Australian privacy law reforms: insights from the OAIC's submissions
Further to our recent article about the Federal Government's review of the Privacy Act 1988 (Cth), the Office of the Australian Information Commissioner (OAIC) last week made its submission to the Federal Government.
The OAIC broadly supports the Federal Government's proposed review of the Privacy Act and has identified four key foundations for the review – the opportunity to:
- encourage global interoperability;
- enable privacy self-management;
- ensure organisational accountability; and
- align privacy regulation with community expectations.
Impact on individuals
Recent studies[1] suggest that most individuals are uncomfortable with privacy policies and only accept them because the cost of opting out (typically the inability to obtain the goods or services) is too high.
The OAIC's recommendations seek to empower individuals by:
- ensuring that individuals can exercise meaningful choice and control, by understanding through notice and consent how their personal information is handled;
- requiring an entity that collects personal information from an individual to ensure that any use or disclosure of that information is fair and reasonable;
- introducing an independent third-party certification scheme to allow individuals to quickly assess the data protection offered by the entity;
- prohibiting the scraping of personal information from online platforms, inappropriate surveillance or monitoring of individuals through audio or video functionalities on an individual's devices, profiling and monitoring of children, and certain uses of AI technology to make decisions about individuals; and
- granting individuals a direct right of action to enforce breaches of the Privacy Act or the Australian Privacy Principles (APPs), coupled with a statutory tort for serious invasions of privacy.
Impact on businesses
How businesses interact with the Privacy Act may be significantly altered under the OAIC's proposals. Currently, the Privacy Act imposes obligations on only 4.8% of the approximately 2.4 million actively trading Australian businesses. The remaining 95.2% of Australian businesses (which are exempt under the small business rule) do not have to comply with the prescribed requirements for handling personal information, even though the information they hold is no less important, and no more immune to the risks of the modern digital age, than that held by regulated entities.
The OAIC proposes that all businesses (and political parties) ought to be required to comply with the Privacy Act to protect individuals' personal information, as the OAIC receives hundreds of enquiries and complaints each year about the conduct of small businesses. This move would also align Australia with the privacy laws of other countries, which already capture a greater proportion of businesses and organisations.
Other key recommendations likely to have an impact on businesses are recommendations for:
- the introduction of an organisational accountability regime, requiring organisations to take reasonable steps to ensure compliance with the APPs and any registered APP code, and to be able to demonstrate those steps;
- an ongoing, demonstrable and comprehensive privacy management program, including privacy impact assessments where appropriate, to embed a "privacy by design" and "privacy by default" approach in an entity's operations;
- the introduction of legislative transfer mechanisms to protect personal information covered by the Privacy Act when it is transferred overseas;
- an amendment to the Privacy Act to enliven its extraterritorial jurisdiction where a body corporate has collected the personal information of Australians from a related body corporate (irrespective of whether it carries on a business in Australia in its own right); and
- a requirement that, where personal information is collected from an individual and then used or disclosed, the entity does so fairly and reasonably and with adequate safeguards in place to protect the privacy of individuals.
A new-look Commissioner
The OAIC also recommended a number of changes to the role of the Australian Information Commissioner and Privacy Commissioner, including that the Privacy Act:
- grant the Commissioner the power to make legally binding instruments to address areas of the law that require further certainty or specificity where appropriate, and to enable the Commissioner to develop a privacy code at first instance or issue a temporary, and urgent, privacy code where it is in the public interest to do so;
- grant the Commissioner the power to request documents or information from entities to demonstrate and ensure their compliance with the APPs, the existence of a comprehensive privacy management program and that entities are operating on a "privacy by design" and "privacy by default" approach to their operations;
- grant the Commissioner the power to seek a warrant to preserve and secure information and documents and to expand the scope of its power to issue a determination to enable it to require an entity to identify and mitigate foreseeable risks or delete personal information;
- enable the Commissioner to seek civil penalties for interferences with privacy and to issue public infringement notices. Allowing the Commissioner to seek civil penalties for any interference with privacy would broaden the Commissioner's regulatory powers, with the current threshold of repeated or serious conduct proposed to become an aggravating factor instead; and
- grant the Commissioner "full jurisdiction" to enforce the privacy protections in any other legislative regimes.
Key takeaways
If you carry on a business in Australia, the OAIC's recommendations, if accepted and implemented, would require you to review and reconsider your approach to the handling of personal information and your compliance with the Privacy Act more generally.
While much will depend on the final form of any legislative amendments, those amendments will inevitably increase the administrative and financial costs associated with compliance with the Privacy Act for businesses.
[1] See, for example, the OAIC's Australian Community Attitudes to Privacy Survey 2020 and the Consumer Policy Research Centre's 2020 Data and Technology Consumer Survey.