Privacy reforms for a digital age

Written by Ravi de Fonseka (Partner), Christine Ecob (Partner), Daniel Thompson (Partner), Ken Chan (Special Counsel), LuAnna Han (Law Graduate)

The government has delivered the next step in the ongoing Privacy Act Review by releasing the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 and Privacy Review Discussion Paper.

Key takeaways

  • The draft bill delivers parts of the proposed privacy reforms that the government considers needed in the short term, including heightened civil penalties, expanded enforcement powers for the Information Commissioner, and the framework to develop and register the Online Privacy Code. 
  • The Online Privacy Code will regulate how a broad range of online service providers, such as social media providers, data brokerage services, and large platform providers, comply with the Australian Privacy Principles, with a particular view to increasing consumer control over their data, and protection for children and other vulnerable groups.
  • The Discussion Paper sets out numerous proposals for broader reform of the Privacy Act, in many cases aligned to leading international privacy frameworks such as the GDPR and the Californian Consumer Protection Act, including an expanded scope of “personal information”, greater consumer rights to control how their information is processed, heightened consent requirements, and numerous measures to improve the transparency of data handling practices.
  • The government is inviting public submissions on the draft bill (closing 6 December 2021) and Discussion Paper (closing 10 January 2022).

Background

On 25 October 2021, the Attorney-General’s Department released the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) as well as the long awaited Privacy Act Review Discussion Paper (Discussion Paper) for broader review of the Privacy Act 1998 (Cth) (Privacy Act).

The release of the Draft Bill and Discussion Paper marks another step towards broad-ranging reforms to Australian data protection laws following:

  • the announcement in March 2019 of reforms to increase the civil penalties under the Privacy Act and introduce a binding privacy code to apply to social media platforms and other online platforms that trade in personal information;
  • the ACCC’s Digital Platforms Inquiry and Final Report in 2019 (DPI Report), which made numerous recommendations for privacy reforms to strengthen consumer privacy rights;
  • the Attorney-General’s Department release of the Privacy Review Issues Paper in October 2020 (Issues Paper); and
  • the separate, but parallel “Consumer Data Right” reforms that have been implemented under the Competition and Consumer Act 2010 (Cth), which came into effect for the banking sector in 2020 and will be rolled out to other sectors over time.

Reforms to Australian data protection laws are following global trends towards heightening consumer control over their personal information, and as a necessary consequence, a change in mindset regarding corporate “ownership” of data sets containing personal information. 

The reforms, if implemented, will require a major upheaval of privacy compliance programs across the economy, including a rethink of data flows, technology systems and contractual arrangements. Australian organisations with global operations governed by foreign regimes such as the GDPR or the California Consumer Protection Act, or that comply with (or are preparing to comply with) the Consumer Data Right, are likely to be familiar with and better placed to adapt to the proposed reforms, which propose the adoption of key aspects of those regimes such as more onerous consent requirements and individual rights to withdraw consent and to erasure.

In any event, as Australian data protection laws reach to touch the high water mark set by foreign regimes like the GDPR, data governance and strategy will be pushed closer to the top of the agenda for all organisations that process personal information.

A. Online Privacy Bill

The Draft Bill intersects with matters that form part of the broader privacy reforms, but which the government perceives as in pressing need of implementation in advance of the reforms proposed by the Discussion Paper.

The Draft Bill proposes some amendments to the Privacy Act including to:

  • give the Commissioner the power to make a third binding code, the Online Privacy Code (OP Code);
  • raise the maximum civil penalties under the Privacy Act, and introduce additional enforcement powers; and
  • broaden the extra-territorial application of the Privacy Act to clarify its application to foreign companies carrying on business in Australia, but which may not “collect or hold” personal information within Australia.   

