The privacy landscape in Australia is rapidly changing as the Government tries to respond to changes in technology and developments in the privacy policies and practices of other countries in the developed world.
While most of the attention has been devoted to reviewing the changes contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which takes effect on 12 March 2014, there are a number of other areas that are likely to see changes in the near future.
This article discusses some of the areas in which development is already underway and where we are most likely to see changes in the near future.
At the time of writing, the OAIC has released two tranches of draft APP Guidelines for consultation. A table of the issues covered by the draft guidance is set out at the end of this article.
As there is less than six months to go before the APPs take effect, we expect the OAIC will soon release the remainder of its draft guidance and move very quickly to finalise it in time for the commencement of the new provisions.
In the meantime, the OAIC continues to release guidance on other aspects of privacy that may have implications for entities. For example, the OAIC recently released guidelines for Code Development and External Dispute Resolution Scheme Recognition, which are concepts relevant under the Privacy Act after March 2014. This means entities will need to continually monitor and adapt their privacy policies and procedures in line with the guidance as it is released.
Mandatory Breach Notification Bill
On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill), which would create a mandatory notification scheme for serious data breaches, was introduced into Parliament.
The Bill followed on from the Australian Government's discussion paper, Australian Privacy Breach Notification, released on 17 October 2012 (see our article "Privacy breaches: mandatory notification a step closer"). The discussion paper followed the Office of the Australian Information Commissioner's (OAIC) publication, Data Breach Notifications: A Guide to Handling Personal Information Security Breaches (see our article, "Privacy: the sands continue shifting").
The Bill sets out:
- the requirement on agencies to notify individuals when there has been a serious data breach
- the notification requirements, and
- that a failure to comply with the mandatory notification obligations is deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act, enlivening the enhanced powers of the Privacy Commissioner to investigate and pursue remedies, including civil penalties.
The new Commonwealth Government may restart the process to introduce the mandatory scheme, particularly as the Senate Committee report recommended the Bill be passed. However, comments by the Coalition Senators on the Committee about the timeframe of the Bill, and concerns about "regulatory overload" in the industry, suggest that more time may be granted for consultation and implementation of the reforms.
Statutory cause of action for serious invasion of privacy
Following a number of high profile privacy breaches, in particular the September 2011 News International phone hacking scandal, the Government released an issues paper "A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy". The paper explored some of the key issues raised by the Australian Law Reform Commission's 2008 recommendation that there be a statutory cause of action for serious invasions of privacy.
Some of the key issues that need to be considered in deciding whether a statutory cause of action should be introduced are also explored in the issues paper. These include: whether there is a need for it; what is the appropriate test; what defences should be available; should there be exemptions; and how should damages be calculated? For a detailed summary of the main recommendations of the committee report see our article "Suing for invasion of privacy: the Government releases its Issues Paper."
On 12 June 2013, the former Attorney-General referred the issue to the Australian Law Reform Commission for inquiry and report by June 2014. The ALRC released an issues paper on 8 October 2013, beginning its consultation process for the inquiry.
This issue is complex and divisive. While we expect that the Government will move carefully in this area, if there is a high-profile scandal involving breach by an Australian entity (such as evidence of widespread phone hacking), then there is likely to be public pressure for the Government to act quickly to introduce a statutory cause of action. Fortunately, to date, there is no evidence that this has occurred in Australia.
Next stage response to the ALRC Report
The March 2014 amendments to the Privacy Act reflect the first stage of the Government's response to the 2008 Australian Law Reform Commission (ALRC) report, For Your Information: Australian Privacy Law and Practice (which made 295 recommendations for change).
The previous Government stated that the remaining 98 recommendations of the ALRC report would be considered after the progression of the first stage reforms. Assuming the new Government continues to implement the recommendations of the report, we expect to see further consultation undertaken for the remaining recommendations. The mandatory breach notification and statutory cause of action for serious breach of privacy are two of the key issues set out in the remaining recommendations.
While it is acknowledged that keeping pace with technological and privacy developments means that the privacy landscape is likely to continue changing, it is hoped that the new Government will balance the need for changes with the need to provide all stakeholders with the opportunity for appropriate consultation and consideration of any proposed amendments.
In the meantime, agencies will need to keep on top of developments in the area, particularly the OAIC's final APP guidance, which is expected in the coming months, and ensure that the guidance is reflected in their practices and procedures under the APPs by 12 March 2014.