On 16 February 2023, the Australian Government released the report of the Attorney-General’s Department’s review of the Privacy Act 1988 (Privacy Act) (the Report). The Report follows two years of consultation and review considering whether the Privacy Act and its enforcement mechanisms are fit for purpose and adequately protect Australians in the digital age. The Report introduces 116 proposals for reform aimed at strengthening the protection of personal information and the control individuals have over their personal information. The Australian Government believes these reforms, drawn from both stakeholder feedback and external sources, will “support digital innovation and enhance Australia’s reputation as a trusted trading partner”. There are a number of proposals to bring Australia’s privacy laws more into line with Europe’s General Data Protection Regulation (GDPR), a comparatively stricter privacy regime.
Before any changes are brought into effect, the Report needs to go through public consultation, which is open until 31 March 2023. The release of legislative amendments and other new or updated regulatory guidelines and codes to implement the extensive list of proposals will follow afterwards. Those amendments, guidelines and codes will also go through their own process of review and consultation. Organisations will therefore have some time to assess the impact of the changes and to work out what will need to be done (and what resources will be required) to ensure they are prepared.
However, it is never too early to get started with preparations. The changes proposed are thorough and expansive and will have a significant impact on the way organisations collect, use and disclose personal information throughout the data life cycle. Putting in place the right business models, processes and measures now will minimise the need to unwind or correct any that are not effective when the changes do come into effect.
Organisations should at least ensure they are compliant with their obligations under the current form of the Privacy Act. This will provide at least a head start with preparations. Organisations that already have practices in place which are better than the requirements of the Privacy Act and are aligned to international standards will be even better placed and may need less effort to catch up.
Compliant organisations will also have the benefit of avoiding penalties for non-compliance which are now substantial, with organisations facing new penalties of up to AU$50 million; three times the value of the benefit obtained; or 30 percent of adjusted turnover in the relevant period for serious or repeated breaches. These new penalties are the result of urgent reforms pushed through by the Australian government late last year under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, as a reaction to certain high-profile cyber breaches.
For those who do not have the time to do a deep dive into the 300-plus page Report, we thought it would be helpful to do a brief roundup of some of the key changes proposed by the Report.
1. More expansive definition of personal information
The Privacy Act protects the personal information of Australians. The Report proposes to broaden the current definition of personal information, which is currently personal information “about” an identified individual or a reasonably identifiable individual, to personal information that “relates to” an individual. The purpose of this change is to make it clear that personal information extends to technical and inferred information, such as IP addresses, device identifiers, location data and other online identifiers. This change would bring the terminology and practice into line with the GDPR and other federal legislation. It is also intended that privacy protections will be extended to private employee records, which are currently not covered by the Privacy Act.
2. De-identified information to be protected
De-identified information currently sits outside the scope of the Privacy Act. The Report acknowledges there is a risk that de-identified information can be re-identified and that it should therefore be afforded some protection. For example, one proposal is that Australian Privacy Principle (APP) 11 should extend to de-identified information. This would require an APP entity to take reasonable steps to protect de-identified information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Further, it is proposed that re-identification of de-identified information collected in a de-identified state should be prohibited. These are significant changes to the current position, whereby an organisation has full discretion as to how it uses, manages and protects de-identified information.
3. Small business exemption to be overturned
There is currently an exemption in the Privacy Act which provides that entities with an annual turnover of $3 million or less do not need to comply with the Privacy Act. The plan is for the exemption to eventually be removed; however, the government first requires an impact analysis to be undertaken to determine how this change will impact small businesses and to ensure appropriate support is in place so that compliance is possible. For now, the collection of biometric information for use in facial recognition technology will not be an exception to the small business exemption. Small businesses will also be required to obtain consent to trade in personal information. Certain exemptions that apply to political parties and journalists will also be adjusted moving forward.
4. Privacy policies and collection notices to be more standardised
APP 5 requires the use of collection notices. A new requirement is proposed that collection notices be clear, up to date, concise and understandable. There is also some support for standardisation of privacy policies and collection notices through the provision of government templates.
5. Consent – clarification on requirements
Currently, consent is required for a limited range of collections, uses and disclosures of personal information. For example, consent is needed to collect sensitive information, and consent may also allow entities to use or disclose personal information for a secondary purpose, direct marketing and cross-border disclosures. There are no proposed changes to broaden the circumstances in which consent is required under the Privacy Act. It is, however, proposed that the requirements for consent be updated, to improve the quality of consents, so that consent must be voluntary, informed, current, specific and unambiguous. There is also support for the government providing template consents or guidance about the format and design of consent requests in an online context.
For consents involving cross-border disclosures, entities may be required to inform individuals that privacy protections may not apply to the information if they consent to the disclosure, and to specify the types of personal information that will be disclosed to recipients located overseas (neither of these is a current requirement).
6. Introduction of fair and reasonable test
There is also the proposed introduction of a new standard – that the collection, use and disclosure of personal information is to be fair and reasonable in the circumstances. This is to be an objective test and the Report covers the matters to be taken into account to determine what is fair and reasonable in the circumstances. It is proposed that this requirement will apply regardless of whether consent has been obtained.
7. Impact assessments for high risk activities
A high privacy risk activity is one that is likely to have a significant impact on the privacy of individuals. A new privacy impact assessment is proposed for activities with high privacy risks.
8. Accountability at the start of the data life cycle
At the time of collecting personal information, an organisation will be required to determine and record the purposes for which it will collect, use and disclose this information. Similarly, if the organisation wants to use or disclose the personal information for a secondary purpose, it must record that secondary purpose at or before the time of undertaking the secondary use.
