Australia’s Attorney-General has today released the Privacy Act Review Report. The Report follows a two-year review of Australia’s outdated privacy laws and contains over 110 proposals which are designed to better align Australia’s laws with global standards of privacy protection and give individuals more control over their personal information. If implemented, the changes will have significant impact on existing privacy practices.
Given that the Report contains proposals which are new or have been reworked since the 2021 Discussion Paper, the Government is now undertaking further consultation.
Entities who do business in Australia are encouraged to carefully consider the impact of these proposals on their privacy practices so that practical implications can be raised and planned for before draft legislation is finalised by the Government. Feedback on the Report is due on 31 March 2023.
Key Proposals
Key proposals in the Report include:
the introduction of a controller/processor distinction;
broadening the definition of ‘personal information’, to include information ‘relating to’ an individual as opposed to just ‘about’ an individual;
eventually removing the small business exemption but only after steps have been implemented to assess the impact of this change and facilitate compliance;
in the shorter term, making the collection of biometric information for use in facial recognition technology an exception to the small business exemption and also removing the consent exception for small businesses that trade in personal information;
further consultation regarding the implementation of enhanced privacy protections for private sector employees;
changes to the political and journalism exemptions;
a requirement that any collection, use and disclosure of personal information be fair and reasonable in the circumstances;
the introduction of a statutory tort for a serious invasion of privacy;
the introduction of a direct right of action in relation to an interference with privacy;
a requirement to notify the Office of the Australian Information Commissioner of eligible data breaches within 72 hours, as opposed to 30 days;
the introduction of standard contractual clauses for use when transferring personal information overseas;
a requirement to include various additional matters in APP entities’ privacy policies and collection notices;
obligations in relation to de-identified information, for example a requirement that APP entities take reasonable steps to protect de-identified information and prohibitions on re-identification;
enhanced individual rights (though subject to exceptions), including:
a right to erasure;
broader access and correction rights;
a right to object to the collection, use or disclosure of personal information;
a right to de-index certain online search results; and
an unqualified right to opt-out of the use or disclosure of personal information for direct marketing or targeted advertising purposes;
as well as an obligation on APP entities to provide reasonable assistance to individuals in respect of such rights;
obligations to undertake privacy impact assessments for activities with high privacy risks;
a requirement to determine and record purposes for the collection, use and disclosure of personal information at the time or before it is collected;
additional protections for children and vulnerable individuals, including a requirement to have regard to the ‘best interests of a child’ when considering whether collection, disclosure or use is ‘fair and reasonable’;
a requirement to establish maximum and minimum retention periods for personal information and specify the same in an APP entity’s privacy policy; and
stronger enforcement powers for the OAIC.
Next steps
The Report signposts significant changes to Australia’s privacy laws and it is possible we will see draft legislation as early as the second half of 2023. The time to prepare for these changes is now. Entities who do business in Australia should review their current privacy practices and consider which proposals might require system or other process improvements. For example, businesses should consider whether:
they are relying on any exemptions which are the subject of reform proposals;
the way in which data is currently handled aligns with proposed changes to the definition of personal information;
current contractual arrangements and internal reporting mechanisms are set up to allow assessment and notification of eligible data breaches within 72 hours.
There is much to digest in the 320 page Report, so look out for further detailed analysis of proposals from our Australian data protection team in the coming weeks and months.
Contacts
Hamish Fraser, Julie Cheeseman, Kate Morton, James Hoy, Belyndy Rowe, Emma Croft