Australia: Protection of Australians in the digital age - an overview of AG's Privacy Act report
The Australian Attorney-General's Department released the Privacy Act Review Final Report[1] ('the Report') on 16 February 2023. The Report is a comprehensive review of the Privacy Act 1988 (Cth) ('the Privacy Act') and contains 116 recommendations for reforms to protect Australians in the digital age. Katherine Sainty, Ottilia Thomson, and Julia Colubriale, from Sainty Law, discuss the Report and its key recommendations.
The Report provides important insights into the future direction of the Privacy Act and represents a significant shift towards robust privacy protections and greater accountability for organisations that handle personal information.
It is expected that these recommendations will lead to reforms that change the way businesses and organisations handle privacy. This article highlights the key recommendations that businesses should become familiar with to prepare for the anticipated change.
How did we get here?
In 2019, the Australian Competition and Consumer Commission's Digital Platforms Inquiry[2] found that the Privacy Act needed to be bolstered to adequately protect and empower consumers. This acted as the catalyst for the two-year review and consultation process that resulted in the Report.
During this time, the Australian Government also passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which significantly increased penalties for serious and repeated privacy breaches and gave the Office of the Australian Information Commissioner ('OAIC') greater powers to resolve breaches[3].
Purpose of the Review
The Privacy Act is Australia's key piece of legislation for regulating how organisations handle individuals' personal information. The recommendations aim to modernise the existing data privacy framework to keep pace with technology and strengthen protections for individuals. To achieve this, the Report focuses on whether the Privacy Act, and its enforcement mechanisms, are still fit for purpose in the current and future online environments in which Australians interact.
The key recommendations that organisations should be aware of are:
Broadening the Privacy Act's scope: expanding the definition of personal information (Proposal 4)
The Report recommends that the definition of 'personal information' be broadened. The current definition of 'personal information' has been a contentious issue when tested against new forms of digital data being collected about an individual, as seen in the OAIC's 2017 case against a telecommunications provider. The new definition would be strengthened, and would avoid confusion, by expressly including key digital data, including metadata, within the definition of personal information. This would specifically include data points such as geolocation, inferred and technical information, and online identifiers.
By expanding the definition, information that was previously not regarded as personal information (according to the definition in the Privacy Act) would now be protected. This would include information that is generated from information about a person that a business already holds.
Businesses will need to understand whether their business practices extend to these types of data and implement the right privacy practices to protect these kinds of personal information.
The recommendation will bring the definition of personal information closer in line with the definition of 'personal data' used by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Clarifying the definition of consent (Proposal 11)
The Privacy Act currently defines 'consent' as express or implied consent. This definition does not require a clear affirmative act on the part of the individual to consent to the collection of their information. The Report recommends defining consent in line with the Australian Privacy Principles Guidelines[4].
This would make it clear that consent from an individual can be implied or express so long as it is voluntary, informed, current, specific, and unambiguous. The Report also wants individuals to have an easily accessible mechanism to retract consent.
Record-keeping (Proposal 15)
The Report recommends that businesses must keep clear records of the purposes (primary and secondary) for which they collect and handle information. This must be done before or at the time of the collection.
There is currently a general accountability principle within the Australian Privacy Principles ('APP') (APP 1) and embedded throughout the Privacy Act; however, the new record-keeping proposal would create clear parameters for how the obligations within the Privacy Act translate into privacy management processes for business.
Direct and targeted marketing (Proposal 20)
The Report proposes prohibiting the use of personal information (including sensitive information, de-identified information, and unidentified information) for targeted marketing (including on social media feeds) and direct advertising (including contact through email).
This would increase transparency by requiring businesses to clearly disclose to individuals the algorithms and profiling they use to recommend content to individuals. We expect to see this transparency reflected in changes to privacy policies and collection statements.
Small business exemption (Proposal 6)
The Report recommends removing the small business exemption, which means that businesses with an annual turnover of AUD 3 million (approx. €1.8 million) or less will have to comply with the Privacy Act. The current consultation process will determine what represents a proportionate response for these businesses.
Employee records exemption (Proposal 7)
The Report has recommended either varying or removing the employee records exemption from applying to personal records of employees in the private sector. Currently, the personal information of private sector employees is exempt from the Privacy Act's protections. The aim of the variation or removal would be to improve employer information handling practices and to safeguard an employee's personal information from misuse, loss, or unauthorised access. The Report proposes that the OAIC should now be notified where data breaches involve employee personal information and there is a likely risk of serious harm.
Tighter scheme: Notifiable data breaches (Proposal 28)
Currently, a business should generally undertake an assessment of a data breach in a reasonable time and notify the OAIC within 30 days.