The OP Code

The proposed OP Code will apply to specific types of online service providers (OP Organisations) that provide:

  • Social media platforms, defined as an electronic service whose primary purpose is to enable online social interaction between two or more end-users, and which allows end-users to post material on the service. The “primary purpose” qualification is intended to exclude services that use online communication as an additional feature (e.g. an online feedback function in respect of another service);
  • Data brokerage services, being services involving the collection of personal information directly or indirectly via an electronic service for the sole or primary purpose of disclosing that information (or information derived from it) as a service. Data brokerage services are intended to capture organisations whose business model is based on trading in personal information or insights collected online, such as the sale of data derived from customer loyalty or frequent flyer programs; and
  • Large online platforms, which collect “high volumes” of personal information from in excess of 2.5 million end-users in Australia. Large online platforms will capture a range of online platforms with a significant presence in Australia, such as search engines, global technology companies and media sharing platforms.

The Draft Bill proposes that the OP Code:

  • set out how OP Organisations comply with certain existing Australian Privacy Principles, such as periodic consent renewals where processing sensitive information and additional requirements for collection notices;
  • require OP Organisations to take reasonable steps to stop using and disclosing personal information at the request of the individual; and
  • introduce a framework applicable to all OP Organisations designed to heighten protection of minors and vulnerable persons, which will impose specific requirements for social media platform providers including a requirement to take reasonable steps to verify age, and stricter requirements for consent (including parental consent for under 16s) and processing of personal information of minors.

The Commissioner will have the power to investigate potential breaches of the OP Code, either in response to a complaint or on its own initiative, and will have the full range of powers under the Privacy Act to take enforcement action in respect of breaches of the OP Code.

Civil penalties and enforcement

The Draft Bill increases the maximum civil penalty for serious and/or repeated interference by a corporation with the privacy of an individual to the greater of:

  • $10 million; or
  • three times the value of the benefit obtained by the organisation from the infringing conduct; or
  • 10% of their annual domestic turnover (if the benefit cannot be determined).

The Commissioner is also granted additional enforcement powers, including by:

  • expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
  • introducing new information gathering powers to enable the Commissioner to conduct assessments in its enforcement activities;
  • granting the Commissioner powers to issue infringement notices where organisations fail to provide information requested by the Commissioner as part of an investigation; and
  • allowing the Commissioner to share information or documents with other law enforcement bodies, domestic and foreign regulators and alternative complaint bodies.

Extra-territorial reach

The Draft Bill expands the extra-territorial application of the Privacy Act by removing the requirement that a foreign organisation that carries on business in Australia “collect or hold” information within Australia prior to or at the time of an act or practice. This amendment is designed to remove uncertainty in the existing regime as to whether foreign organisations have collected or held personal information in Australia – for instance, in circumstances where the information was collected online by servers outside of Australia.

Next steps

Submissions on the Draft Bill are now open and will close on 6 December 2021. The Government will consider submissions and prepare a final draft bill to present to Parliament. If the bill receives Royal Assent, the OP Code will be developed in accordance with the existing APP code development process under the Privacy Act (with industry having the first opportunity to develop the OP Code), and registered within 12 months.

B. Privacy Act Review Discussion Paper

Following the Issues Paper, which received extensive public submissions, the Discussion Paper makes a number of proposals for privacy reform, and sets out numerous issues requiring further consideration and consultation in order for the government to develop and finalise its proposals, which will be contained in its final report.

Proposals

Key proposals made by the Discussion Paper include:

Scope of personal information

Technical information: Address uncertainty as to whether certain technical information (such as online identifiers, location data and IP addresses) constitutes personal information by amending the definition of personal information:

  • to refer to information that “relates to”, rather than is “about”, an individual; and
  • to include a non-exhaustive list of technical information that could be personal information.

Reasonably identifiable: Provide greater clarity on assessing whether an individual is reasonably identifiable (and, as a corollary, when information is anonymised and not subject to the Privacy Act) by:

  • including the words “directly or indirectly”; and
  • including a list of factors that may support an assessment of whether an individual is reasonably identifiable.

