Attorney General’s review proposes Privacy Act overhaul
In line with previous predictions, wide ranging changes to the Privacy Act 1988 (Cth) were proposed by the Attorney-General in his Privacy Act Review Report (Report) released on 16 February 2023.
More than 110 proposals are set out in the Report, which go beyond proposed amendments to legislation. It includes a call for greater consultation and guidance on multiple aspects of the Act.
A broader application of the Privacy Act, greater obligations around data collection and handling and greater rights for individuals have also been canvassed. We focus on a selection of these proposed reforms below.
To broaden the application of the Privacy Act, the following has been proposed:
- removal of the Small Business Exemption to significantly expand the application of the Act, but not before significant further consultation with small businesses to determine the best way for them to meet obligations under the Privacy Act – for reference it is estimated that about 95% of all businesses meet the turnover requirements of the Small Business Exemption;
- changes to (but not the removal of) other exemptions, including the Employee Records Exemption;
- clarification that the ‘Personal Information’ definition is an expansive concept that includes technical and inferred information – this includes IP addresses and device identifiers; and
- security obligations under Australian Privacy Principles 8 and 11.1 be imposed on de-identified personal information due to concerns that such information can increasingly be re-identified.
Data Collection, Use and Handling
Numerous proposals go to the collection, use and handling of personal information. Of note are:
- consent obtained from individuals must be voluntary, informed, current, specific and unambiguous;
- where information is not collected directly from an individual, a business must take reasonable steps to satisfy itself that the information was originally collected from the individual in accordance with the Privacy Act;
- online privacy settings be required to reflect a “privacy by default” framework;
- outside of limited exceptions, businesses be required to only collect, use and handle personal information in a manner that is fair and reasonable in the circumstances, having regard to a range of matters;
- prior to any collection of personal information, businesses must determine and record the purposes for which they will use or disclose personal information – any secondary purpose use must be recorded at or before the time of the secondary use;
- businesses be required to establish and set out personal information retention periods having regard to a range of relevant considerations;
- the disclosure and consent requirements as to overseas disclosures of personal information be enhanced; and
- controller and processor concepts be introduced (with processors having fewer obligations).
Rights of Individuals
Drawing inspiration from the GDPR, a range of individual rights over personal information have been proposed. These include:
- the ability to easily withdraw consent to collect and use personal information;
- access to and an explanation about their personal information;
- the right to object to the collection, use or disclosure of personal information;
- the right to the erasure of their personal information;
- the right to de-index certain types of personal information; and
- the right to request meaningful information about automated decision-making processes and the use of personal information in those processes.
As expected, associated proposals about updated privacy policies, response mechanisms and reasonable assistance to be provided to individuals in respect of these rights have been included.
In addition, it is proposed that both a direct right of action for individuals in relation to an interference with privacy and a statutory tort for serious invasions of privacy be introduced.
Enforcement and Breach Notification
Following in the footsteps of the enhanced powers granted to the OAIC through Privacy Act reforms in November 2022, it is proposed that:
- tiers of civil penalty provisions be introduced for better targeted regulatory responses;
- greater clarity be provided on what constitutes a serious interference with privacy;
- the Information Commissioner be able to undertake public inquiries and reviews into specific matters; and
- a power be introduced to require a business to take steps to identify, mitigate and redress any actual or reasonably foreseeable loss or damage suffered (or that may be suffered) by a complainant – this expands the existing power that is confined to only redressing suffered loss or damage.
Various amendments to the notifiable data breach scheme have also been proposed, including a requirement to notify the OAIC no later than 72 hours after determining that there has been a notifiable data breach.
In addition, it has been proposed that further work be undertaken to streamline multiple reporting obligations that can arise out of cyber incidents.
Underpinning a number of proposed reforms is the identification of a clear need for significantly more guidance on numerous matters under the Privacy Act. The report includes proposals for:
- standardised templates for privacy policies and collection notices;
- guidance on consent requests;
- practice-specific guidance on new technologies and emerging privacy risks;
- greater guidance on what are reasonable steps to protect personal information;
- enhanced guidance on how to destroy or de-identify personal information;
- provision of standard contractual clauses for the overseas transfer of personal information; and
- further guidance on factors the OAIC takes into account when deciding to take action for serious interferences to privacy.
The proposals canvassed in the Report are extensive and look to bring Australia closer to the obligations imposed by the GDPR and in other countries viewed as having more robust privacy and data security obligations.
Naturally, the impact of the proposals if implemented will be significant and far reaching. The Privacy Act will introduce privacy obligations to a massive subset of the economy to whom most obligations currently do not apply.
Given the heightened media spotlight on numerous recent massive data breaches and greater community expectations on data security, the proposals generally will be welcomed by the community.
However, there will undoubtedly be concerns raised by many businesses on their ability to meet the obligations proposed. In particular, the costs associated with introducing systems and procedures in compliance with the reforms are likely to be a point of great contention.
The consultation period on the proposals in the Report ended on 31 March 2023. Given the continuous flow of high-profile cyber incidents and data breaches, we expect the government will move quickly to put forward proposed legislation.
Reforms are ultimately likely to be introduced via a phased approach given that many will require significant further consultation. Some reforms may also be subject to strong industry and political resistance.
However, the clear global trend is that businesses of all sizes are now expected to take privacy and data security seriously. All businesses should now be proactively considering what they need to do to comply with obligations that will almost inevitably come.
If you need help to gauge your compliance with privacy, data security and cyber obligations, improve your cyber resilience or deal with a cyber incident, Gilchrist Connell can assist with a range of services and expertise.