An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition


In Australia, the key legislation governing privacy and data protection is the Privacy Act 1988 (Cth) (the Privacy Act). It regulates the handling of personal information by:

  1. private sector organisations (with some exceptions; for example, businesses with an annual turnover of less than A$3 million); and
  2. federal government agencies (most state and territory government agencies are instead governed under various state-based regimes).

The Privacy Act is also the key legislation governing cybersecurity. However, as cybercrime is increasingly seen as a growing threat to Australia's economy and national security, lawmakers are increasingly addressing cyber issues through stand-alone legislation[2] rather than by seeking amendments to the Privacy Act, which is principles-based and deals with cybersecurity only in relation to personal data (see Section IX).

There is no general charter of human rights in Australia, and as such there is no general recognition of privacy being a fundamental right under Australian law. However, some jurisdictions within Australia have enacted human rights legislation that recognises the protection of privacy as a human right.[3]

Privacy also receives some protection through developments to the common law, particularly developments in the law relating to confidential information.[4] To date, the Australian courts have not recognised a specific cause of action to protect privacy, although there has been judicial suggestion that such a development may be open under common law.[5]

The introduction of a statutory tort for invasions of privacy has long been the subject of debate. Opponents of such a development point to Australia's lack of a clear, balancing statutory right of freedom of expression. The introduction of a statutory tort for invasions of privacy was recently recommended by the competition regulator, the Australian Competition and Consumer Commission (ACCC), as part of its Digital Platforms Inquiry. The proposal is under consideration by the federal government as part of its current review of the Privacy Act.

A statutory privacy tort is only one of many sweeping privacy reforms proposed by the ACCC and under review by the federal government. In parallel, we are seeing a better funded and increasingly active privacy regulator (the Office of the Australian Information Commissioner (OAIC)), as well as a competition regulator (the ACCC) keen to weigh in on privacy matters in the competition and consumer context. Other regulators, such as the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA), are also increasingly focused on cybersecurity.

The year in review

Privacy and cybersecurity regulation in Australia is currently in a rapid state of development, which has seemingly accelerated over the past year.

In relation to privacy regulation, we have seen the following.

  1. The federal government's review of the Privacy Act (expected to result in a legislative overhaul).
  2. A number of significant enforcement actions by the OAIC (including by commencing proceedings against Facebook, seeking the imposition of pecuniary penalties for the first time).
  3. A continued interest in privacy and data handling issues by the competition and consumer regulator, the ACCC (including by successfully taking misleading conduct action against Google in relation to its collection of location data).

We have also continued to see Australian businesses grapple to navigate the extraterritorial operation of the EU's General Data Protection Regulation (but the focus of this chapter is Australian laws and regulations).

In relation to cybersecurity regulation, we have seen the following.

  1. The federal government's commitment of A$1.67 billion to uplift Australia's cybersecurity, including by strengthening Australia's cybersecurity regulatory regime. The proposals may include voluntary codes, a potential new director's duty and the broad expansion of the current critical infrastructure act.[6]
  2. The corporate and financial services regulator, ASIC, taking action alleging that cybersecurity issues gave rise to breaches of the Corporations Act 2001 (Cth) (an Australian first).
  3. APRA remaining focused on enforcing the comprehensive cybersecurity obligations placed on banks, insurers and superannuation entities under various prudential standards.
  4. A proposed expansion of the application of critical infrastructure legislation through the release of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

These developments are discussed in more detail throughout this chapter.


i Privacy developments

The coming year will be significant for privacy regulation in Australia. As mentioned throughout this chapter, the federal government is currently in the process of reviewing the Privacy Act. In late 2020, the government released the first issues paper for consultation, and industry is currently awaiting the release of a second issues paper.

The Attorney-General's review is likely to result in significant reform to the Privacy Act, with issues such as the removal of the small business and employee records exemptions being considered. Reforms are also likely to include significantly increased penalties and stronger enforcement powers for the OAIC, stricter requirements for when and how consent is obtained, an updated definition of 'personal information' to include technical data and online identifiers, and additional protections in relation to de-identified information. We expect that these changes could require entities to undergo technological change to comply.

ii Cybersecurity developments

The coming year will also be significant for cybersecurity regulation. At present, cybersecurity is largely governed by the general, principles-based security obligations in the Privacy Act. However, 2021 has seen the proposal of prescriptive, stand-alone cyber legislation as part of a broader strategy to strengthen the security of Australia's infrastructure.

Exposure drafts of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have been released. The proposal is to expand the application of the Security of Critical Infrastructure Act 2018 (Cth) to cover a far broader cross-section of the Australian economy. It is likely to affect entities operating in a number of sectors including communications, data storage and processing, financial services and markets, energy, transport and healthcare.

In addition, the Australian Labor Party has introduced a private member's ransomware bill (the Ransomware Payments Bill) to facilitate the sharing of de-identified information to assist the law enforcement response to ransomware attacks. The proposal is to require entities making ransomware payments to notify the Australian Cyber Security Centre as soon as practicable.

In summary, privacy and cybersecurity regulation in Australia is in a rapid state of development. Entities conducting business in Australia will need to pay close attention to these developments in the short to medium term.