Australian privacy law is currently undergoing a period of change. In December 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (OP Act) came into effect, giving the OAIC further powers and increasing the penalties for serious data breaches. Further, in February 2023, the Commonwealth Attorney-General released the Privacy Act Review Report (the Report) proposing a range of further changes to the Privacy Act. These changes and proposals have been accelerated by a series of high-profile data breaches suffered by Australian companies in late 2022, which have increased public pressure on the Federal Government to strengthen Australian privacy law.
Attorney-General’s report
Summary
The Report sets out a wider tranche of proposed reforms which, if passed, will affect all organisations that are subject to the Privacy Act, including the following:
The introduction of a controller/processor distinction;
Broadening the definition of ‘personal information’, to include information ‘relating to’ an individual as opposed to just ‘about’ an individual;
Eventually removing the small business exemption but only after steps have been implemented to assess the impact of this change and facilitate compliance;
In the shorter term, making the collection of biometric information for use in facial recognition technology an exception to the small business exemption and also removing the consent exception for small businesses that trade in personal information;
Further consultation regarding the implementation of enhanced privacy protections for private sector employees;
Changes to the political and journalism exemptions;
A requirement that any collection, use and disclosure of personal information be fair and reasonable in the circumstances;
The introduction of a statutory tort for a serious invasion of privacy;
The introduction of a direct right of action in relation to an interference with privacy;
A requirement to notify the Office of the Australian Information Commissioner of eligible data breaches within 72 hours, as opposed to 30 days;
The introduction of standard contractual clauses for use when transferring personal information overseas;
A requirement to include various additional matters in APP entities’ privacy policies and collection notices;
Obligations in relation to de-identified information, for example a requirement that APP entities take reasonable steps to protect de-identified information and prohibitions on re-identification;
Enhanced individual rights (though subject to exceptions), including:
A right to erasure;
Broader access and correction rights;
A right to object to the collection, use or disclosure of personal information;
A right to de-index certain online search results; and
An unqualified right to opt-out of the use or disclosure of personal information for direct marketing or targeted advertising purposes;
As well as an obligation on APP entities to provide reasonable assistance to individuals in respect of such rights;
Obligations to undertake privacy impact assessments for activities with high privacy risks;
A requirement to determine and record purposes for the collection, use and disclosure of personal information at the time
How could it be relevant for you (if passed)?
If the proposals above are brought into law, it is likely that most organisations will need to review their privacy practices and documentation to ensure compliance with the Privacy Act as amended.
On 28 September 2023, the Australian Government released its response to the Report (Government’s Response). Out of the Attorney-General’s 116 proposals, 38 proposals are poised for approval, 68 have been agreed in principle, and 10 are ‘noted’.
A number of notable potential changes have emerged from the Government Response including:
The removal of the small business exemption so that businesses with a turnover of less than $3 million will fall under the scope of the Privacy Act.
The elimination of the employee record exemption (subject to further consultation).
The preservation of political party exemption.
The preservation of the journalism exemption, with the possible introduction of criteria for media privacy standards.
New requirements for social media platforms aimed at curbing dark patterns designed to prompt users to consent to privacy-intrusive practices.
Additional safeguards for children’s privacy protections through the development of a Children’s Online Privacy code.
The introduction of a statutory tort for serious privacy invasions.
Next steps
The Government intends to legislate changes in 2024 following further consultation.
*Information is accurate up to 27 November 2023