The Report recommends a much shorter 72-hour deadline for reporting eligible data breaches to the OAIC and for setting out the steps taken, or intended to be taken, in response.
This requirement to notify applies from when a business becomes aware that there are reasonable grounds to believe there has been an eligible data breach and affected individuals must be notified 'as soon as practicable'.
Privacy Impact Assessments (Proposal 13)
The Report recommends that businesses wanting to engage in 'high privacy risk activities' must undertake a Privacy Impact Assessment ('PIA').
The Report notes that 'high privacy risk activities' would include activities that are likely to have a significant impact on an individual's privacy, such as using surveillance tools for monitoring, collecting biometric information, and scraping sensitive information.
The Report found that the OAIC should publish specific guidance to help businesses understand what high-risk activities are and when they need to undertake a PIA.
Introducing the concept of controllers and processors (Proposal 22)
The Report proposes introducing the concepts of the controller and processor. No definition of controller or processor is currently proposed in the reforms, so instead of strict definitions of what these roles would be, the Report cites the wide acceptance of these roles among the international community through their data protection frameworks, most notably the GDPR.
For example, if the reforms are modelled on the GDPR, a 'controller' determines the purposes and ways personal information is processed (that is, collected, stored, and used), while a 'processor' is responsible for carrying out the activities that the controller has instructed it to perform.
The mechanism of controller/processor has gained traction globally after arising originally from the GDPR.
Adopting this mechanism, which differentiates between the roles played in handling personal information, is an important step in Australia's journey to being recognised by the global community as having an adequate level of protection for personal information.
The Report indicates that processors acting on behalf of the controller would have fewer compliance obligations under the reformed Privacy Act. This would save time and money for multinationals involved in data transfer impact assessments and facilitate easier cross-border data transfers and flows.
New rights for individuals and avenues for redress (Proposals 18, 26, and 27)
There has been a push for new rights for individuals which do not exist under the current Privacy Act.
This includes the rights for an individual to:
- access information relating to themselves, and require an explanation of how the information was collected, what it was used for, and to whom it was disclosed;
- object to the collection, use, and disclosure of their personal information;
- correct and de-index their information from online search engine results; and
- erase the information that an organisation holds about them.
Allowing individuals to correct information in online search engine results would be significant, giving individuals considerable autonomy. The Report recommends this in the context where search results are inaccurate, out of date, incomplete, irrelevant to the individual, or misleading. These rights would not be absolute, as they would be subject to exceptions that limit their operation.
The Report also proposes including a direct right of action for individuals in relation to Privacy Act breaches and introducing a tort for the invasion of privacy.
Currently, aggrieved individuals can only lodge a complaint with the OAIC or pursue a claim in tort for the intentional or reckless invasion of privacy, which is an expensive and inefficient endeavour for the average consumer.
Stronger enforcement and powers (Proposal 25)
The Report recommends that, in addition to the new penalties for serious or repeated offences introduced under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the Privacy Act should introduce more infringement notice powers (for breaches arising from administrative errors), civil penalties, and guidance around the harm thresholds in the penalty provisions.
How can your business prepare for the changes?
The reforms outlined in the Report represent a significant shift in the privacy regulatory landscape in Australia.
Overall, the Report signals movement towards minimising how much personal information is collected, to ensure it is proportionate, and introduces the concept of fair and reasonable collection. If enacted, this will impose a higher standard of transparency and accountability on business. It is also an approach that is unique internationally.
Businesses should keep an eye on the reforms and consider whether to submit feedback on the Report.
Businesses should prepare for change. As well as being aware of the recently increased penalties for serious and repeated privacy breaches, it is time to assess current practices, including by:
- understanding and recording where personal information is collected, used, and disclosed in their internal and external supply chains;
- reviewing how consents are currently collected;
- reviewing existing policies and practices relating to:
  - collecting, using, and disclosing personal information;
  - retaining and deleting personal information; and
  - notifying the OAIC of eligible data breaches.
The Government has called for feedback on the Report by 31 March 2023.
The Government is expected to formally respond to the submissions made on the Report and indicate which recommendations it supports in principle. While there is no timeline on when we can expect an exposure draft of the proposed reforms, all signs point to early action.
You can refer to the Attorney-General's Department website[5] for further information about how to make a submission.
1. See: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
2. See: https://www.accc.gov.au/focus-areas/inquiries-finalised/digital-platforms-inquiry-0
3. See: https://www.dataguidance.com/opinion/australia-implications-and-responses-data-breaches-%E2%80%93
4. See: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines
5. See: https://consultations.ag.gov.au/integrity/privacy-act-review-report/