The Australian Government is currently conducting a comprehensive review of the Privacy Act 1988 (Cth) (Privacy Act). This Privacy Awareness Week we take a quick look at some of the possible reforms that may be made as a result of this review, and the potential influence of approaches taken in privacy regulation in other jurisdictions.
Privacy Act Review
In December 2019, in response to the Final Report from the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry, the Australian Government announced that it would review the Privacy Act with the stated aim of ensuring privacy settings empower consumers, protect their data and best serve the economy.
The Terms of Reference for the Privacy Act review, together with an Issues Paper, were released by the Attorney-General's Department in October 2020. The Issues Paper provides an indication as to what reforms we may see as a result of the review.
Submissions on the Issues Paper were due in late 2020. The next stage of the review will be the release of a discussion paper, which is due in the coming months. It is hoped draft legislation will be released at the same time as that discussion paper. This timing means it is likely that we will not see reforms to the Privacy Act take effect until later in 2021 or potentially even early 2022.
Retention of the “notice and consent” model?
The “notice and consent” model which underlies the Privacy Act is one of the key areas that is likely to be considered in this review. This model reflects that individuals have responsibility to make their own decisions about what personal information is collected about them. Notice is required to be given under the Privacy Act to individuals when personal information is collected about them, so the individual may make an informed decision as to whether to provide that personal information. In some cases, express consent is also required under the Privacy Act, for example, for the collection of sensitive information.
The ACCC in its Final Report from the Digital Platforms Inquiry had suggested that this model should be strengthened in a number of respects and this is a theme that was considered in the Issues Paper.
For example, the ACCC had recommended changes to the Privacy Act to require that notices about the collection of personal information must be concise, intelligible, in an easily accessible form and prepared using clear and plain language. This reflects the notice requirements under Europe's General Data Protection Regulation (GDPR). The introduction of standardised icons and phrases to be used in notices is another reform highlighted in the Issues Paper that we are perhaps likely to see. This again was recommended by the ACCC in the Final Report from the Digital Platforms Inquiry, and also has the support of the Office of the Australian Information Commissioner.
More controversially the ACCC had recommended that the Privacy Act should be amended so that consent is required to be obtained whenever personal information is collected, used or disclosed by an entity regulated under the Privacy Act subject only to very limited exceptions such as where the personal information is required for the performance of a contract to which the relevant individual is a party, is required under law or is otherwise necessary for an overriding public policy reason. Although this would again bring Australia's privacy regulation closer to the GDPR, this does not have universal support. Many stakeholders argue that this imposes too high a regulatory burden with limited benefits for individuals. Instead, it is argued, it should remain the case that individuals should only be asked to provide consent where the proposed collection or use of personal information is “out of the ordinary” or would have significant consequences for the individual. This would limit so called “consent fatigue” for individuals, meaning it would be more likely that they would give appropriate consideration as to whether or not to provide consent in the limited circumstances where it was sought.
The Issues Paper also raised whether a reformed Privacy Act should move away from the notice and consent model. The paper refers to the approach in Canada. While the Canadian legislation is actually undergoing its own reform process and is still predominantly notice and consent based, it does have a concept of “no go” zones. This means that there are certain personal information collection and use practices that are not permitted at all because they are contrary to the interests of individuals or the public interest in general. This would be an interesting concept to explore. This may be an effective way to reduce the regulatory burden on regulated entities while at the same time protecting consumers by ensuring that at least in some circumstances there are protections within the Privacy Act itself.
US Privacy Law
Whilst there has been no indication that the Australian Government will look to the United States to inform the outcomes of the Privacy Act review, it is interesting to also look at legislative changes in the area of privacy being proposed there in the context of Australia's reform proposals.
Although there are various United States federal privacy statutes dealing with specific topics, such as the Children's Online Privacy Protection Act, the United States does not have an overarching federal privacy law which has the same general level of coverage as the Australian Privacy Act. As a consequence, the Federal Trade Commission, which is the federal agency charged with enforcing antitrust and consumer protection law, has often pursued misleading and deceptive conduct claims against organisations that have failed to adequately protect consumers' personal information as a means of protecting the privacy rights of US citizens. Many US States, led by California, have however implemented State based privacy legislation, given the absence of a generally applicable federal law, as a means of providing specific privacy protections. That US State legislation typically reflects the GDPR.
In more recent times, Congress appears also to be more interested in pursuing federal legislation addressing broad privacy protections. For example, on 29 April 2021, a US Senator introduced a Senate Bill for a Consumer Data Privacy and Security Act. This Senate Bill proposes a unified Federal privacy framework which establishes clear standards and regulations regarding the collection, processing and use of consumers' personally identifiable data. Nonetheless, given the differing approaches of the Democratic and Republican parties to privacy laws, it may still be some time before federal legislation is adopted there.
What happens next?
At a point in time when privacy is increasingly a major concern for individuals, and the environment in which personal information is collected and shared is more complex than ever, it will be interesting to observe the different privacy law approaches that are being adopted by governments around the world, and here at home in Australia.
Whilst it is not currently known exactly what the reforms to the Privacy Act will look like, given the Australian Government's stated objectives for the review, it is hoped that the reforms will strike the right balance between empowering and protecting consumers, while at the same time ensuring that economic growth is facilitated.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.