Australia: The Online Privacy Bill – What you need to know

The Australian Attorney-General ('AG') announced, on 25 October 2021, that the Australian Government ('the Government') is accepting submissions regarding the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 ('the Online Privacy Bill'). In particular, the AG highlighted that the Online Privacy Bill will enable the introduction of a binding online privacy code for social media and certain other online platforms, and will increase penalties and enforcement measures.

Background

In March 2019, the Government made a commitment to strengthen the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act') by introducing a binding code of practice for social media and other platforms that trade in personal information online and increasing penalties and enforcement measures. The Government confirmed that the commitment was made to ensure that existing protections and penalties for misuse of Australians' personal information are updated, and adequately reflect community beliefs and expectations. The exposure draft of the Online Privacy Bill gives effect to these reforms.

Regulation impact statement

The objectives of the Government's action are to deal with the specific challenges to privacy posed by online platforms in a targeted way that does not impose a regulatory impact on other industry sectors. In the regulation impact statement ('the Statement'), the Government stated that the Privacy Act must otherwise remain principles-based and technology neutral, to continue to encompass the different ways and purposes for handling personal information.

The Government has clarified that its action is needed to ensure the Privacy Act provides adequate protection for Australians using social media platforms, and other online platforms that collect a high volume of personal information or trade in personal information. In summary, the Government has explained in the Statement that the Privacy Act does not adequately address, among other things, the following main concerns:

  • terms and conditions and privacy policies are often complex, vague and lengthy and can understate the extent of data-handling practices;
  • consent is often given at a point in time, typically when signing up for a service. In many contexts informed consent is no longer seen by consumers as a meaningful concept. Even if they are uncomfortable with the content of a policy they may consent because that is the price of obtaining the service; and
  • the penalties and enforcement mechanisms available to the Commissioner are inadequate and do not meet community expectations.

The Act does not address the above concerns because it does not:

  • impose specific requirements about how notice must be provided and consent obtained;
  • require online platforms to respond to requests from individuals to cease further use and disclosure of their personal information;
  • provide stricter rules in relation to personal information of children and other vulnerable groups; and
  • contain penalties and enforcement mechanisms that enable the Commissioner to effectively resolve privacy complaints and investigations, and deter organisations from poor data-handling practices.

Exposure draft and explanatory paper – key proposals

Who will the Online Privacy Code apply to?

These are organisations that:

  • collect personal information about an individual in the course of or in connection with providing access to information, goods or services by use of an 'electronic service'; and
  • have over 2.5 million end-users in Australia in the past year, or if an organisation did not carry on business in the previous year, 2.5 million users in the current year.

The categories captured by the scope of the Online Privacy Code are:

  • providers of social media services;
  • data brokerage services; and
  • large online platforms.

According to the explanatory paper, the category of 'providers of social media services':

  • would cover:
    • networking platforms;
    • dating apps;
    • online content services;
    • online blogs or forums;
    • gaming platforms with multiplayer online games with chat functionalities; and
    • online messaging and videoconferencing platforms; and
  • would not cover services that enable online communications or content sharing as an additional feature, such as online feedback facilities, however neither the Bill nor the explanatory paper clarifies that online business interactions will be excluded, unlike under the recently adopted Online Safety Act 2021 (Cth).

The explanatory paper further explains that the category of 'providers of data brokerage services' is intended to capture organisations whose business model is based on trading personal information collected online, or information derived from such personal information.

Moreover, while the explanatory paper clarifies that the category of 'large online platforms' is intended to capture organisations that collect a high volume of personal information online, it is currently unclear how inactive accounts or end-users with multiple accounts will be counted to assess whether the 2.5 million end-user threshold is met.

