The Australian Government has announced two significant proposed privacy reforms in recent weeks.
The first is the release of an exposure draft of a new Online Privacy Bill (the Bill), which would enable the creation of binding online privacy codes for social media and other online platforms, and would significantly increase penalties and enforcement measures for all organisations found in breach of the Privacy Act 1988 (Cth) (“Privacy Act”).
The second is the release of an extensive Discussion Paper by the Attorney-General’s Department as part of its ongoing review into the Privacy Act, which follows a high level Issues Paper published in October 2020.
The Discussion Paper proposes a number of significant reforms to the Privacy Act, many of which draw on overseas regimes such as the European General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). Amending legislation is yet to be released, but if the proposed changes are enacted they would represent a significant reshaping of privacy law in Australia.
Exposure draft of the Online Privacy Bill
Despite the Bill’s name, and its primary focus on online platforms, it has significant ramifications for any organisation bound by the Privacy Act. As foreshadowed by the Australian government in March 2019, the Bill increases the maximum penalty for corporations that engage in a serious or repeated interference with privacy to the greater of:
- AU$10 million;
- three times the benefit of the misconduct; and
- 10% of the organisation’s turnover in the 12-month period leading up to the conduct.
The Bill also introduces:
- new information-gathering powers for the Office of the Australian Information Commissioner (“OAIC”), together with an infringement notice mechanism for non-compliance; and
- new declarations that the OAIC can make when issuing a privacy determination, including requiring the respondent to prepare and publish a statement about its conduct, and requiring the respondent to be audited by a qualified independent adviser.
The Bill also provides the framework to deliver on the government’s promise to introduce specific privacy rules for online platforms.
While the Privacy Act already has a mechanism for sector-specific privacy codes to be developed, a new set of provisions allows the Commissioner (or an industry group) to develop an “online privacy (OP) code” for “OP organisations”. An OP code can cover a range of matters and impose additional obligations that go beyond what a general privacy code could have covered under the existing provisions, including:
- granular requirements in relation to obtaining consent from individuals;
- giving individuals the right to object to the further use or disclosure of their personal information; and
- mandating age verification, to ensure that those giving consent are either 16 years or older or are the individual’s parent or guardian.
Organisations subject to an OP code will be:
- social media services;
- data brokerage services;
- large online platforms (which have at least 2.5 million end users in Australia); and
- any other organisations prescribed by law.
Discussion Paper for further privacy law reforms
While the Issues Paper released in October 2020 posed a number of questions about the future direction of privacy law, the Discussion Paper refines those themes into a series of proposed amendments, a number of which would require substantive changes to organisations’ personal information handling practices and to their assessment of compliance risk. Many of the proposed changes are based on requirements or concepts found in comparable overseas regimes, such as the European GDPR and the Californian CCPA.
Some of the key highlights include:
1. Definition of personal information
The definition of personal information determines the scope of an organisation’s privacy obligations in Australia. The Discussion Paper proposes to broaden both the concept of ‘personal information’ and the concept of ‘collection’, so that the law applies to all information that relates to a person (not just information “about” a person) and extends to personal information that is inferred or generated by an organisation.
2. Privacy policies
The Discussion Paper proposes that privacy policies would be required to:
- address the use of personal information to influence an individual’s behaviour and decisions and/or in automated decision-making;
- identify third parties involved in the provision of online marketing materials; and
- specifically identify the types of personal information that may be disclosed to recipients outside Australia.
This will mean substantial changes to existing privacy policies.
3. Collection notices
In Australia, there is inconsistent compliance with the requirement to provide personal information collection notices to individuals. The Discussion Paper includes a raft of recommendations aimed at increasing the prominence and usefulness of such notices, including that:
- notices must be clear, current and understandable;
- notices must expressly address any indirect collection of personal information (that is, collection other than from the individual), including the entity from which it was collected;
- the circumstances in which an organisation is excused from giving a collection notice should be significantly narrowed (meaning we can expect a proliferation of these notices in future); and
- notices must expressly identify the primary purpose of collection, including where that purpose is to influence an individual’s behaviour and decisions.
These changes represent a desire to provide greater transparency, and may foreshadow increased regulatory attention on organisations’ compliance with collection notice obligations.
