Privacy and the protection of data is primarily regulated in Australia by the Privacy Act 1988 (Cth) (Privacy Act) and, more specifically, the 'Australian Privacy Principles' (APPs) in Schedule 1 of the Privacy Act.
As we have reported previously,[1] a number of high-profile privacy breaches affecting millions of people have been reported in the media, including the Optus, Medibank and Latitude Financial data and privacy breaches. These have increased awareness and brought a renewed focus on strengthening protections under the Privacy Act. Of note, substantially increased maximum penalties commenced in December 2022 under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth); for a serious or repeated breach of privacy by a body corporate, the maximum penalty has been increased to the greater of:
- $50 million
- three times the value of any benefit obtained through the contravention
- if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period'
In addition, several other amendments have been recently made to the Surveillance Devices Act 2004 (Cth), the Autonomous Sanctions Act 2011 (Cth) and the Online Safety Act 2021 (Cth) to regulate online content, grant enforcement agencies additional powers to identify and disrupt online criminal activity and impose targeted sanctions for, among other things, assisting or causing a 'significant cyber incident'.
Against this background, on 28 September 2023, the Federal Government issued its response[2] to the Attorney-General's Privacy Act Review Report of 2022,[3] which foreshadowed further significant amendments to the Privacy Act.
The Privacy Act Review Report made 116 recommendations designed to clarify and strengthen privacy laws in Australia, including an effort to bring the Australian laws more into line with the likes of the European GDPR.
The Government has indicated that it agrees with 38 recommendations, which are to be implemented by way of legislative amendment, and that it agrees with a further 68 'in principle'. A further 11 recommendations have simply been noted.
The Government has indicated that it is committed to introducing legislation in 2024. However, the Government's response paper indicates that further consultation is still required, including 'targeted consultation' on the recommendations the Government has agreed to, and further 'engagement with entities' on those recommendations that are agreed in principle 'to explore whether and how they could be implemented'. The prospective changes carry significant implications for all Australian businesses, including small businesses which are currently exempted from the Privacy Act.
It's clear that the landscape of privacy laws in Australia is complicated and affects many aspects of the economy differently. The Government needs to balance the interest of individuals with the interest of business, technological innovation and national security, to mention just a few.
What are the proposed changes at this time?
Broadly speaking, although the reforms seek to strengthen privacy laws and go some way towards aligning our laws with the likes of the GDPR, such as by introducing the concept of controllers and processors, they will stop short of an on-par approach and, indeed, it will be interesting to see whether Australia receives an adequacy decision under the GDPR. Nevertheless, the proposed reforms will considerably improve privacy law in Australia for those entities subject to the Act, by strengthening the protections afforded and improving the enforcement of its obligations. It is also important to recognise that each Australian state and territory has enacted its own legislation to regulate privacy and data protection by state-based public sector organisations, which are not otherwise subject to the provisions of the Privacy Act.
The recommendations that have been agreed and are likely to be implemented in the short term include:
- Power for the Information Commissioner to make industry-specific APP codes, and for the OAIC to make temporary APP codes with a maximum duration of 12 months.
- A requirement for businesses engaging in high privacy risk activities (including the use of biometric information and facial recognition technology) to undertake privacy impact assessments of the kind currently performed by Commonwealth departments.
- The OAIC to develop practice-specific guidance for new technologies and emerging privacy risks (e.g. use of biometric authentication, artificial intelligence, etc.).
- Relax consent requirements and broaden the scope of 'research' activities.
- Define a child as an individual under 18 years and introduce a Children's Online Privacy Code that is aligned with the UK Age Appropriate Design Code.
- The OAIC to provide guidance on how businesses should determine if an individual may be experiencing vulnerability or is at high risk of harm (including a non-exhaustive list of indicators) and also guidance on capacity and consent.
- For automated decision-making processes, a requirement for privacy policies to set out the types of information used in processes that will have a legal or similarly significant effect on an individual's rights. The Act is to contain an outline of high-level indicators of the types of decisions that have legal or similarly significant effects, and individuals are to be given the right to request information about how the automated decision-making processes work.
- The Act to state that reasonable steps to secure personal information include both technical and organisational measures, with the OAIC to provide guidance on what such steps could be on technical advice from the Australian Cyber Security Centre.
- The OAIC to provide guidance on what reasonable steps may be taken to destroy and de-identify personal information.
- Introduce a mechanism to prescribe countries that have similar privacy protections to Australia in respect of which transfer of information overseas requirements would be relaxed.
- Create tiers of civil penalty provisions based on seriousness of privacy offences and add clarification of what a 'serious' offence may include.