Exclusions

The Online Privacy Code will not apply to particular kinds of acts and practices that are exempt under the Privacy Act. These exclusions match the existing exclusions that apply to APP codes and the general provisions of the Privacy Act itself. In particular, an organisation will not breach the Online Privacy Code only because of an act or practice done or engaged in:

  • under contract with an Australian Government agency (although the Privacy Act would still require agencies subject to the Act to include appropriate privacy protections in the contract); or
  • outside of Australia, in compliance with an applicable foreign law.

The Online Privacy Code will also not apply to Australian Government agencies because, as the explanatory paper clarifies, the Online Privacy Code deals with particular kinds of commercial activities that agencies are unlikely to undertake. Agencies subject to the Privacy Act are, however, already subject to heightened privacy obligations under the Privacy (Australian Government Agencies — Governance) APP Code 2017 ('APP Code').

In addition, the Online Privacy Bill expressly excludes customer loyalty schemes and services, which have the sole purpose of processing payments or providing access to a payment system. However, this could still capture online banking platforms which offer broader services.

What will be required under the Online Privacy Code?

Among other things, the key aspects of the requirements introduced by the Online Privacy Bill are as follows:

Protection of children and vulnerable groups

The Online Privacy Code will specify how consent may be obtained from these individuals (or their parents, guardians, or representatives). In addition, social media services will also need to:

  • take reasonable steps to verify the age of individuals who use the social media service;
  • ensure that the collection, use, or disclosure of a child's personal information is fair and reasonable in the circumstances, with the best interest of the child being the primary consideration for determining what is fair and reasonable; and
  • obtain the express consent of a parent or guardian before collecting, using, or disclosing personal information of a child under the age of 16.

Cease the use or disclosure of personal information upon request

The Online Privacy Code will also require applicable organisations to take reasonable steps to not use or disclose personal information, where an individual makes such a request. Whilst there are specific legislated exceptions to this requirement (e.g. where required by law), these are narrow and it will be left to either the Online Privacy Code itself, or organisations, to determine when it is not reasonable to action an individual's request. Companies would, however, be allowed to charge a 'non-excessive' fee for fulfilment of these requests. This is intended to build upon the existing rights under Australian Privacy Principles ('APPs') 12 and 13 for individuals to request access to, and correction of, their personal information, without amounting to a 'right of erasure'.

Enforcement and penalties

A breach of the Online Privacy Code would be treated as an interference with the privacy of an individual, which exposes organisations to whom the Online Privacy Code applies to strengthened penalties of up to the greater of:

  • AUD 10 million (approx. €6.3 million);
  • three times the value of that benefit if determinable; or
  • 10% of the relevant yearly turnover.

In addition, for individuals to whom the Online Privacy Code applies, the maximum penalty for such interference will increase to more than AUD 500,000 (approx. €312,500). Included in the proposals is that the Privacy Commissioner ('the Commissioner') could issue infringement notices for failing to provide relevant information to an investigation, for which the maximum penalty for non-compliance will be AUD 2,644 (approx. €1,650) for individuals or AUD 13,320 (approx. €8,320) for companies.

Other enforcement powers of the Commissioner will also be strengthened. These include, among other things, expanding the types of declarations that the Commissioner can make, new infringement penalty notices for failing to give information as part of an investigation and enhancing the Commissioner's information-sharing arrangements with relevant enforcement authorities.

How will the OP Code work alongside the existing regimes?

The Government has indicated that:

  • if an organisation is subject to both the Online Privacy Code and an APP Code, the Online Privacy Code will prevail to the extent of any inconsistency; and
  • if an organisation is subject to both the Online Privacy Code and the Consumer Data Right ('CDR') regime under the Competition and Consumer Act 2010 (Cth), the CDR rules will prevail to the extent of inconsistency between the two regimes.

Next steps

Finally, the Government invited submissions on the Exposure Draft of the Online Privacy Bill and consultation Regulation Impact Statement which closed on 6 December 2021. The Government now intends to prepare a final draft version of the Online Privacy Bill to present before the Australian Parliament.

Chanelle Nazareth Privacy Analyst