Long awaited Privacy Act Review Report released – What privacy reforms are proposed?

On 16 February 2023, the Attorney-General’s Department released its long-awaited Privacy Act Review Report (Report). The Report contains 116 proposals for reforming the Privacy Act 1988 (Cth) (the Act) and the Australian Privacy Principles (APPs) found in Schedule 1 of the Act.

The Government is seeking feedback on the proposals before deciding the next steps to take in reforming the Act. The deadline for feedback is 31 March 2023.

In releasing the Report, the Attorney-General, the Hon Mark Dreyfus, noted that the Act had not kept pace with changes in the digital world and that Australians ‘expect greater protections, transparency and control over their personal information’.

1. Key reform proposals in respect of the Act’s scope and application include:

  • Clarifying what may constitute ‘personal information’ by including a non-exhaustive list of types of information which could be personal information, including device identifiers, IP addresses and location data (Proposal 4.2).
  • Recognising that collecting, using and disclosing geolocation tracking data (which identifies an individual’s exact geolocation) requires consent (Proposal 4.10).
  • Removing the exemption for small businesses (those with an annual turnover of less than $3 million) many of which are not currently required to comply with the Act. Before this occurs, an impact analysis is to be conducted and appropriate support developed (such as template privacy documents) (Proposal 6.1).
  • Extending enhanced privacy protections to employees so that employees are provided with greater transparency regarding their personal and sensitive information and are required to be notified if their personal information is involved in a data breach which is likely to result in serious harm (Proposal 7.1). In other respects, employee records will remain exempt from the application of the Act.
  • In order to rely on the journalism exemption, media organisations be required to comply with:
    • privacy standards overseen by a recognised oversight body, such as the Australian Press Council or the Australian Communications and Media Authority; or
    • standards which properly address privacy.
  • Media organisations be required to comply with reporting requirements in the Notifiable Data Breach Scheme (NDB Scheme) contained in the Act with some modifications, for example, affected individuals would not need to be notified if the public interest in journalism (eg investigative reporting) outweighs the affected individual’s interest in being notified (Proposal 9.5).
  • An independent review and audit of the journalism exemption take place three years after any amendments to the journalism exemption take effect (Proposal 9.3).

2. Proposals for enhanced privacy protections include:

  • The definition of ‘consent’ be amended so that consent must be ‘voluntary, informed, current, specific and unambiguous’ (Proposal 11.1), with individuals having an express right to withdraw their consent (Proposal 11.3).
  • Privacy settings for online services should be ‘privacy by default’ (ie the most restrictive privacy settings) (Proposal 11.4).
  • Privacy Impact Assessments (PIAs) be undertaken before activities with a ‘high privacy risk’ are conducted, being activities which are ‘likely to have a significant impact’ on individuals’ privacy. The OAIC is to develop guidance materials identifying factors which may be indicative of high privacy risk (Proposal 13.1).
  • In terms of governance, a senior employee must be designated as being responsible for privacy. This person can be an existing staff member who has other responsibilities (Proposal 15.2).
  • The introduction of a Children’s Online Privacy Code, which would apply to online services likely to be accessed by children and would largely align with the UK Age Appropriate Design Code (Proposal 16.5).
  • The introduction of additional individual rights (set out in Proposal 18) including: the right to seek erasure of personal information, similar to that contained in the EU General Data Protection Regulation (GDPR); the right to ask online search engines to de-index search results if, for example, the search results are sensitive (such as containing health information), excessively detailed, out-of-date or inaccurate; and the right to request that businesses correct online publications under their control. Exceptions to the exercise of these rights include where complying would be contrary to the public interest, would conflict with a law or be inconsistent with a contract with the individual, or would not be technically possible or would be unreasonable, or where the request is vexatious or frivolous (Proposal 18).
  • The use of personal information in automated decision making to be regulated with, for example, privacy policies to include details of the types of personal information used in decision making which is substantially automated and has a legal or other significant effect on individuals’ rights. Indicators of the types of decisions with a significant effect on individuals’ rights should be included in the Act and the OAIC should produce guidance material (Proposal 19).
  • Definitions be introduced for ‘direct marketing’, ‘targeting’ and ‘trading’, and individuals be provided with an unqualified right to opt out of:
    • their personal information being used for direct marketing; and
    • receiving targeted advertising (Proposal 20).
  • The introduction of the concepts of ‘controllers’ and ‘processors’ along the lines of those used in the GDPR (Proposal 22.1). Processors acting in accordance with controllers’ instructions will have reduced compliance obligations under the APPs. This proposed change reflects that processors do not necessarily have a direct relationship with individuals, so it may not be practicable for them to fulfil obligations under the APPs (for example, providing a privacy collection notice).
  • In respect of overseas data flows, a mechanism will be added to the Act whereby countries and certification schemes considered substantially similar to the APPs can be prescribed (Proposal 23.2). This would give businesses greater certainty that they are compliant when transferring personal information to overseas recipients in countries which are prescribed. Standard contractual clauses which could be used when personal information is transferred to overseas recipients should be made available for use (Proposal 23.3).

3. Proposals in respect of regulation and enforcement include the following:

  • The creation of civil penalty provisions with new civil penalties:
    • mid-tier civil penalties for conduct which is less than a ‘serious’ or a ‘repeated’ interference with privacy, which are high enough to act as a deterrent; and
    • low-level civil penalties (for example not having an up-to-date privacy policy or failing to deal with a request to correct information within the required time) (Proposal 25.1).
  • A direct right of action be provided for individuals and groups to apply to the courts where there has been an interference with their privacy which has resulted in them suffering damage or loss (Proposal 26.1).
  • A statutory tort for serious invasions of privacy, as recommended by the Australian Law Reform Commission in Report 123 (Serious Invasions of Privacy in the Digital Era), be introduced for serious invasions of privacy which are reckless or intentional. The States and Territories are to be consulted so that the approach is nationally consistent (Proposal 27.1).
  • Businesses be required to notify data breaches more promptly. Where a business has reasonable grounds to believe that a data breach is notifiable under the NDB Scheme (ie likely to result in serious harm to affected individuals), the business is required to notify:
    • the OAIC no later than 72 hours after becoming aware of the breach (which aligns with GDPR requirements) and further information can later be provided to the OAIC; and
    • affected individuals as soon as practicable and the information required to be provided can be provided in phases if not available at the time of the initial notification (Proposal 28.2).

The review of the Act was first announced in late 2019 and submissions closed over a year ago in January 2022. Accordingly, it may be some time before an exposure draft bill amending the Act is released. However, at this early stage it is clear that companies will be required to significantly change their privacy practices.

We are monitoring the Review and will keep you informed of further developments. If you would like additional information about any of the proposals, please contact one of the article authors.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.