On 16 February 2023, the Attorney-General’s Department released its much-anticipated Final Report (Report) on the Review of the Privacy Act 1988 (Cth) (Privacy Act). The Report is the culmination of two years of consultation and review, which began following a recommendation made by the ACCC in its 2019 Digital Platforms Inquiry.
The purpose of the review was to consider “whether the Act and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy”.[1]
The proposals recommended in the Report aim to strengthen the protection of the personal information of Australians, and the control individuals have over their information. Underpinning the Report was a view that stronger privacy protections will drive digital innovation and enhance Australia’s reputation as a trusted trading partner.
Attorney-General Mark Dreyfus, citing the high-profile data breaches that affected millions of Australians in 2022, said “strong privacy laws are essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry … However, the Privacy Act has not kept pace with the changes in the digital world”.
While the Report paints a fairly clear picture of where the Privacy Act is now heading, key details are still yet to be confirmed. In particular, the Report does not include an exposure draft of legislation for the reforms, and a number of the proposals made are subject to further consultation. Despite the absence of detail, what is clear is that the proposed Privacy Act reforms will most certainly require entities to make a number of material changes to the way they collect and handle personal information, and to their related policies and procedures.
Overview of the recommendations for change
The Report’s 116 recommendations are grouped into three broad categories:
- application of the Privacy Act to certain entities and kinds of information – clarifying and broadening the type of information protected under the Privacy Act;
- protections provided by the Privacy Act – enhancing those protections with a focus on transparency and empowering individuals; and
- regulation and enforcement of privacy breaches – enhancing the regulatory and enforcement options available to both the privacy regulator, the Office of the Australian Information Commissioner (OAIC), and affected individuals.
1. Application of the Privacy Act
Expanded definition of personal information
The Report recommends replacing “about” in the definition of personal information with “relates to” (i.e. so that it refers to “information or an opinion that relates to an identified individual…”).
This will clarify that the definition can capture a broader range of information – including, for example, technical information and information inferred and generated from information already held. Any such inferred or generated information will be taken to have been ‘collected’ for the purposes of the Privacy Act.
Notably, this change will also bring the definition of personal information in line with the wording of the EU’s GDPR definition of “personal data”.
Small business exemption
The Report proposes removal of the small business exemption (businesses with an annual turnover of less than AUD $3 million are generally exempt from the Privacy Act), but only after an impact analysis and consultation to understand what support and resources small business would need in order to meet new compliance obligations, proportionate to the privacy risks they generally face.
In the meantime, it is proposed that the exemption cease to apply to collection of biometric information for use in facial recognition technology, and where a small business obtains consents from individuals to trade in their personal information.
Employee records exemption
The Report stops short of recommending removal of the employee records exemption at this stage, but does propose the extension of privacy protections to private sector employees to:
- provide greater transparency regarding what employee personal and sensitive information is being collected and used for; and
- ensure employee personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required, and that employees and the OAIC are notified of data breaches involving employee personal information where there is a likely risk of serious harm.
Further consultation is called for between employer and employee groups regarding how these protections will be implemented in legislation, how privacy and workplace relations laws should interact, and whether privacy codes could be developed regarding the handling of the personal and sensitive information of employees.
‘Controllers’ and ‘processors’ of information
The Report proposes introducing concepts of “APP entity controllers” and “APP entity processors” in the Privacy Act, borrowing from the concepts of “data controllers” and “data processors” in the EU’s General Data Protection Regulation (GDPR) and data privacy laws in some other jurisdictions.
A processor that processes information on behalf of a controller would be brought into the scope of the Privacy Act, but with fewer compliance obligations. These would potentially be limited to APP 1 (Open and transparent management of personal information), APP 11 (Security of personal information) and the notifiable data breaches (NDB) scheme. Importantly, under the NDB scheme processors would only be required to notify the OAIC and the controller of a data breach, not affected individuals; controllers would remain responsible for notifying affected individuals.
2. Protections provided by the Privacy Act
“Fair and reasonable”
The Report proposes the introduction of an overarching “fair and reasonable” test to the collection, use and disclosure of personal information – an objective test based on the perspective of a reasonable person, which will apply regardless of consents that have been obtained.
A number of factors are to be taken into account when determining whether a particular handling is “fair and reasonable” including the nature and sensitivity of the information, and the individual’s reasonable expectations.
Consent
The Report proposes the inclusion of a definition of consent that reflects existing OAIC guidance as set out in the APP Guidelines. That is, consent must be informed, voluntary, current, specific and unambiguous. Valid consent may still be express or implied, provided it meets these requirements.
The Report also recommends that the OAIC develop guidance for online services on designing consent requests.
Privacy notices and record keeping
The Report proposes a number of clarifications that are directed at improving the quality of privacy notices so they are clear, current and understandable (including by children where relevant), and particularly where collection, use or disclosure of personal information is for a “high privacy risk” activity.
Entities will also be required to keep records of the primary purposes for which they collect and handle personal information. If an entity later wants to use or disclose personal information for a secondary purpose, it will also be required to record that secondary purpose before or at the time the information is used or disclosed for that purpose.
