The Australian Government has released comprehensive terms of reference and an issues paper ("Issues Paper") as part of its long-awaited review of the Australian Privacy Act 1988 (Cth) ("Privacy Act"). The review forms part of the government's response in December 2019 to recommendations in the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry ("DPI Report") to strengthen privacy laws in Australia. It marks the first of two papers seeking public input on the Privacy Act.
The Issues Paper outlines the current state of play in Australian privacy law and seeks feedback on numerous issues. These issues are largely framed by reference to the findings and recommendations in the DPI Report (some of which the government has already agreed to in principle), as well as earlier privacy reviews such as the Australian Law Reform Commission's (ALRC) 2008 report 'For Your Information: Australian Privacy Law and Practice' (Report 208) and other privacy-relevant developments.
The review effectively covers all of the Privacy Act, other than the credit reporting regime and the operation of the provisions relating to the COVIDSafe app. The key areas where feedback is sought include:
- the scope and application of the Privacy Act (including the definition of personal information, exemptions from the privacy regime and the general permitted situations for collection, use and disclosure)
- the privacy framework (including notice and consent requirements, requirements for overseas data flows and a potential right of erasure)
- a potential direct right of action
- a potential statutory tort for serious invasions of privacy
- the notifiable data breach scheme
- enforcement powers
- a potential independent certification scheme for monitoring compliance
Given the continued emphasis on consumer protection, and the corresponding focus on strengthening privacy protections for individuals, evident in the Issues Paper, this process is likely to result in an uplift in compliance obligations for businesses that handle personal information. However, the review has a long way to run. The government's position on the various issues will become clearer when it releases a planned Discussion Paper in the new year setting out potential options for reform. The key question will be whether the government strikes the right balance between its stated aims of improving the privacy rights of individuals and maintaining a regime that "operates effectively for all elements of the community" and "allows for innovation and growth of the digital economy".
The review is wide-ranging and the questions posed in the Issues Paper are relatively open-ended at this stage. However, the following key themes emerge from the Issues Paper:
- An increased focus on the consumer and the user experience, which is unsurprising given the origins of this review in the DPI Report. The questions seek views on whether the current balance between individual privacy and an entity's interest in carrying out its functions and activities needs to become more emphatically pro-consumer. Consideration is given to how best to strengthen existing privacy protections, provide additional rights for individuals and, ultimately, allow consumers to make more informed choices about the collection and use of their information. Of particular note, the Issues Paper focuses on:
  - potential ways to avoid "information overload" while ensuring that individuals are aware of, and notified about, relevant matters. For example, the Issues Paper asks whether a standardised framework of notice (such as icons or phrases) would be effective in helping consumers understand collection notices.
  - potentially strengthening current consent requirements while also addressing consent "fatigue". Of particular note, the Issues Paper picks up the ACCC's concerns around bundled consent (including the risk that it prevents meaningful consent) and around whether pro-consumer privacy defaults should be implemented to give consumers a more protective starting position. In addition, consideration is given to more prescriptive requirements for seeking consent from minors.
  - potentially introducing a direct right of action enabling individuals to seek compensation in court for a breach of their privacy. The introduction of a direct right of action was supported in principle by the government in its response to the DPI Report.
- Widening the scope of who and what is caught by the Privacy Act. The Issues Paper considers a general widening of the scope of the Privacy Act, most notably to expand the definition of "personal information" and to alter the existing exemptions from compliance. Of particular note, the government has focused on:
  - potentially expanding the definition of "personal information" to capture technical data and other online identifiers, as well as inferred personal information. Changes to the scope of information covered could result in a significant uplift in compliance obligations for businesses in relation to additional data sets, particularly for data-matching activities that use inferred information (i.e., combining information to reveal personal information about an individual). This stems in part from the Full Federal Court decision in the 2017 Grubb case, which held that telecommunications metadata was not "personal information" and highlighted the absence of a legislative basis for classifying some technical data as "personal information", a position that is at odds with the EU General Data Protection Regulation (GDPR).
  - the scope and application of all current exemptions from the Privacy Act, and whether those exemptions should be narrowed, including:
    - the impact of the employee records exemption on the protection afforded to employee personal information, as well as the challenges of obtaining genuine consent (where necessary) in the context of an employment relationship
    - whether the journalism exemption continues to balance media freedoms with individual privacy
    - the suitability of the small business exemption, including whether the definition of a small business remains appropriate or should be re-conceptualised to reflect modern, technology-driven business models, so that businesses with significant holdings of personal information (including sensitive information), and which pose an increased privacy risk, are subject to the Privacy Act. The Issues Paper highlights that no other comparable jurisdiction provides this exemption.
- Alignment with GDPR concepts, and potential GDPR "plus" compliance. The Issues Paper revisits DPI Report recommendations for a shift from a principles-based privacy regime towards a more GDPR-style compliance regime in Australia. However, the questions posed leave open the possibility that the government may consider introducing certain regulatory standards that go beyond the GDPR to a GDPR "plus" level of compliance. Of particular note, the Issues Paper poses questions relating to:
  - consent as the primary legal basis for handling personal information, including whether separate consent should be required for each purpose of collection, use and disclosure. Adopting this kind of approach could result in a more stringent regime than the GDPR and other GDPR-based regimes, which tend to provide alternative legal bases for processing, such as legitimate interests.
  - whether Australia should adopt a right to erasure (or "right to be forgotten") similar to that provided under the GDPR. The Issues Paper seeks input on how this right could be implemented without negatively impacting other public interests, such as freedom of expression and the free flow of information.
  - the benefits of Australia obtaining "adequacy" status under the GDPR, both to facilitate cross-border transfers of data between the EU and Australia and to demonstrate the strength of Australia's privacy regime. Currently, Australia's privacy laws are not recognised as adequate by the EU due, in part, to the operation of the small business and employee records exemptions. However, the recent decision of the European Court of Justice in Schrems II underscores the importance of also considering national security and surveillance laws in any decision by the government to seek adequacy for Australia.
- Adoption of a certification scheme for compliance. The Issues Paper discusses the formal implementation of a regional certification scheme, such as the APEC CBPR system, with the aim of better upholding an individual's privacy protections when personal information travels across borders. One proposal for achieving this is to develop a separate code under Part IIIB of the Privacy Act, to operate in parallel to the Australian Privacy Principles. Businesses covered by its provisions could voluntarily obtain CBPR certification status at a cost. The Issues Paper also considers the possibility of an additional domestic privacy certification scheme.
- Increased civil penalties. The Issues Paper reasserts the government's announcement in March 2019 of significant increases to the maximum civil penalties for serious or repeated interference with an individual's privacy, to the greater of AUD 10 million, three times the value of any benefit obtained, or 10% of the company's annual domestic turnover.
Submissions to the Issues Paper close on 29 November 2020 and can be made here. The Discussion Paper will be released in early 2021.