In addition, organisations will be required to appoint or designate a senior employee responsible for privacy.
9. Children to have more protection
The Report considers the introduction of a children’s online privacy code. The code is expected to address how the best interests of a child can be supported in the design of online services. Other amendments to the Privacy Act are also considered. For example, there is a preference for the Privacy Act to codify the principle that valid consent must be given with capacity, and that collection notices and privacy policies need to be clear and understandable, in particular for any information addressed specifically to a child. There are also changes proposed regarding direct marketing to children. Direct marketing will be prohibited unless the personal information used for the marketing was collected directly from the child and the direct marketing is in the child’s best interests. Trading the personal information of children is prohibited. Targeting a child is also prohibited, except for targeting which is in the child’s best interests.
10. Stronger individual rights
Individuals currently have some control over, and transparency about, their personal information. This is through the use of collection notices, privacy policies and requirements for entities to implement practices to deal with complaints and inquiries and to provide some access and correction rights. Stakeholder feedback has demonstrated that individuals want stronger rights, similar to those under stronger frameworks overseas, such as the GDPR’s data subject rights, which include, for example, the right to be forgotten. Bolstered individual rights could see individuals granted: a right both to access and to receive an explanation about their personal information on request; a right to object to the collection, use or disclosure of personal information (and to receive a response to this objection with reasons); a right to erasure of any of their personal information; an extension of the existing right to correction to generally available publications; and a right to de-indexing of online search results containing personal information which is sensitive information, information about a child, excessively detailed, or inaccurate, out of date, incomplete, irrelevant or misleading. Some exceptions to these rights are proposed, taking into account competing public interests, relationships with legal character and certain technical exceptions. It is expected that individuals will be notified at the point of collection about their rights, how to obtain further information about their rights, and how to exercise them. Privacy policies will need to be clear on the rights available to individuals.
11. Targeting and direct marketing
Individual consent must be obtained before trading personal information. It is proposed that individuals will get an unqualified right to opt out of their personal information being used or disclosed for direct marketing purposes, similar to existing requirements under the Privacy Act. Organisations will still have the ability to collect personal information for direct marketing without consent, provided it is not sensitive information and the individual has the ability to opt out. Individuals will also have an unqualified right to opt out of receiving targeted advertising. Any targeting needs to be fair and reasonable in the circumstances, and targeting individuals based on sensitive information is prohibited, with an exception for “socially beneficial content”.
12. More guidance on reasonable security measures
APP 11 requires entities holding personal information to take such steps as are reasonable in the circumstances to protect the personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Report suggests more guidance is needed as to what constitutes reasonable steps. One suggestion is that the guidance could draw on technical advice from the Australian Cyber Security Centre. In addition, the Report suggests that baseline privacy outcomes be included and that these outcomes be informed by the Australian government’s 2023-2030 Australian Cyber Security Strategy.
13. More accountability with retention of personal information
Organisations will need to establish their own maximum and minimum retention periods for the personal information they hold, taking into account the type, sensitivity and purpose of that information and the other legal frameworks that apply to it. These retention periods will need to be periodically reviewed, and they will not detract from the organisation’s existing requirement to destroy or de-identify information that it no longer needs. Privacy policies will need to specify for how long an organisation will retain personal information.
14. Introduction of controllers and processors
The APPs currently apply to organisations that ‘hold’ personal information – this includes entities that control, or have possession of, a record of personal information. There is strong support for introducing the concepts of controllers and processors into the Privacy Act to help clarify the obligations and responsibilities of each and to make it clear which entity has primary responsibility for personal information. Pending removal of the small business exemption (to ensure small businesses would also need to comply), it is proposed to introduce a controller-processor distinction.
15. Overseas dataflows
Recent amendments to the Privacy Act change the extraterritorial provisions so that any business that conducts business in Australia falls within the scope of the Privacy Act. When these changes were made, the Senate committee required the Australian government to consider whether further amendment was required to ensure the change was appropriate. The intention is still to capture personal information that is connected with Australia. The Report provides that further consultation will be needed to determine whether additional criteria are needed to demonstrate an Australian link, focused on the personal information being connected to Australia. A new mechanism is also proposed which will allow certain countries to be prescribed as providing substantially similar protections. Similar to the GDPR, it is also suggested that standard contractual clauses be used when transferring personal information to countries that are not prescribed.
16. More enforcement options
The Australian government wants to create tiers of civil penalty provisions to also capture breaches that are less than “serious”. It is also proposed that clarity be given as to what can be considered a serious interference with privacy. There is also a proposal to give the Commissioner power to undertake public inquiries and reviews into certain matters with the approval or direction of the Attorney-General. Also, the Federal Court and the Federal Circuit and Family Court of Australia will be given more powers to make any orders they see fit once a contravention of a civil penalty provision relating to interference with privacy is established.
17. Direct right of action and new privacy tort by individuals
A direct right of action is proposed to be introduced to allow individuals to apply to the courts for relief in relation to an interference with privacy. Also, a tort for serious invasions of privacy is recommended.
18. More government cooperation
The Australian government wants improved reporting of information and sharing between appropriate entities. It would also like to see more consistency and cooperation between regulators regarding privacy and has suggested that a privacy guide may be needed. Also, for matters involving the handling of personal information, it is suggested that a Commonwealth, State and Territory working group be established to harmonise privacy laws, focusing on key issues.