal information that relates to them and to receive an explanation of how the business collected that information and what it is used for;
- a right to object to the collection, use and disclosure of their personal information;
- a right to have their personal information erased by a business that holds it; and
- a right to have internet search results about them de-indexed and to correct personal information published in online publications.
Right of erasure
A right to erasure is being touted as the most significant of these new individual powers.
The Report has made a number of more granular recommendations about how this right would work. This includes a 30 day window for businesses to comply with the request to delete all of the personal information that relates to the relevant individual and inform any third parties to whom the personal information has been disclosed of the deletion request.
There are also some limited exceptions to the right of erasure including where there is public interest in retaining the information (e.g. required for law enforcement) or where the information is required to be retained at law. Information that has already been de-identified does not need to be erased unless it is subsequently re-identified (e.g. the business is not required to re-identify information in order to action an erasure request).
We expect that these new ‘rights of an individual’, including the right to erasure, are likely to require businesses to uplift their data governance systems and processes to be able to respond to these erasure requests.
Overseas data flows
The Report recommends broad updates to the overseas disclosure provisions in Australian Privacy Principle (APP) 8 which would see it adopt several concepts from the General Data Protection Regulation (GDPR) overseas transfer regime. If passed, APP entities (i.e. businesses covered by the Act) would be permitted to disclose personal information to an overseas recipient if:
- the overseas recipient is located in a ‘whitelisted’ jurisdiction (which we expect would likely include, at a minimum, all countries which are subject to an adequacy decision under the GDPR) or is subject to a prescribed certification scheme;
- the APP entity entered into standard contractual clauses with the overseas recipient; and
- the individual gives their informed consent to the disclosure, having been informed that privacy protections will not apply to their information if disclosed (which is already a requirement according to the APP Guidelines).
The availability of whitelisted jurisdictions and standard contractual clauses is likely to make it significantly easier for organisations to streamline compliance with APP 8 when dealing with overseas entities.
New cybersecurity measures
It is proposed that a new baseline set of privacy outcomes be included and to clarify that ‘reasonable steps’ to protect personal information (as well as de-identified information, per the proposals) includes both and organisational measures. This focus on cybersecurity reflects industry calls for greater clarity on technical controls will be necessary to combat malicious and criminal attacks (which the Report notes are the primary cause of data breaches), as well as increased public concern over cybersecurity.
For entities with reporting obligations under multiple frameworks, like the Security of Critical Infrastructure Act 2018, it is proposed that further work be done in harmonising security requirements across different regimes.
The Report proposes changes to data retention requirements, aimed at creating a culture of deleting personal information when it is no longer required. The Report highlights current practices of longer-than-necessary data retention as a key driver in the severity and scope of the impact of data breaches.
There is a new requirement for entities to establish minimum and maximum data retention periods, and to include these periods in privacy policies.
The disparate patchwork of statutory obligations to retain data is also proposed to be reviewed, particularly in light of the Australian Government Digital Identity System. This might see a raft of changes to a variety of pieces of legislation, like the Archives Act 1983, under which entities are exempted from Privacy Act requirements to delete or de-identify data that is no longer necessary.
72-hour notification timeframe
The Report proposes a new 72-hour window for APP entities to report eligible data breaches to the OAIC, starting from when they become aware that there are reasonable grounds to believe an eligible data breach has occurred, in line with the time window imposed by the GDPR. This tightens an existing obligation to report eligible data breaches to the OAIC as soon as reasonably practicable, but which included an assessment of up to 30 days.
The Report also suggests tackling confusion regarding which party makes notifications in cases of multi-party data breaches using the proposed ‘processor’ and ‘controller’ distinction, with all parties required to notify the OAIC, but only controllers required to notify affected individuals.
Regulation and enforcement
The Report contemplates significant reforms to enforcement including the introduction of a direct right of action for individuals impacted by interferences with their privacy, a statutory tort for serious invasions of privacy, new civil penalties, increased investigation and enforcement powers for the OAIC and broadened powers of the Federal Court and Federal Circuit Court in civil penalty proceedings.
New rights for individuals
Direct right of action
The Report proposes a direct right of action for individuals in relation to an interference with privacy. This would be available to individuals who have suffered loss or damage as a result of privacy interference by an APP entity. Remedies available to complainants are not proposed to be restricted and could include damages for hurt feelings and humiliation.
However, the Report attempts to temper the potential influx of claims by requiring a complainant to make a conciliation complaint to the OAIC prior to filing proceedings. If the OAIC considers the complaint does not involve an interference with privacy or is frivolous or vexatious, the complainant must seek leave of the court to bring the claim. This indicates that the OAIC will still have a key role in the initial resolution or at least the ‘triage’ of complaints.
It is contemplated that these direct claims could also be made on a representative basis, potentially contributing to the growing prevalence of privacy class actions in Australia.
Statutory tort for serious invasions of privacy
The Report also proposes a statutory tort for serious invasions of privacy which fall outside the Act, although it does not deal precisely with the meaning of ‘serious’ in this context.
The tort is intended to address information-handling by non-APP entities, such as individuals and most small businesses. The tort also aims to provide protections that aren’t related to personal information, for instance in relation to invasions of bodily privacy such as recording private affairs and invasions of territorial privacy such as searching of a person’s home. Damages for emotional distress may be awarded.
These claims will not be subject to the same ‘gatekeeper’ involvement of the OAIC as the direct actions. However, the court must undertake a ‘balancing exercise’ that considers both the public interest in privacy and other public interests. There are also recommended defences to accompany the tort, such as necessity.
New civil penalties
In addition to the increased maximum penalties for serious or repeated interference with privacy resulting from the December 2022 reforms, the Report recommends the introduction of new low-tier and mid-tier civil penalty provisions (with the precise penalty amount to be further considered). This addresses the fact that currently, a sanction for any breach of the Act that is less than ‘serious or repeated’ can only occur by OAIC determination. A mid-tier provision is to cover interferences with privacy that are not ‘serious’ and a low-tier provision is to cover ‘administrative’ breaches. This is likely to result in increased regulatory enforcement of non-serious and one-off interferences.
Amendment to the ‘serious and repeated interferences with privacy’ provision to remove the word ‘repeated’ and clarify the circumstances that involve a serious interference with privacy (including those involving sensitive information, those affecting large groups of people, where there are repeated breaches and where there is a serious failure to take proper steps to protect personal data) is also recommended. This may be a response to the influx of data breaches in recent months.
Increased OAIC regulatory powers
Increased investigatory powers for the OAIC in relation to civil penalty provisions are also proposed. The OAIC will have the power to undertake public inquiries and conduct reviews on approval of the Attorney-General.
The OAIC may also make determinations requiring business to identify and mitigate reasonably foreseeable risks to individuals that may result from an interference with privacy. It also proposes the power to issue temporary APP codes and make an increased range of Emergency Declarations.
Widened Federal Court orders
The Report recommends that the Federal Court and Federal Circuit Court have the power to make ‘any order it sees fit’ in a civil penalty proceeding where an interference with privacy has been established.
Feedback is now being sought to inform the Government’s response to the Report. Public and private entities are invited to submit their views on the 116 proposals raised, which are due on 31 March. Given the relatively short timeframe for consultation, businesses should begin to review the changes and consider making submissions. Corrs is able to assist clients seeking to make a submission to the consultation process.
In the meantime, businesses should review their complete suite of controls and policies relating to the collection, use, storage and de-identification of personal information to prepare for significant change in Australia’s privacy regime. Businesses should also note that increased maximum penalties for serious or repeated breaches of the privacy of an individual and strengthened OAIC enforcement powers have already commenced.