Inferred information: Provide greater clarity on whether “inferred” information (such as inferences as to a person’s preferences, habits or persuasions, put together from a range of personal and other information) constitutes personal information by amending the definition of “collection” to include information obtained from any source and by any means, including inferred or generated information.
De-identified information vs anonymous information

Anonymous information: Increase the standard required for personal information to no longer be subject to the APPs by:

  • replacing “de-identified information” with “anonymous information” to reflect the need for information to be irreversibly anonymised; and
  • amending APP 11.2 to require organisations to take all reasonable steps to destroy the information or ensure that it is anonymised.
Collection

Collection notices: Increase transparency for consumers at the time of collection regarding the intended processing of personal information by:

  • requiring APP 5 notices to be clear, current and understandable;
  • limiting the information required in APP 5 notices to the most crucial and relevant information, and moving less important information (such as whether the collection is required by law, the consequences of not collecting, and the likely offshore recipients and locations) to the privacy policy;
  • standardising APP 5 notices under an APP code, including layouts, wording and icons;
  • limiting the circumstances in which an APP 5 notice may be given after the time of collection, from circumstances where it is “not practicable” to circumstances where it is “impossible or would involve disproportionate effort”; and
  • introducing additional requirements to ensure that APP 5 notices are intelligible to children, where applicable.

Collection from third parties: Heighten the obligations on organisations receiving personal information from third parties so as to address the risk that the personal information was originally collected by unfair or unlawful means. Specifically, amend APP 3.6 to require organisations to take reasonable steps to satisfy themselves that the information was originally collected from the individual in accordance with APP 3.
Consent

Demonstrating consent: Heighten the requirements for obtaining an individual’s consent by:

  • amending the definition of consent to require that consent be voluntary, informed, current, specific and unambiguously indicated through clear action. This will remove the existing ability of organisations to rely on “implied” consent in some circumstances; and
  • standardising consents, including as to layouts, wording, icons or consent taxonomies, under an APP code.

Children: Introduce additional requirements for the collection, use and disclosure of personal information of minors, including by requiring parent or guardian consent in respect of personal information of a child under the age of 16 either:

  • prior to any collection, use or disclosure of personal information; or
  • only in situations where the Privacy Act currently requires consent (such as in respect of sensitive information).
Permitted use and disclosure of personal information

Use and disclosure: Place further limitations on the use and disclosure of personal information as currently permitted under APP 3 and APP 6 (by reference to the primary purpose of collection and related secondary purposes), so as to limit such use and disclosure to the reasonable expectations of individuals and the public at large. Specifically, by:

  • amending APP 3 and APP 6 to require collection, use and disclosure to be “fair and reasonable in the circumstances”; and
  • including legislative factors relevant to whether collection, use and disclosure is “fair and reasonable”, such as the individual’s reasonable expectations, the sensitivity and amount of personal information involved, the foreseeable risk of adverse impacts, the necessity of the organisation’s activities, transparency, the proportionality of privacy detriment to benefit and, if applicable, the best interests of the child.

Primary and secondary purpose: Restrict the use of personal information for secondary purposes by amending APP 6 to:

  • define the “primary purpose” as the purpose originally disclosed to the individual in the APP 5 collection notice;
  • define “secondary purpose” as a purpose that is directly related to, and reasonably necessary to support, the primary purpose; and
  • expressly require APP entities to determine and record, at or prior to using or disclosing personal information for a secondary purpose, each of the secondary purposes for which the information is to be used or disclosed.
Restricted practices

Restricted practices: Introduce additional safeguards to identify and mitigate privacy risks for a range of high-risk acts and practices, such as large-scale direct marketing, targeted advertising, processing of sensitive information, use of biometrics or facial recognition software, sale of personal information, automated decision making with legal or similarly significant effects, and practices that influence individual behaviour. Specifically, by either:

  • requiring organisations to take reasonable steps to conduct privacy risk assessments (similar to GDPR data protection impact assessments); or
  • implementing other controls, such as consent requirements and absolute opt-out rights.
Pro-privacy default settings