4. Consent
The Discussion Paper recommends incorporating the OAIC’s definition of consent into the Privacy Act. Consent would therefore need to be voluntary, informed, current and specific, and to be given by an unambiguous indication through clear action. Interestingly, there is no recommendation that consent be ‘freely given’ (as was recommended in the Digital Platforms Inquiry report), apparently because the Attorney-General’s Department considers that requirement “equivalent” to the requirement that consent be voluntary.
The Discussion Paper also proposes to incorporate the OAIC’s guidance that individuals can generally give consent on their own behalf from when they are 16 years old, and otherwise consent is required to be given by a child’s parent or guardian.
5. Collection, use and disclosure
The Discussion Paper proposes a number of changes which will narrow the bases on which organisations are permitted to collect, use and disclose personal information. These include:
- introducing a new overarching ‘fair and reasonable’ requirement for any collection, use and disclosure of personal information (with factors to be set out in the legislation);
- defining the ‘primary purpose’ for collection as the purpose which is notified to the individual;
- requiring a privacy impact assessment to be undertaken in relation to prescribed practices, such as large scale processing of personal information;
- for certain sectors, requiring organisations to offer pro-privacy settings by default;
- requiring organisations that collect personal information indirectly through another party to verify that personal information was originally collected by that other party lawfully; and
- requiring organisations to keep records of the secondary purposes for which they use and disclose personal information (for the purpose of demonstrating compliance with Australian Privacy Principle (APP) 6).
6. Right to object and portability
Interestingly, the Discussion Paper did not propose to introduce a general right of data portability under the Privacy Act. Australia has taken a sectoral approach to data portability through the Consumer Data Right, which currently applies to the banking sector, and will expand to other sectors over time. The paper notes that introducing a right of personal information portability under the Privacy Act may duplicate aspects of the Consumer Data Right, and create unnecessary complexity.
7. Limited rights of erasure
The Privacy Act does not currently give individuals a right to request erasure of their personal information, as exists under some overseas laws such as the GDPR and the CCPA. There are, however, some limited erasure rights in Australia under the Consumer Data Right framework and the My Health Record system.
The Discussion Paper proposes to introduce a limited right of erasure into the Privacy Act, which would enable individuals to request their personal information be erased in the following circumstances:
- the information must be destroyed or de-identified under APP 11.2;
- the information is sensitive information as defined in the Privacy Act;
- the individual has successfully objected to the handling of their personal information through the proposed right to object discussed above;
- the personal information has been collected, used or disclosed unlawfully;
- the organisation holding the information is required by Australian law or a court or tribunal order to destroy the information; or
- the information relates to a child and the request is made by the child, their parent, or an authorised guardian.
This right would be subject to certain exceptions, such as where the information is required to complete a transaction or to perform a contract with the individual, where deletion would be technically impractical or impossible, or where there is a public interest in retaining the information (among other proposed exceptions).
8. Right to request source of collection
The paper suggests expanding the existing access rights under the Privacy Act to enable individuals to request, and to require organisations to provide, the source of any personal information about the individual that has been collected by the organisation indirectly through a third party – unless this is impossible or would involve disproportionate effort.
9. Information security
The Privacy Act currently requires organisations that hold personal information to take such steps as are reasonable in the circumstances to protect that information from misuse, interference and loss and from unauthorised access, modification or disclosure.
The Discussion Paper suggests clarifying that ‘reasonable steps’ includes both technical and organisational measures. It also suggests including a list of factors to be considered when determining what reasonable steps are required, such as:
- the nature of the organisation;
- the amount or sensitivity of the personal information held;
- the possible consequences for an individual in the case of a breach; and
- the relative complexity involved in implementing a security measure against the net benefits that measure may provide.
The paper also proposes strengthening the information destruction requirements under the Privacy Act, by requiring organisations to take all reasonable steps to destroy or anonymise personal information when it is no longer needed or required (as opposed to taking such steps as are reasonable in the circumstances).
The OAIC is, in any event, currently undertaking a review of its Guide to Protecting Personal Information.
10. Overseas data flows and standard contractual clauses
The Privacy Act requires organisations that disclose personal information overseas to take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to the information.
An exception to this requirement is where the organisation reasonably believes the overseas recipient is subject to a law or binding scheme that, overall, is at least substantially similar to the Australian Privacy Principles, and there are mechanisms that an individual can access to take action to enforce those protections.
The Discussion Paper suggests introducing a mechanism to prescribe countries and certification schemes that will satisfy this exception. This would provide greater certainty to organisations when disclosing information to prescribed countries, and would operate like the ‘adequacy’ system under the GDPR.
