On 12 December 2019, the Treasury, as part of its response to the Australian Competition and Consumer Commission (ACCC) Digital Platforms Inquiry final report (DPI Report), made commitments to improve consumer protection and rights under, and increase the penalties for breaches of, privacy laws.
The measures set out in the response to the DPI Report come on the back of, and tie in with, the Federal Government's announcement in March 2019 of its plans to reform the Privacy Act to increase maximum penalties, introduce new powers for the Office of the Australian Information Commissioner (OAIC), as well as increase funding to the OAIC.
The March 2019 Announcement
On 25 March 2019, the Government in a joint media release stated that
"Existing protections and penalties for misuse of Australians' personal information under the Privacy Act fall short of community expectations..."
and announced that it would take steps to enhance protections and penalties.
This included proposed amendments to the Privacy Act to:
- Increase penalties from the current maximum penalty of $2.1 million for serious or repeated breaches, to the greater of:
- $10 million;
- 3 x the value of any benefit obtained through the misuse of information; or
- 10% of a company's annual domestic turnover.
- Provide the OAIC with new powers to issue infringement notices for failures to cooperate with efforts to resolve minor breaches of the Act, with penalties of up to $63,000 for bodies corporate and $12,600 for individuals.
- Expand options available to the OAIC to investigate and respond to breaches, including through third-party reviews, the publication of notices about specific breaches and to ensure those directly affected are advised.
- Introduce a right for individuals to request their personal information stop being used or disclosed by social media and online platforms.
- Introduce rules to protect the personal information of children and other vulnerable groups.
It was also announced that the OAIC would receive an additional $25 million in funding over three years, which has already commenced.
The ACCC Digital Platforms Inquiry
On 26 July 2019, the ACCC released the DPI Report released, which contained 23 recommendations that go towards addressing the impact of digital platforms on consumer rights and competition in the media and advertising industries.
Of the 23 recommendations, the Government in its 12 December 2019 response supported 6 entirely, 10 in principle, noted 5 and rejected 2. The response also included a roadmap for the implementation of the undertakings to all be completed by 2021.
While many of the recommendations focus on the impact of digital platforms on the choice and quality of news and journalism, a few key recommendations will impact privacy rights and obligations more generally across all industries.
Increasing civil penalties
The Government in its response confirmed that it will look to increase penalties under the Privacy Act to match the penalties of the Australian Consumer Law. This is consistent with the Government announcement in March 2019 of the intention to increase penalties under the Privacy Act.
Broadening the personal information definition
The Government will also look at broadening the current definition of personal information under the Privacy Act to include technical data.
The parameters of what technical data encompasses will have to be examined when proposed legislation is released for consultation. However, it is most likely to include IP addresses and other forms of digital fingerprints. It will be interesting to assess how the inclusion of IP addresses will be implemented into the definition given their dynamic nature.
The amendment of the personal information definition is intended to create greater transparency between digital platforms, who use technical data for tracking and monitoring purposes, and consumers to ensure that such information is not being stored without consent.
Right of erasure
The Government will also look to introduce a right for consumers to request the erasure of their personal information from company databases. Once again, the mechanics will need to be assessed when proposed legislation containing the right is released. However, they may align closely with the 'right to be forgotten' that was introduced by Article 17 of the General Data Protection Regulation (GDPR).
Under Article 17 of the GDPR, individuals have a right to have their data erased on various grounds (which are subject to overriding exceptions around legitimate use of data), including if:
- the data is no longer necessary for the original purpose that the data was collected for;
- consent of the individual was originally relied upon to collect their data and they have since withdrawn their consent;
- the individual objects to data collected on legitimate interest grounds and there is no legitimate interest worthy of overriding the objection; and
- the data is being used for direct marketing and the individual objects.
Once implemented, the new right will hand greater control to consumers over the use of their data and will require digital platforms (and companies more generally) to have effective systems in place that can delete personal information of any individual throughout their network or systems on request.
Consumer cause of action
The Government has also agreed with the ACCC recommendation to introduce a statutory cause of action that will allow consumers to seek compensation for matters of interference with their privacy under the Privacy Act.
There is not presently a statutory right under Australian laws to facilitate the pursuit of privacy breaches, which can make it difficult for individuals to seek compensation for such breaches. The introduction of a statutory tort should give consumers greater control over their personal information, make it easier for them to seek redress for privacy breaches and make businesses more accountable for their data security and handling practices.
Steps in the Right Direction?
Australia is currently lagging behind many parts of the world in the regulation of information and data security and handling. The proposed reforms are intended to enhance business practices and give greater rights to consumers in a manner likely to be similar to those available in regulations of other countries.
The proposed reforms should also continue to push data handling and security and cyber risks onto the agendas of boards and directors, who are becoming wearier of cyber risks and privacy breaches, with a recent report finding 61% of the directors surveyed believed a cyber-attack would be the most damaging hit to their company's reputation.1
How the Government implements the proposed reforms will significantly impact their effectiveness. We look forward to reviewing the proposed legislation that are aimed to give effect to the proposed steps.
1 Liz Main, 'What keeps business leaders up at night' Australian Financial Review (Sydney) 16 December 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.