What’s happening?

After over two years of extensive consultation and review, the Attorney-General’s Department released its Privacy Act Review Report on 16 February 2023. In assessing whether the Privacy Act 1988 (Cth) continues to be fit for purpose in an increasingly digital and data-driven economy, the report makes 116 specific recommendations and signals the Department’s appetite for reform. Consultation on the report is now closed and we’re awaiting the Government’s response.

Why does it matter?

The report’s proposals are significant and, if implemented, would represent comprehensive reform to the Privacy Act. By enhancing individual rights, distinguishing between controllers and processors, introducing a new statutory tort, and providing tighter governance on digital data handling (among other stuff!), the proposed reforms would materially impact how APP entities can collect and handle personal information. If you run a business in Australia, it will be very important to understand how your privacy and data collection obligations may change, and to consider what can be done now to prepare for the likely shift towards increased protections.

Removal of the Small Business Exemption

Proposal 6 of the report recommends the removal of the small business exemption to improve privacy protections across the entire economy.

Current position: Small businesses (businesses with an annual turnover of $3m or less, with some exceptions) are currently exempt from the application of the Privacy Act and do not need to comply with its restrictions on collecting and handling personal information.

Proposed reform: The small business exemption would be removed, and all Australian businesses would need to comply with the Privacy Act (regardless of annual turnover). However, this should not occur until an ‘impact analysis’ has been conducted and steps are taken to support small businesses to comply.

Here’s what we think: the removal of the small business exemption would mean more consistent and robust privacy protections across the economy; however, the compliance burden for small businesses would be material and potentially very costly. Ideally, if the exemption is scrapped, some differentiation would still exist under the Privacy Act to establish more proportional expectations of smaller businesses – so that the local milk bar does not have the same compliance burden as a large ASX company. For now though, small businesses should be taking the time to start getting across the basics and mapping out what personal information they collect and why.

Narrowing the Political Exemption

Proposal 8 of the report recommends narrowing the current political exemption so that political entities are more accountable for how they handle personal information.

Current position: Registered political parties are entirely exempted from the Privacy Act. There is also a more limited exemption under section 7C of the Act which applies to political representatives, their affiliates, and the affiliates of registered political parties.

Proposed reforms, geared at:

  • making registered political parties subject to the Act (with some exemptions);
  • political entities being required to publish a privacy policy;
  • requiring political parties to handle voters’ information fairly and reasonably;
  • prohibiting political parties from targeting based on certain sensitive information, and requiring compliance with individual opt-out requests;
  • ensuring political entities take steps to protect or otherwise destroy information when no longer required, and comply with the NDB scheme; and
  • OAIC developing further guidance for political entities.

Here’s what we think: there’s a difficult balance to strike here between privacy and freedom of political communication. However, we agree with most submissions that the breadth of the current exemption is not justified. We also think that greater transparency around the handling of voters’ personal information is a reasonable expectation, considering the potential scale of collections and the spate of large-scale data breaches over the past year.

Increased Regulation for Employee Records

Proposal 7 of the report recommends broader regulation of the handling of employee records by private sector employers.

Current position: Private sector employers generally do not need to comply with the Privacy Act in relation to how they handle ‘employee records’ (which are records of personal information relating to an individual’s employment), if their handling is directly related to a current or former employment relationship.

Proposed reforms: New privacy protections for private sector employees, geared at (a) requiring more transparency from employers; (b) clarity around employer rights and obligations; (c) ensuring employee information is reasonably protected by employers; and (d) extending the notifiable data breach scheme to breaches that compromise employee information.

Here’s what we think: there’s been some uncertainty for this exemption since the FWC decision in Lee v Superior Wood (2019), and so legislative clarity will be helpful for employers. The proposed reforms would also reduce what’s currently a clear gap in protection for employee personal information (which hasn’t been filled by workplace legislation, as was anticipated). The targeted regulation being proposed, rather than scrapping the exemption entirely, therefore seems a sensible choice.

Stricter Consent Requirements

Proposal 11 of the report proposes changes geared at improving the quality of consent and enabling individuals to revoke it.

Current position: The current definition of ‘consent’ states that it may be express or implied, but there is no further clarification on the concept of consent. There is also no express right or mechanism for withdrawing consent.

Proposed reforms:

  • Improved quality of consent by requiring it to be voluntary, informed, current, specific and unambiguous
  • Express recognition of the ability to withdraw consent
  • Guidance to be provided on how online services should design consent requests, and consideration given to standardisation in this regard

Here’s what we think: while the proposed reforms are a push towards the stricter requirements of the GDPR, they don’t contain an equivalent proposal that consent be expressed via an affirmative action or statement (and so implied consent may be sufficient, if other requirements are met). In any event though, the proposed changes would require a major review and overhaul of consent processes for many Australian businesses, and new processes to enable compliance with consent revocation.

Right to Erasure

Proposal 18.3 of the report proposes a new right of erasure, giving individuals the ability to request deletion of their personal information held by APP entities.

Current position: There is currently no right to erasure of personal information in Australia, despite the Australian Law Reform Commission recommending it in 2014.

Proposed reform: If an individual makes a valid erasure request, the APP entity would be required to:

  • erase the relevant personal information held by them; and
  • if the personal information was obtained from or disclosed to a third party, inform the individual about the third party and the third party about the erasure request, unless this is impossible or involves disproportionate effort.

Here’s what we think: it’s pretty likely this proposal will be implemented (even if others are not), and we’d suggest businesses start getting ready by thoroughly mapping the PII they hold. A good data map will identify what PII and data is currently collected, how it is stored, used and shared, and for what purposes, and is a pretty useful tool for compliance more broadly. As it would be difficult to comply with a right of erasure without one, it’s worth starting this process now.