- Expand the enforcement powers under the Act, including permitting the Information Commissioner to undertake public inquiries, and giving the Federal Court and Family Court the power to make any order they see fit once a civil penalty provision regarding privacy has been triggered.
Recommendations that have been 'agreed in principle' for which the Government wants to undertake further consultation include:
- Inclusion in the legislation of a list of information which may be personal information and circumstances in which information will be regarded as 'reasonably identifiable'.
- Expressly include 'genomic' information in the definition of sensitive information.
- Expressly mandate a consent requirement for the collection, use and disclosure of geolocation tracking data.
- Removal of the small business exemption, such that all businesses will be subject to the APPs.
- Publishing by the OAIC of media privacy standards and a template media privacy standard that media organisations may adopt.
- The OAIC to develop standard templates and layouts for privacy policies and collection notices.
- Amend the definition of consent to provide that it must be 'voluntary, informed, current, specific and unambiguous', as well as expressly recognise the ability to withdraw consent.
- Require online privacy settings to reflect the privacy by default framework of the Privacy Act, with entities required to ensure that privacy settings are clear and easily accessible.
- An express requirement that the collection, use and disclosure of information be fair and reasonable in all the circumstances, including a prescribed list of matters to be taken into account in making that determination.
- A requirement that APP entities must conduct a privacy impact assessment (PIA) for activities with high privacy risks.
- A requirement that an APP entity must determine and record the purposes for which it will collect, use and disclose personal information at or before the time of collection.
- Expressly require APP entities to appoint a senior employee responsible for privacy within the entity.
- For information relating to or obtained from children, require APP entities to have regard to the best interests of the child as part of considering whether collection, use or disclosure is fair and reasonable in the circumstances.
- Introduce a right to erasure of information and to de-index certain online information, including sensitive information, information about children, and inaccurate information.
- Introduce exceptions to all rights of the individual for competing public interest, legal relations, and technical exceptions such as IT limitations and unreasonable, frivolous or vexatious requests.
- Mandatory notification to individuals about their privacy rights at the point of collection of any personal information.
- APP entities to be required to provide reasonable assistance to individuals in the exercise of their privacy rights.
- Require an express consent for trading in personal information and an unqualified right to opt out of use of information for marketing purposes.
- Prohibit direct marketing to a child unless it is in the child's best interests (e.g. guidance and rights information).
- Prohibit the targeting of individuals for marketing purposes based on sensitive information.
- Introduce concepts of APP entity controllers and APP entity processors, with processors to be brought under the Act even if not responsible for the collection of the data, until such time as the small business exemption is removed and all businesses become subject to the Act.
- The OAIC to provide standard contractual clauses for use by APP entities relating to transfer of personal information overseas and a general increase in notification and awareness obligations by APP entities towards customers in the disclosure of their information overseas.
- Investigate an industry funding model for the OAIC and the establishing of a contingency litigation fund for the OAIC.
- Amend the Act to allow for a direct right of action by individuals to apply to the courts for relief in relation to an interference with privacy, as well as the introduction of a statutory tort for a serious invasion of privacy.
- A requirement to notify a possible data breach to the OAIC within 72 hours of becoming aware or forming a suspicion.
- Establish a working group to harmonise privacy laws between Commonwealth, State and Territories.
What steps should be taken by business to prepare for the likely changes?
Whilst the reforms to the Privacy Act still have some time to go before being enacted, and the final wording and definitions of the reforms are not entirely clear, it would be prudent for businesses to give attention to the Government's intention to strengthen Australian privacy law.
Businesses should proactively take steps including the following:
- Understand your existing privacy policies and documentation – including your information collection touchpoints and the uses you are presently making of the information collected. Make sure your current privacy policy is up to date, accurately reflects your business requirements and complies with APP 1.
- Review current practices – consider what the risks and likely gaps may be in your data governance procedures and implement basic upgrades now where possible.
- Boost consent and privacy impact assessments – understand which instances of information collection and use in your business require consent, and consider improving your consent collection procedures. Also consider beginning now the process of undertaking privacy impact assessments (PIAs) for high risk activities.
- Budget for improved data protection systems and governance – if your current level of compliance is low, consider budgeting to increase your data protection governance framework, including cyber security, in the near future, as upcoming changes to the privacy laws will likely make certain standards fundamental.
- Consider the need for additional training across the organisation to create greater awareness of your data management and privacy policies.
- Update your data breach response plan and your responsibilities for notifiable data breach (NDB) reporting to the OAIC to assist in identifying, containing, assessing and responding to data breaches quickly, and to help mitigate potential harm to affected individuals and to comply with the NDB scheme.
Footnotes
[1] https://www.bennettphilp.com.au/blog/privacy-spotlight
[2] https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.pdf
[3] https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.