Australian privacy law reforms 01: Federal Government sets out the future of privacy law in Australia
Proposed changes to the Privacy Act are individually and collectively likely to have a significant impact on an organisation's privacy compliance burden.
On 28 September 2023, the Commonwealth Government responded to the Attorney-General's report on the review of the Privacy Act 1988 (Cth) by indicating that, of the 116 proposals made, it agrees with 38 of them and a further 68 in principle. Where the Government agreed in principle, it indicates that further engagement with organisations and a comprehensive impact analysis is required before it makes a final decision on the proposal.
While much will depend on the final form of any legislative amendments, the Government is committed to introducing legislation in 2024. In this article, we give a broad overview of what is proposed; we will take a deeper dive over a series of articles.
Changes to the scope, and handling, of personal information
An expanded definition of "personal information"
In line with global standards, the Government agrees in principle to adopt a more expansive concept of personal information to include technical and inferred data (e.g. IP addresses and other device identifiers).
New forms of "sensitive information"
There is in-principle support for the inclusion of genomic information and precise geolocation tracking data as new forms of sensitive information.
Personal information about… an unknown individual?
The concept of a "reasonably identified person" will be expanded to cover an individual where they are able to be distinguished from all others (even when their identity is not known) or where the information gives rise to the potential for an individual to be re-identified.
When can you be "re-identified"?
As de-identification is a contextual process, it is unsurprising that the Government agrees in-principle that re-identification takes into account all the available information which may cause an individual to be reasonably identifiable. The Government's position on specific protections in respect of de-identified information remains unclear.
An expanded definition of "collection"
Perhaps uncontroversially, the Government agrees in principle that obtaining information from any source and by any means, including inferred or generated information, should constitute a collection for the purposes of the Act.
The "fair and reasonable" handling of information
The Government agrees in principle to a shift from the current test of "reasonably necessary" to a test of whether it is "fair and reasonable" to collect, use and disclose the personal information in the circumstances. The "fair and reasonable" test would operate as an objective test assessed from the perspective of a reasonable person and shift the current power imbalance in favour of individuals. This test may apply irrespective of whether an individual has consented to the collection, use and disclosure of their personal information.
Form of an individual's consent
The Government supports an increase in the onus on organisations seeking to rely on something other than express consent, with the proposed requirement being that there be an unambiguous indication of consent by the individual through clear action.
Withdrawal of consent
The Government agrees in principle that the Privacy Act should expressly recognise the ability for an individual to withdraw consent in an easily accessible manner.
Changes to the Australian Privacy Principles (APPs)
APP codes to increase flexibility
As the APPs are principles-based, the Government has identified the need for detailed and prescriptive APP codes which would impose additional specific requirements on specific industries or sectors. APP codes would be established by the Office of the Australian Information Commissioner (OAIC) on the direction or approval of the Attorney-General.
Privacy policies and collection notices
To improve transparency over an organisation's personal information practices, the Government has placed emphasis on privacy policies and collection notices being clear, concise, up-to-date and accessible by an individual. To support organisations, it agrees in-principle to the development of standardised templates for voluntary adoption.
Impacts on businesses
Removal of the small business exemption
The Government agrees in-principle to the Privacy Act applying to small businesses, which are currently exempt. Further consultation is flagged to best manage the balance between the costs of compliance to small businesses and the desire for adequate protection of individuals.
Organisational accountability
The Government's view is that to improve privacy protections and mitigate risks, organisational accountability is required. This may be achieved by designating a senior privacy employee, determining and recording the purpose of any personal information handled before or at the time it is collected, used or disclosed, and taking reasonable steps to ensure that personal information collected by third parties was collected lawfully.
Securing personal information
The focus on information security will continue. The OAIC would also provide guidance as to what reasonable steps organisations should take, with the baseline privacy outcomes aligning with the Government's 2023-2030 Australian Cyber Security Strategy.
Retention and destruction of personal information
As to end-of-life processing, the Government recognises that organisations should establish their own minimum and maximum retention periods (which take into account the type, sensitivity and purpose of the information) and should specify those periods in their privacy policies.
Employee records exemption
To what extent the employee records exemption may continue to apply to private sector organisations when they deal with their current and former employees' personal information remains to be seen. Further consultation is proposed, in particular, as to how privacy and the workplace should interact and the impact and timing of new privacy obligations on small businesses.
