Following the Attorney-General’s Department’s Privacy Act Review Report published in February 2023 (Report), the Australian Government has just published its response to the Report (Response). The Response follows submissions from various stakeholders (including by Gadens) on the 116 proposals in the Report that look to overhaul the current Privacy Act 1988 (Cth) (Privacy Act).
Whilst it’s fair to say that the Government has agreed with many, if not all, of the Attorney-General’s proposals for reform, there are still many proposals where the finer detail has yet to be worked through.
Prioritised changes where we should expect to see draft legislation released either later this year or early 2024 broadly include:
- greater enforcement and code powers for the Office of the Australian Information Commissioner (OAIC);
- new tiered civil penalties for breach;
- enhanced security and data breach reporting requirements (which is not a surprise noting the current threat environment);
- greater transparency requirements for automated decision-making, particularly in privacy policies;
- improved protection for children’s data, including a Children’s Online Privacy Code – with a ‘child’ now confirmed as being a person under the age of 18 years old (a marked change from previous OAIC guidance on this point);
- introducing a form of ‘white list’ for cross-border data transfers; and
- criminalisation of the act of malicious re-identification of previously de-identified information.
Although this is a step in the right direction, the Government has indicated that further work is required before it can proceed with many of the more significant reforms in the Report. Further engagement with regulated entities, a comprehensive impact analysis and a ‘benefits and economic costs’ review are to be undertaken by the Attorney-General’s Department and Treasury before we see further proposals on those remaining reforms. We are also likely to see some transition period(s) for material changes, as the Government recognises the significant uplift the reforms will require of many industries and sectors (taking lessons, no doubt, from the EU GDPR fallout).
Although many may be disappointed with the slower pace, it is clear that the Government has agreed to these proposals in principle, and organisations should therefore expect a busy privacy-focused 12 to 18 months ahead, as the Government rolls out phased changes to the Privacy Act, in alignment with related, but separate changes focused on strengthening cyber security, the adoption of artificial intelligence (AI), and greater detail around digital identity.
The Response sets out the initial proposals for change with which the Government agrees, which will form the basis of the first tranche of legislative reforms to be implemented in 2024. This will follow targeted consultation. We expect that the period of consultation on these measures is likely to be limited, given the lengthy review timeframe to date.
Some of the key reforms that we anticipate will be included in this first tranche of reforms are:
- Children and a new Children’s Online Privacy Code – Protections for children and a new APP code to clarify how the best interests of a child should be managed in the design of any online service that is likely to be accessed by children. The code is likely to align with approaches taken internationally, including the UK’s Age Appropriate Design Code. A ‘child’ will also be defined for the purposes of the Privacy Act as being a person under the age of 18 years old – which is a marked departure from existing privacy laws which do not specify an age, but appears to be aligned with the OAIC’s guidance on the appropriate age for capacity to give consent in a privacy context. This will be an impactful change for many digitised organisations offering goods and services online.
- Greater enforcement of privacy protections – Strengthening OAIC and Court enforcement powers for interferences with privacy through:
  - enhanced OAIC powers to take action for ‘serious’ breaches of privacy – as opposed to the current requirement for an interference to be both ‘serious’ and ‘repeated’ (the OAIC is to provide further guidance on the factors it considers when determining an action);
  - a new mid-tier civil penalty provision to cover interferences with privacy that do not meet the newly defined ‘serious’ threshold;
  - a new low-level civil penalty provision for specific administrative breaches of the Privacy Act and Australian Privacy Principles (APPs), with set penalties to be issued by the OAIC;
  - a requirement for entities to identify, mitigate and provide redress for actual or foreseeable loss suffered by an individual as a result of any serious interference with privacy (with expected OAIC guidance on how this can be achieved); and
  - expanded powers for the OAIC to investigate civil penalty provisions and undertake public inquiries and reviews (with approval or direction by the Attorney-General).