Right to Object

Proposal 18.4 of the report proposes a right for individuals to object to an entity’s collection and handling of their personal information.

Current position: There is currently no express right to object to the collection, use or disclosure of personal information in Australia.

Proposed reform: If an individual makes an objection, the APP entity would need to:

  • review its data handling practices; and
  • provide a written response to the objection, with reasons as to why its data handling is compliant/non-compliant with the Privacy Act.

Here’s what we think: the proposal only introduces a right to challenge whether an APP entity’s handling of information complies with the Act, and does not require the entity to stop whatever is being objected to. While it wouldn’t be an absolute right, APP entities would need to be ready to justify why and how they use personal information.

Statutory Tort and Direct Right of Action

Proposals 26–27 of the report recommend a direct right of action (actionable in federal courts), and a statutory tort for serious invasions of privacy (ideally actionable in all jurisdictions).

Current position: There is currently no statutory tort for serious invasions of privacy, and very limited avenues for individuals in Australia to make a claim for compensation.

Proposed reform: Introduction of:

  • a direct right of action for individuals (or groups of individuals) to seek compensation from APP entities for loss or damage suffered due to a privacy interference under the Privacy Act; and
  • a statutory tort for serious invasions of privacy in the form previously recommended by the ALRC, enabling claims against both APP and non-APP entities, and capturing a broader range of invasions of privacy.

Here’s what we think: these reforms have been on the table (and hotly debated) for a long, long time. While they’ll increase exposure to a claim for compensation in addition to penalties imposed by the regulator, they would close a big gap by enabling individuals to initiate their own court actions. If implemented, we’d expect to see quite a few class actions kicking off (though we query how many individual plaintiff claims we’ll see, given the high cost of litigation).

Regulating Targeting and Trading

Among other things, proposals 20.2 – 20.4 recommend more comprehensive regulation of direct marketing, to expressly govern targeting and trading.

Current position: The APPs currently restrict the use of personal information for direct marketing purposes. They do not specifically govern:

  • targeted marketing that relies on de-identified or anonymised data; or
  • trading of personal information (i.e. swapping customer lists).

Proposed reforms:

  • New defined terms for ‘targeting’ and ‘trading’ (cf ‘direct marketing’)
  • An unqualified right to opt out of targeted advertising and prevent the use of information for tailoring services, content, information, advertisements or offers
  • Requirement to obtain consent before trading personal information

Here’s what we think: anonymised online targeting and trading are significant marketing methods these days, and it’s surprising that they still fall through a legislative loophole. While very effective, they can also be harmful – especially for children and vulnerable consumers. These reforms would materially lift the regulation of digital marketing and customer profiling, and will need to be carefully worked through by businesses (another one that’s worth looking at now).

Differentiating ‘High Risk’ Practices

Proposal 13 of the report proposes identification and regulation of ‘high risk’ practices.

Current position: There is no express recognition or governance of ‘high risk’ practices, or any obligation to conduct privacy impact assessments (‘PIAs’).

Proposed reforms:

  • Distinguish and identify ‘high risk activities’, being activities that are ‘likely to have a significant impact on the privacy of individuals’
  • Require mandatory PIAs for any ‘high risk activities’, to be provided to the OAIC on request
  • Develop sector-specific guidance for compliance when engaging in specific high risk activities

Here’s what we think: in alignment with the GDPR, these changes will help to ensure that entities ‘think’ before they ‘do’ when engaging in high risk activities. While it will represent an initial compliance burden for businesses, undertaking a PIA is likely to reduce their overall risk exposure down the track by embedding compliance into the project design.

Data Breaches: Timing and Clarity for Notification

Proposal 28 of the report proposes to clarify and strengthen the existing NDB scheme.

Current position: Under the existing regime, if there are reasonable grounds to suspect that an eligible data breach has occurred, an entity has 30 days to make an assessment of the breach, and must then make any notifications as soon as practicable.

Proposed reforms:

  • Requiring a statement to be provided to OAIC within 72 hours of the entity becoming aware of reasonable grounds to believe that an eligible data breach has occurred
  • Streamlining reporting processes for entities with multiple reporting obligations under different schemes
  • Requiring entities to take proactive action to mitigate the harm to impacted individuals
  • Enabling the A-G to allow the sharing of information with appropriate entities to reduce the risk of harm to impacted individuals

Here’s what we think: recent large-scale data breaches have shown the need for tightening up the current requirements, and we expect these reforms are likely to be implemented. Get ready, as the (much) shorter timeframes and requirement for proactive steps represent significant change.

Distinction between Controllers and Processors

Proposal 22.1 of the report proposes to introduce the concept of APP controllers and APP processors into the Privacy Act.

Current position: Under the existing regime, there is no distinction between controllers and processors, and the Privacy Act applies equally and in the same way to all entities that ‘hold’ personal information.

Proposed reforms:

  • To introduce the concept of APP controllers and APP processors into the Privacy Act
  • Substantive compliance provisions to be adjusted so that APP processors who are acting on the instructions of an APP controller have fewer compliance obligations (limited to APP 1, APP 11 and the NDB scheme)

Here’s what we think: this would be a welcome change, especially for businesses that provide software and other digital solutions within Australia, and have no direct relationship with individuals or control over how their personal information is processed. These reforms would help to clarify the obligations of controlling vs processing entities and improve the functioning / practical implementation of the Privacy Act, especially if the small business exemption is removed.