Privacy - Where are we now?
On 22 February 2018, the Notifiable Data Breaches Scheme commenced. Since that major reform there has been constant discussion about Australia's privacy laws with reports such as the Digital Platforms Inquiry Final Report released by the ACCC in June 2019.
Following the ACCC's report, the Federal Government started its long-awaited review of the Privacy Act 1988 (Cth) (Act) in 2020. The review, undertaken by the Attorney-General's office, sought to bring Australia's privacy laws into the digital era, strengthen privacy protections for individuals and streamline compliance for businesses working across international borders (Review).
This article looks at the state of play for the Act since the Review.
Why the fuss?
In 2020, the Office of the Australian Information Commissioner's (OAIC) survey titled 'Australian Community Attitudes to Privacy' revealed privacy is a major concern for 70% of Australians. Around 40% of respondents felt the privacy of their personal information is poorly protected, and 83% of responders indicated they would like the government to do more to protect the privacy of their data.
Those concerns have only increased since the high-profile 2022 Medibank and Optus data breaches. According to some reports, Australia ranks amongst the worst in the world for data breaches, with around 22 accounts hacked every minute.
2022 amendments to Australia's privacy law
While there has been much discussion about the Act since the Review commenced, the only significant changes so far were made in December 2022, when the federal government increased penalties and strengthened the enforcement powers of the OAIC under the Act. Those changes are summarised in the following table:
Maximum civil penalty for companies
The greater of:
Maximum civil penalty for individuals
* 'Adjusted turnover' means the sum of the value of all supplies made by the entity in connection with Australia. The 'breach turnover period' begins at the start of the month in which the offence or contravention occurred or began occurring and ends at the end of the month in which it ceased - subject to a minimum 'breach turnover period' of 12 months.
In addition to increased enforcement powers and penalties:
- Australian privacy law now applies to organisations doing business in Australia whether or not personal information is collected in Australia.
- The OAIC has a wider set of regulatory tools and information-gathering powers at its disposal.
- Information-sharing has been improved within the OAIC and among Australian and foreign regulators.
Overview of the 2023 Privacy Act Review Report ("Report")
While the 2022 changes have been the only significant changes since the Review commenced, on 16 February 2023 the Attorney-General released a much anticipated 320-page Report following the Review that put forward 116 proposals to reform and modernise the Act.
In summary, the Report:
- Is the product of the more than two-year Review of Australia's existing privacy laws.
- Contains 116 proposals with the aim of more closely aligning Australia's privacy regime with that of other jurisdictions, including the EU and its General Data Protection Regulation (GDPR).
- Contemplates 'whether the Act and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy'.
Impact of reforms proposed by the Report
The proposed reforms will have a wide reach, impacting most if not all aspects of the Australian economy and businesses that fall under the Act. We have summarised some of the proposed major changes.
The 116 proposals for amending the Act can be roughly split into three main groups:
- The scope of entities and kinds of information to which the Act applies.
- The protections provided by the Act.
- The regulation and enforcement of privacy breaches.
Key changes proposed in the Report include:
- Introducing the familiar GDPR concepts of 'controller' and 'processor' for APP (Australian Privacy Principles) entities.
- Expanding the definition of 'personal information' by having a non-exhaustive list and providing additional OAIC guidance concerning what types of information are captured under the revised definition.
- Expanding the definition of 'collection' to include information obtained from any source and by any means, including inferred or generated information.
- Ensuring 'sensitive information' will include 'genomic' information going forward.
- Removing the small business exemption (for organisations with an annual turnover of less than AU$3 million), following consultation on the best way for small businesses to meet their obligations, proportionate to the privacy risks they typically face.
- Requiring regulated APP entities to ensure all collections, uses or disclosures of personal information are fair and reasonable, while ensuring increased safeguards are in place for certain high-risk information handling activities, or that these are prohibited.
Other proposals include:
- Introducing a new 72-hour window for APP entities to report eligible data breaches to the OAIC, starting from when they become aware that there are reasonable grounds to believe an eligible data breach has occurred, congruent with the GDPR's requirements. The current requirement is to 'promptly' notify the affected individual and the OAIC.
- Bolstering individuals' rights concerning their personal information, including the right to request the erasure of their personal information.
- Requiring APP entities to improve the quality of their privacy collection notices and consents, including by stating data retention timeframes.
- Mandating privacy impact assessments for activities that attract high privacy risks.
- Introducing a right for individuals to apply directly to a court for relief for interferences with their privacy.
- Creating a statutory tort for serious invasions of privacy.
- Creating standard contractual clauses for use in relation to cross-border data transfers (similar to what is presently covered under the GDPR).
- Heightening the OAIC's regulatory powers.
What you can do now to stay compliant under the Act once reforms are implemented
Organisations were able to respond to the Report and the proposals put forward until 31 March 2023. The federal government will consider any proposals prior to preparing any draft legislation.
It is uncertain how many of the 116 proposals will be implemented. However, it is likely that a significant number will be adopted, which will require businesses to reconsider how they define personal information and to revisit the operation of their consents, policies and notification mechanisms for collecting, using and disclosing personal information. The changes are also likely to require technology changes to implement the reforms.
As this area is undergoing significant change, management, in-house legal and compliance teams need to stay alert to any incoming changes and determine how they may impact their business and operations.
In preparing for the inevitable changes, it is prudent for organisations to:
- Map their data footprint and consider the volume and types of data currently being held.
- Identify what security and protective data measures may need to be enhanced going forward.
- Consider whether any exemptions are currently being relied on under the Act and if they may be earmarked for change.
- Review their existing contracts.
- Determine their data breach responses and how eligible data breaches will be assessed, including whether these can be notified within the newly proposed 72-hour window.
Should you require any assistance with any privacy, data or cybersecurity related issues please get in touch.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.