In addition, the paper also proposes the introduction of ‘standard contractual clauses’ for transfers to overseas countries that are not prescribed, similar to the mechanism under the GDPR. These standard clauses would stipulate how an overseas recipient is expected to handle personal information, and would reduce the regulatory burden on organisations to negotiate appropriate data protection clauses when contracting with overseas entities. Like the GDPR standard contractual clauses, they may also give individuals a direct right to enforce compliance with, or claim damages for non-compliance with, those clauses.
11. Investigative and enforcement powers
The Discussion Paper proposes a range of new investigative and enforcement powers for the OAIC, in particular:
- the introduction of two new civil penalty provisions, to complement the existing civil penalty provision for serious or repeated interferences with privacy. The new civil penalty provisions would be:
- a mid-tier civil penalty provision for any interference with privacy, with a lesser maximum penalty than for a serious or repeated interference with privacy; and
- a series of new low-level and clearly defined breaches of certain Australian Privacy Principles, with an attached infringement notice regime enabling the OAIC to issue infringement notices without initiating court proceedings;
- enhanced investigative powers similar to those exercisable by law enforcement, such as the power to search premises for evidential material, to make copies of information and documents specified in a warrant, and to seize evidential material to prevent the destruction of evidence;
- the introduction of a new power for the OAIC to undertake public inquiries and reviews into specified matters; and
- enhanced powers to make determinations requiring an organisation to identify, mitigate, and redress actual or reasonably foreseeable loss.
12. Industry funding arrangement for the OAIC
Under the proposed arrangement, all organisations that receive the benefit of the OAIC’s services would pay a cost recovery levy to help fund the OAIC’s provision of guidance, advice and assessments.
A narrower group of entities which operate in a high privacy risk environment (such as social media platforms and organisations that trade in personal information) could also contribute a statutory levy to support the OAIC’s management of public inquiries and investigation into their acts or practices.
13. Direct right of action and statutory tort
Currently, there is no direct right of action under the Privacy Act enabling individuals to initiate court proceedings for breaches of the Act. The Discussion Paper proposes to allow individuals, or groups of individuals, whose privacy has been interfered with to commence proceedings in the Federal Court or Federal Circuit Court.
Claimants would first need to make a complaint to the OAIC (or the proposed new Federal Privacy Ombudsman) and have that complaint assessed for conciliation before commencing action in court. Complainants would also need the leave of the court to make an application.
In addition to this statutory right, the paper also considers the introduction of a new tort for invasions of privacy. Four options are considered:
- a statutory tort for invasion of privacy with two limbs – intrusion upon seclusion and misuse of private information;
- a minimalist statutory tort that recognises the existence of the cause of action but leaves the scope and application of the tort to be developed by the courts;
- do not introduce a statutory tort, but extend the application of the Privacy Act to individuals in a non-business capacity for collection, use, or disclosure of personal information which would be highly offensive to an objective reasonable person; and
- legislating that damages for emotional distress are available for equitable breaches of confidence.
14. Controller and processor distinction
Although no specific proposal is put forward, the Discussion Paper raises the question of whether the Privacy Act should introduce a distinction between ‘controllers’ (entities that determine the purpose and means of processing) and ‘processors’ (entities that process personal information on the instructions of a controller). The controller/processor distinction is recognised in many overseas privacy laws, such as the GDPR.
15. Exemptions
The Discussion Paper also considers whether there is a need to modify or remove the exemptions currently in the Privacy Act for employee records, registered political parties and journalism, in light of the other changes proposed in the paper. However, no specific proposal regarding these exemptions has been put forward at this stage.
What happens next?
Submissions on the exposure draft of the Online Privacy Bill are due by 3 December 2021, after which time the Bill will be updated and introduced to Parliament.
If passed, the enforcement and penalty changes would take effect immediately on the Act receiving Royal Assent. The online privacy code provisions would take effect on a date fixed by proclamation, within 12 months of Royal Assent.
Submissions on the Discussion Paper for the Privacy Act review can be made to the Attorney-General’s Department until 10 January 2022. The Discussion Paper contemplates that there will be a further Final Report following the public consultation process, which will be considered by the Australian government. The government will then consider what reforms, if any, it wishes to make to the Privacy Act following its review of the Final Report.