Requirements for high privacy-risk activities
Where an organisation engages in high-risk activities (the historic examples provided in the Attorney-General's report are the collection of COVID-19 vaccination information and contact tracing), organisations may be expected to conduct a Privacy Impact Assessment prior to the commencement of the activity, which the OAIC would be able to request. These high-risk activities would be supported by guidance from the OAIC, which would develop practice-specific guidance for new technologies and emerging privacy risks.
Vulnerable individuals and their privacy
Where an individual is experiencing a vulnerability (e.g. children, victims of family or domestic violence or problematic gamblers) or may be at a higher risk of harm from interferences with their privacy, the Government recognises that additional privacy protections should be in place. While the OAIC is to provide guidance on a non-exhaustive list of factors, a greater emphasis will be placed on organisations to ensure they appropriately collect, use and disclose a vulnerable individual's personal information.
Notifiable Data Breach scheme
Recent data breaches have identified that the current scheme is not fit for purpose, as it focuses on initial reporting and notification of the breach rather than facilitating a response to the breach. The Government agrees in principle that organisations should set out the steps taken or to be taken in response to a data breach and has identified that further consultation is required to determine whether organisations should be required to take reasonable steps to prevent or reduce harm that is likely to occur to an individual.
A distinction between controllers and processors of personal information
Currently, the Privacy Act and APPs are concerned with who 'holds' personal information, and do not distinguish between a controller (who "controls" and "holds" the personal information) and a processor (i.e. an outsourced service provider). The Government agrees in principle to distinguishing between the two, which would bring Australia in line with other jurisdictions, and reduce the complexity and regulatory burden placed on processors.
Facilitating overseas data flows
To assist organisations to safely transfer data overseas, the Government agrees to the introduction of a list of prescribed countries with substantially similar privacy laws to allow for the disclosure of personal information without the need for contractual clauses or other measures. This would be similar to the GDPR's "adequacy decisions". Where a country is not a prescribed country, the Government agrees in-principle to the introduction of voluntary and standard contractual clauses to assist organisations.
Empowering an individual's rights in respect of their personal information
Expanded individual privacy rights
The Government agrees in principle to the expansion of individuals' privacy rights to improve transparency and control over their personal information. This would see the expansion of a number of existing rights, new rights and a number of exemptions which, taken together, are likely to have a significant impact on organisations in terms of direct and indirect costs.
Direct marketing, targeting and trading
The Government agrees in principle that individuals should have an unqualified right to opt out of their personal information being used or disclosed for marketing purposes. Further, an organisation should provide information to online users in respect of the use of targeting systems (such as algorithms and profiling to recommend content) and an individual's consent should be required before an organisation can trade their personal information.
An individual's ability to seek redress
While the Government recognises that individuals should have direct rights of action to seek compensation and enhance the control of their personal information, any direct right of action would require the individual to first lodge a complaint with the OAIC or a recognised external dispute resolution scheme. This is intended to encourage early resolution and minimise the burden on the Courts.
The proposed introduction of a statutory tort for serious invasions of privacy
It is proposed that this cause of action would require the invasion of privacy to either be a serious intrusion into seclusion or a serious misuse of private information, and would enable an individual to seek redress in the courts. This statutory tort would operate independently of an individual's ability to seek redress under the Privacy Act.
Empowering regulators
Co-operative regulatory response
The Government will continue to support the various regulators in the cyber space (ASIC, ACCC, APRA, OAIC) to enforce matters involving the mishandling of personal information.
An empowered OAIC
The OAIC will be provided with additional powers to investigate and prosecute civil penalty provisions. It will also be granted the power to undertake public inquiries and reviews on approval or direction of the Attorney-General. As part of this, the OAIC will conduct a strategic organisational review and investigations will be undertaken to consider the feasibility of an industry funding model to support the OAIC.
Tiered civil penalty provisions
The Privacy Act's current civil penalty provision covers serious or repeated privacy breaches, which equates to a "top-tier" civil penalty provision. To encourage compliance with the Privacy Act, the Government agrees with the introduction of a new mid-tier civil penalty provision to cover "non-serious" privacy breaches and a low-tier civil penalty provision for specific administrative breaches of the Privacy Act and APPs.
How these changes will impact your organisation
The Government has indicated that it is committed to introducing legislation in 2024. Further consultation will be undertaken and we expect the final form of every proposed change will not be known until late next year at the earliest.
The proposals accepted and agreed to in principle by the Government are individually and collectively likely to have a significant impact on an organisation's privacy compliance burden. This will likely bring with it direct and indirect costs.
Organisations should continue to monitor progress of the Privacy Act Review, and begin factoring the likely changes into their forward planning for activities involving the handling of personal information.