High privacy risk activities
The Report proposes that entities be required to identify and mitigate risks before engaging in “high privacy risk” activities – that is, activities that could significantly impact the privacy of an individual – including by conducting mandatory privacy impact assessments.
New rights of the individual
The Report proposes expanded and new rights for individuals, modelled on rights available to individuals under the EU’s GDPR, namely rights of:
- access to information relating to them, and to require an explanation as to how the information was collected and what it is used and disclosed for;
- objection to the collection, use and disclosure of personal information;
- erasure, exercisable by the individual in respect of any category of information an entity holds about the individual; and
- correction, and de-indexing (of online search results),
with specified exceptions applying to these rights such as competing public interests, inconsistent legal relationships (under law or a contract with the individual) and technical infeasibility.
Direct marketing, targeting and automated decision-making
The Report proposes prohibitions on the use of personal information – and de-identified and unidentified information relating to an individual – for targeted advertising and content to children (now proposed to be specified as under 18 years), and on the use of sensitive information for targeted advertising and content to any individual.
Individuals are also to have an unqualified right to opt out of receiving targeted advertising and content, and any permitted targeting must still meet the “fair and reasonable” test. Entities must also be transparent (in their privacy policies and privacy notices) about their use of algorithms and profiling to recommend content to individuals.
The Report also proposes greater transparency about the use of personal information in “substantially” automated decisions which will have a legal or similar effect on the rights of an individual. This includes a right of individuals to seek information about how automated decisions are made using their personal information.
Security and data retention
The Report proposes a number of changes to strengthen obligations on entities to keep personal information secure, and also to destroy or de-identify it when it is no longer needed.
In light of increased cybersecurity risks and public concern, the Report recommends that APP 11 (Security of personal information) include baseline privacy outcomes, with proposed consultation with industry on those outcomes to be informed by the Government’s Australian Cyber Security Strategy.
The Report also recommends that the Government undertake a full review of all data retention laws applicable to personal information, to determine if those laws are appropriately balanced with the privacy and cyber security risks of holding significant volumes of personal information.
The Report proposes that entities be required to determine and specify their own maximum and minimum retention periods for personal information they hold, and to specify their personal information retention periods in privacy policies.
Notifiable data breaches reporting within 72 hours
The Report proposes a new 72-hour deadline (aligned with the EU’s GDPR) within which to report eligible data breaches to the OAIC – “as soon as practicable and not later than 72 hours” after the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. Affected individuals are to be notified “as soon as practicable”.
The 72-hour deadline is in addition to more prescriptive data breach notification requirements, including that any notification to the OAIC or an affected individual about a data breach must set out the steps the entity has taken or intends to take in response to the data breach.
Overseas disclosures of personal information
Changes proposed to APP 8 (Overseas disclosures of personal information) reflect a number of concepts from the EU’s GDPR regarding overseas transfers of information, and are aimed at facilitating overseas transfers while ensuring the information is properly protected. These include:
- introducing a “whitelisting” mechanism to prescribe countries’ privacy laws and binding schemes as providing substantially similar protection; and
- the development of “standard contractual clauses” for use by entities to standardise the terms on which personal information can be disclosed overseas.
3. Regulation and enforcement of privacy breaches
The Report observes that the enforcement of privacy obligations against entities needs to be strengthened, and that individuals currently have limited ways to take action when they are affected by a privacy breach, including for serious invasions of privacy that are not covered by the Act.
The Report includes proposals that would:
- equip the OAIC with more options to enforce privacy breaches, including a proposed new mid-level penalty for privacy breaches that are not “serious”, and a lower-level civil penalty and infringement notice powers for breaches that are administrative in nature;
- enhance the OAIC’s ability to proactively identify and address privacy breaches, including powers to conduct public inquiries and reviews; and
- provide the courts with enhanced powers to make orders against entities that have breached their privacy obligations.
For individuals, the Report proposes new pathways to seek redress in the courts for privacy breaches, including:
- the introduction of a direct right of action to sue for breaches of the Privacy Act; and
- a new statutory tort for serious invasions of privacy that are intentional or reckless, including a right to claim damages for emotional distress.
What happens next?
The Government is seeking feedback on the Report and its recommendations in order to inform next steps and draft legislation. Submissions to the Report close on 31 March 2023.
After this next round of consultation, we can expect to see the Government’s formal response to the Report, including confirmation of which changes it will seek to enact in the form of draft legislation. The timing of this is a little uncertain, particularly given the length of time the Review process has taken to date, but a formal response and draft legislation within the next 6 to 12 months is anticipated.
Given the substantive nature of the proposed changes, coupled with the recently increased penalties for privacy breaches (AUD $50 million or more) which took effect in December 2022, entities would be well-advised to begin a whole-of-business review of:
- the personal information they collect and hold, across all areas of the business;
- existing policies, procedures and practices that apply to their collection, use, disclosure and storage of personal information; and
- their data retention and destruction regimes.
If you would like to discuss the issues raised in this Insight, or how JWS can assist your organisation, please get in touch with Helen Clarke.
The authors acknowledge the contributions of Tom Gilbert, Seasonal Clerk, to the preparation of this Insight.
[1] Attorney-General’s Department, Privacy Act Review – Report 2022, page 1.