Privacy settings: Introduce new requirements for products or services that contain multiple levels of privacy settings to either:

  • default to the most restrictive privacy settings available (i.e. settings that switch off all personal information processing that is not strictly necessary for the provision of the service or use of the product); or
  • provide an obvious and clear way for individuals to set all privacy settings to the most restrictive level (e.g. a single-click mechanism).
New individual rights to object or withdraw consent to processing of personal information

Objecting or withdrawing consent: Introduce an individual right to object to, or withdraw consent to, the collection, use and disclosure of their personal information, together with an obligation on organisations to take reasonable steps to stop collecting, using or disclosing the individual’s personal information and to inform the individual of the consequences of the objection.

Right to erasure: Introduce an individual right to erasure of personal information on certain grounds, including for sensitive information or information relating to a child, where the individual has objected to the processing, or in other situations where the processing is unlawful. The Discussion Paper is seeking further feedback on exceptions to the right to erasure, such as where continued processing is required to perform a contract or under law, or for public interest reasons. Organisations will need to respond by notice to individuals as to whether they will erase the personal information or object on the grounds of an exception.
Direct marketing

Right to object: Introduce an unqualified right for individuals to object to the collection, use or disclosure of personal information for the purpose of direct marketing. Organisations will be required to cease direct marketing and notify the individual of the consequences of the objection.

Marketing communications: Require organisations to notify individuals of their right to object (as noted above) in each marketing communication.

Collection notices and privacy policy: Introduce further requirements for privacy policies and APP 5 notices in order to collect, use and disclose personal information for direct marketing, including specifically that:

  • APP 5 notices must specify direct marketing as a primary purpose when personal information is collected; and
  • privacy policies must identify whether:
    • personal information (alone or in combination with other information) is likely to be used for the purpose of influencing an individual’s behaviour or decisions, and the types of information used, generated or inferred; and
    • third parties are used for online marketing materials, and the details of those third parties and the opt-out method.

Repeal APP 7: Repeal APP 7 on the basis that the above amendments and the existing APPs will adequately address concerns regarding direct marketing.

Automated decision making

Privacy policy: Increase transparency of automated decision making by requiring organisations to include information in their privacy policy on whether personal information will be used in automated decision making that has a legal, or similarly significant, effect on people’s rights.

Data security

Technical and organisational measures: Clarify that “reasonable steps” to protect personal information under APP 11 require organisations to implement technical and organisational measures, and provide a list of factors that will indicate what reasonable steps may be required.
Cross-border transfer

Certification schemes: Increase certainty regarding the permissibility of cross-border transfers of personal information by amending APP 8.2 to include a mechanism to prescribe countries and certification schemes that offer adequate protection.

Standard contractual clauses: Develop standard contractual clauses that will allow organisations to transfer personal information overseas.

Removal of the consent exception: Remove the ability for organisations to obtain consent from individuals to transfer personal information overseas without taking reasonable steps to ensure the overseas recipient complies with the APPs.
A direct right of action

Direct right of action: Introduce a direct right for individuals to initiate action in the Federal Court for interference with privacy, with the leave of the court and following a complaint to the OAIC.

Statutory tort

Tort of invasion of privacy: Introduce a form of statutory tort of invasion of privacy. The Discussion Paper has proposed numerous options for further consideration, including a statutory tort for invasion of privacy as formulated in the 2014 ALRC report (applying to intrusion upon seclusion and misuse of private information), and a minimalist statutory tort that recognises the existence of the cause of action but leaves the scope and application of the tort to be developed by the courts.

Other issues for further consideration

The Discussion Paper considers numerous other matters for possible reform, for which further consideration is required in order to develop reform proposals, including the removal of the small business and employee records exemptions to the APPs.

Next Steps

The government is inviting public submissions on the reform proposals in the Discussion Paper; submissions close on 10 January 2022. The government will also consult with industry stakeholders during this period. Submissions on the Discussion Paper will be considered by the government prior to issuing a final report on the Privacy Act Review.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