- Enhanced security obligations – Existing data security and data destruction obligations under the Privacy Act are to be enhanced so that the requirement for a regulated entity to take ‘reasonable steps’ will include both technical and organisational measures. The Government has said that it also agrees that the OAIC should develop further guidance on what ‘reasonable steps’ will involve in respect of these technical and organisational security measures, and in respect of data destruction and de-identification. We expect that OAIC insight is likely to draw from the EU’s General Data Protection Regulation and parallel UK laws, noting the aligned terminology.
- Data breach responses and information sharing – Introduction of a right for ‘appropriate entities’ (such as financial institutions and banks) to share information (for designated purposes and with a time limit) in order to help reduce the risk of harm in the event of a data breach. This aligns with the approach taken by the Government when in October 2022 it implemented the temporary Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022, to permit information sharing by telecommunications carriers and carriage service providers, following a high profile data breach last year. The Government will also give further consideration to streamlining data breach reporting for entities with multiple-reporting obligations. This is likely to include alignment of the proposed 72-hour reporting obligation for eligible data breaches with other relevant reporting frameworks, such as timelines applicable under APRA’s Prudential Standard CPS 234 and amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
- Supporting overseas data flows – Introduction of a form of ‘white list’ mechanism to prescribe countries with substantially similar privacy laws, to which regulated entities may disclose personal information to resident recipients without the need for further contractual provisions or other measures. This is also to be supplemented by consultation on an additional requirement in subsection 5B(3) of the Privacy Act, which establishes the extraterritorial reach of the Act, to demonstrate that the information has an ‘Australian link’. This indicates recognition of the possible overreach of the extraterritoriality changes implemented under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), as highlighted by the recent Clearview AI case.
- AI and automated decision-making – Creation of a requirement to demonstrate the transparency and integrity of decisions that are made using automation or AI. This includes a requirement that regulated entities disclose in their privacy policies the types of personal information used for substantially automated decisions that have a ‘significant effect on an individual’s rights’. The types of decisions that would be captured by this may include decisions on whether or not to accept an application for financial or lending services, housing, or insurance, supplemented by OAIC guidance. Further enhancements will include an obligation to provide ‘jargon-free’ information on how automated decisions of this nature are made.
- OAIC to have power to make APP codes – Where there is no appropriate industry representative to develop the code or the code is urgently required, the OAIC will unilaterally be able to introduce new APP codes to supplement the APPs, and to make Emergency Declarations for specific entities, classes of entities or classes of personal information, to permit sharing of personal information in response to emergencies and disasters, without the need for any other AG or court approval.
- Continued exemption for media organisations – The Government agrees that media organisations should remain exempt from the Privacy Act, subject to enhanced self-regulation, and oversight from the ACMA, APC or IMC.
Proposals for further consultation
Although many of the touted ‘big ticket’ reforms are still subject to further consultation and impact analysis, the Government has confirmed its ‘in principle’ agreement with all of the proposals, and with the manner in which they have been proposed by the Attorney-General, including (in particular):
- enhancing privacy protections for private sector employees and changes to the employee records exemption;
- a removal of the small business exemption;
- introduction of a direct right of action for breach and a statutory tort for serious invasions of privacy;
- new legislative provisions regarding the retention of personal information;
- amending the data breach notification period to 72 hours;
- introducing mandatory Privacy Impact Assessments, including for high risk activities;
- expanding each of the definitions of personal information and sensitive information;
- introducing further controls and individual rights regarding access, correction and erasure; and
- further regulation of direct marketing, targeting and trading in personal information.
It is also clear that the Government intends to take action to implement legislative reform in each of these areas over the course of 2024/2025 – no doubt to act on commitments made in their pre-2022 election promises, in the run-up to the 2025 election period.
Many will, however, no doubt express dissatisfaction with one proposal that the Government has not – as yet – agreed to, being the right for adults to opt out of targeted advertising; the Government has merely noted this proposal without any further comment.
We expect to see draft legislation amending the Privacy Act for the key ‘agreed proposals’ from the Attorney-General’s Office in late 2023/early 2024, as well as outcomes from further consultation presented to the Government in 2024. We will keep you updated as these reforms progress.