“Think of the children!”: An overview of the proposed additional privacy protections for children in Australia

Written By

julie cheeseman Module
Julie Cheeseman

Partner
Australia

I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.

james hoy Module
James Hoy

Special Counsel
Australia

I am a Special Counsel in our Sydney office and I specialise in media and technology disputes and advice with a particular focus on privacy and data protection matters.

evelyn park Module
Evelyn Park

Associate
Australia

I am an associate in our Dispute Resolution Group in Sydney

The Australian Government’s response (Response) to the Privacy Act Review Report (Report), released on 28 September 2023, affirmed its commitment to uplifting Australia’s privacy standards to align with global standards more closely.

This included agreeing, or agreeing in-principle, to a range of proposals aimed at introducing additional privacy protections for children and it is those proposals which will be the focus of this article. We expect to see at least some reforms progressed during the current term of parliament, with the Government recently reiterating an earlier commitment to this effect in a Senate Estimates hearing.

If you would like a more comprehensive overview of the key outcomes of the Response, please refer to our previous article published here.

Current position in relation to children

The Privacy Act 1988 (Cth) (Privacy Act) protects individual privacy regardless of age and does not specify an age after which an individual can make their own privacy decisions.

Guidance from the Office of the Australian Information Commissioner (OAIC), in relation to the issue of children’s privacy, is limited to the following:

  • an entity handling the personal information of an individual under the age of 18 must decide if the individual has the capacity to consent on a case-by-case basis;
  • as a general rule, an individual under the age of 18 has the capacity to consent if they have the maturity to understand what is being proposed (if they lack maturity it may be appropriate for a parent or guardian to consent on their behalf); and
  • if it is not practical for an entity to assess the capacity of individuals on a case-by-case basis, as a general rule, an entity may assume an individual over the age of 15 has capacity, unless they’re unsure.

As a result, in our experience, children’s privacy is a sleeper issue for many organisations and agencies in Australia.

Proposals agreed to by the Australian Government

Recognising that children are particularly vulnerable to online harms, and responding to community concerns in relation to children’s privacy, the Australian Government has agreed that:

  • a child should be defined in the Act as an individual who has not yet reached 18 years of age (Proposal 16.1); and
  • a Children’s Online Privacy Code (Australian Code) should be introduced (Proposal 16.5).

In terms of sequencing, the Australian Government has indicated that it will first focus on enacting new legislative protections for children and will then develop the Australian Code.

Proposal 16.5, as agreed by the Australian Government, indicates that:

  • the Australian Code will apply to online services that are likely to be accessed by children;
  • to the extent possible, the scope of the Australian Code will align with the UK Age Appropriate Design Code, including its exemptions for certain entities including preventative or counselling services;
  • the developer of the Australian Code will be required to consult broadly with children, parents, child development experts, child welfare advocates, industry and the eSafety Commissioner (the Government has separately indicated it will also engage with the Office of the Australian Information Commissioner on the Australian Code); and
  • the substantive requirements of the Australian Code may address how the best interests of child users should be supported in the design of an online service.

The UK Age Appropriate Design Code (UK Code) referred to similarly applies to “information society services likely to be accessed by children” and contains 15 standards that online services need to follow to ensure that they are complying with their obligations under UK data protection law with respect to children’s personal data.

The UK Code applies to a range of online services including apps, programs, search engines, social media platforms, online messaging or internet voice telephony services, online marketplaces, content streaming services, online games, news or educational websites, connected toys and devices and any websites offering goods or services to users over the internet.

If you would like more information about the UK Code, please refer to our previous articles published here and here.

Proposal 16.3, which is agreed in-principle by the Australian Government, also indicates that the Australian Code will provide guidance on the format, timing and readability of collection notices and privacy policies addressed specifically to children.

Other proposals agreed in-principle

The Australian Government has also agreed in-principle to a suite of other proposed additional privacy protections for children, including proposals to:

  • amend the Privacy Act to codify the principle that valid consent must be given with capacity (Proposal 16.2);
  • amend the Privacy Act to require that collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to children (Proposal 16.3);
  • require entities to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances (Proposal 16.4);
  • introduce a right to de-index online search results containing personal information about a child (Proposal 18.5);
  • prohibit direct marketing to a child unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the best interests of the child (Proposal 20.5);
  • prohibit targeting to a child unless the targeting is in the best interests of the child (Proposal 20.6); and
  • prohibit trading in the personal information of children (Proposal 20.7).

Conclusion

In light of the above, organisations and agencies in Australia, and overseas entities carrying on business in Australia, are encouraged to:

  • review their existing practices, procedures and systems in relation to children to ensure that they comply with OAIC guidance; and
  • consider beginning to uplift their practices, procedures and systems in relation to children to meet the higher standards foreshadowed by the Report and Response.

Having regard to consumer sentiment, in addition to meeting the higher regulatory standards which have been foreshadowed, taking steps now to provide additional privacy protections for children may also provide some entities with a competitive advantage.

Latest insights

More Insights
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line green background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More
Curiosity line teal background

The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

7 minutes Dec 10 2024

Read More