The future of privacy regulation

The Inquiry highlighted the shared objectives of Australia's competition and consumer regulator, the ACCC, and Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC). As the Privacy Commissioner noted in her presentation at the Law Council seminar, one very important shared objective is to secure better data protection outcomes for all Australians.

The intersection of the concerns of the two regulators with regard to this shared objective is very apparent in the area of digital platforms, and their handling of our personal data, which is under close scrutiny by both privacy and competition and consumer protection regulators around the world. The final report from the Inquiry made a number of recommendations in relation to privacy. The Privacy Commissioner sees these recommendations, particularly the recommendation for a broad review of Australia's privacy framework, as providing both a challenge and an opportunity.

This is a very important recommendation from the Inquiry, as a broad review of this framework is well overdue. The Privacy Act was first enacted in 1988. Australia, and the world, has changed significantly since that time, not least in relation to the amount of personal information that is generated and collected about individuals, particularly from their online interactions. Therefore it is the right time to ask whether the privacy framework we have adopted, known as a "notice and consent" model, where regulated entities provide information to individuals about what personal information they wish to collect and seek consent to do so, is the right model. Does this model put too much emphasis on individuals to protect their own rights, in a way that is not reflected in any other Australian consumer protection legislation? Can individual consent be truly free and informed in such cases – particularly if consumers generally have no option but to accept the privacy policy of digital platforms (and others) or not access products and services? As the Privacy Commissioner has said, these are the types of questions that we need to ask in such a review.

Another important issue that deserves close consideration is whether, as the Privacy Commissioner has noted, we should also say, as a society, that some data practices are simply "not ok". The establishment of so-called "no-go zones" in a reformed Privacy Act would go a long way to providing protection to individuals, by prohibiting particularly unfair or particularly egregious practices, irrespective of whether individuals consent to these.

A robust debate on these and other privacy issues will ensure that Australia is able to adopt a regulatory framework that appropriately protects Australians during the next decade and beyond.
