The government has delivered the next step in the ongoing Privacy Act Review by releasing the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 and Privacy Review Discussion Paper.
On 25 October 2021, the Attorney-General’s Department released the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) as well as the long-awaited Privacy Act Review Discussion Paper (Discussion Paper) for broader review of the Privacy Act 1998 (Cth) (Privacy Act).
The release of the Draft Bill and Discussion Paper marks another step towards broad-ranging reforms to Australian data protection laws following:
Reforms to Australian data protection laws are following global trends towards heightening consumer control over their personal information, and as a necessary consequence, a change in mindset regarding corporate “ownership” of data sets containing personal information.
The reforms, if implemented, will require a major upheaval of privacy compliance programs across the economy, including a rethink of data flows, technology systems and contractual arrangements. Australian organisations with global operations governed by foreign regimes such as the GDPR or California Consumer Protection Act, or that comply with (or are preparing to comply with) the Consumer Data Right, are likely to be familiar with, and better placed to adapt to, the proposed reforms, which would adopt key aspects of these regimes, such as more onerous consent requirements and individual rights to withdraw consent and to erasure.
In any event, as Australian data protection laws reach to touch the high water mark set by foreign regimes like the GDPR, data governance and strategy will be pushed closer to the top of the agenda for all organisations that process personal information.
The Draft Bill intersects with matters that form part of the broader privacy reforms, but which the government perceives as being in pressing need of implementation in advance of the reforms proposed by the Discussion Paper.
The Draft Bill proposes some amendments to the Privacy Act including to:
The proposed OP Code will apply to specific types of online service providers (OP Organisations) that provide:
The Draft Bill proposes that the OP Code:
The Commissioner will have the power to investigate potential breaches of the OP Code, either in response to a complaint or on its own initiative, and will have the full range of powers under the Privacy Act to enforce the OP Code.
The Draft Bill increases the maximum civil penalty for serious and/or repeated interference by a corporation with privacy of an individual to the greater of:
The Commissioner is also granted additional enforcement powers, including by:
The Draft Bill expands the extra-territorial application of the Privacy Act by removing the requirement that a foreign organisation that carries on business in Australia “collect or hold” information within Australia prior to or at the time of an act or practice. This amendment is designed to remove uncertainty in the existing regime as to whether foreign organisations have collected or held personal information in Australia – for instance, in circumstances where the information was collected online by servers outside of Australia.
Submissions on the Draft Bill are now open and will close on 6 December 2021. The Government will consider submissions and prepare a final draft bill to present before Parliament. If the bill receives Royal Assent, the OP Code will be developed in accordance with the existing APP code development process under the Privacy Act (with industry having the first opportunity to develop the OP Code), and registered within 12 months.
Following the Issues Paper, which received extensive public submissions, the Discussion Paper makes a number of proposals for privacy reform, and sets out numerous issues requiring further consideration and consultation in order for the government to develop and finalise its proposals, which will be contained in its final report.
Key proposals made by the Discussion Paper include:
Technical information: Address uncertainty as to whether certain technical information (such as online identifiers, location data, IP addresses) constitutes personal information by amending the definition of personal information:
Reasonably identifiable: Provide greater clarity on assessing whether an individual is reasonably identifiable (and as a corollary, when information is anonymised and not subject to the Privacy Act) by:
Anonymous information: Increase the standard required in order for personal information to no longer be subject to the APPs by:
Collection notices: Increase transparency for consumers at the time of collection regarding the intended processing of personal information by:
Demonstrating consent: Heightening the requirements for obtaining an individual’s consent by:
Children: Introduce additional requirements for collection, use and disclosure of personal information of minors, including by either requiring parent or guardian consent in respect of personal information of a child under the age of 16:
Primary and secondary purpose: Restrict the use of personal information for secondary purposes by amending APP 6 to:
Restricted practices: Introduce additional safeguards to identify and mitigate privacy risks for a range of high-risk acts and practices, such as large-scale direct marketing, targeted advertising, processing of sensitive information, use of biometrics or facial recognition software, sale of personal information, automated decision making with legal or significant effects, and practices that influence individual behaviour. Specifically, by either:
Privacy settings: Introducing new requirements for products or services that contain multiple levels of privacy settings to either:
Objecting or withdrawing consent: Introduce an individual right to object or withdraw consent to collection, use and disclosure of their personal information, and an obligation on organisations to take reasonable steps to stop collecting, using or disclosing the individual’s personal information and inform the individual of the consequences of the objection.
direct marketing. Organisations will be required to cease direct marketing and notify the individual of the consequences of the objection.
Marketing communications: Require organisations to notify individuals of their right to object (as noted above) in each marketing communication.
Collection notices and privacy policy: Introduce further requirements for privacy policies and APP 5 notifications in order to collect, use and disclose personal information for direct marketing, including specifically:
Certification schemes: Increase certainty regarding the permissibility of cross-border transfers of personal information by amending APP 8.2 to include a mechanism to prescribe countries and certification schemes that offer adequate protection.
Standard contractual clauses: Develop standard contractual clauses that will allow organisations to transfer personal information overseas.
Other issues for further consideration
The Discussion Paper considers numerous other matters for possible reform, for which further consideration is required in order to develop reform proposals, including the removal of the small business and employee records exemptions to the APPs.
The government is inviting public submissions on the reform proposals in the Discussion Paper, which close on 10 January 2022. The government will also conduct consultation with industry stakeholders during this period. Submissions on the Discussion Paper will be considered by the government prior to issuing a final report on the Privacy Act Review.
This week marks a significant development in Australia’s privacy law reform process, which is likely to result in some changes becoming law before the next federal election.