On 16 February 2023, the Attorney-General’s Department released its much-anticipated Final Report (Report) on the Review of the Privacy Act 1988 (Cth) (Privacy Act). The Report is the culmination of two years of consultation and review, which began following a recommendation made by the ACCC in its 2019 Digital Platforms Inquiry.
The purpose of the review was to consider “whether the Act and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy”.[1]
The proposals recommended in the Report aim to strengthen the protection of the personal information of Australians, and the control individuals have over their information. Underpinning the Report was a view that stronger privacy protections will drive digital innovation and enhance Australia’s reputation as a trusted trading partner.
Attorney-General Mark Dreyfus, citing the high-profile data breaches that affected millions of Australians in 2022, said “strong privacy laws are essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry … However, the Privacy Act has not kept pace with the changes in the digital world”.
While the Report paints a fairly clear picture of where the Privacy Act is now heading, key details are still yet to be confirmed. In particular, the Report does not include an exposure draft of legislation for the reforms, and a number of the proposals made are subject to further consultation. Despite the absence of detail, what is clear is that the proposed Privacy Act reforms will most certainly require entities to make a number of material changes to the way they collect and handle personal information, and to their related policies and procedures.
The Report’s 116 recommendations are grouped into three broad categories:
The Report recommends replacing “about” in the definition of personal information, with “relates to” (i.e. to refer to “information or an opinion that relates to an identified individual…”).
This will clarify that the definition can capture a broader range of information – including, for example, technical information and information inferred and generated from information already held. Any such inferred or generated information will be taken to have been ‘collected’ for the purposes of the Privacy Act.
Notably, this change will also bring the definition of personal information in line with the wording of the EU’s GDPR definition of “personal data”.
The Report proposes removal of the small business exemption (businesses with an annual turnover of less than AUD $3 million are generally exempt from the Privacy Act), but only after an impact analysis and consultation to understand what support and resources small business would need in order to meet new compliance obligations, proportionate to the privacy risks they generally face.
In the meantime, it is proposed that the exemption cease to apply to collection of biometric information for use in facial recognition technology, and where a small business obtains consents from individuals to trade in their personal information.
The Report stops short of recommending removal of the employee records exemption at this stage, but does propose the extension of privacy protections to private sector employees to:
Further consultation is called for between employer and employee groups regarding how these protections will be implemented in legislation, how privacy and workplace relations laws should interact, and whether privacy codes could be developed regarding the handling of the personal and sensitive information of employees.
The Report proposes introducing concepts of “APP entity controllers” and “APP entity processors” in the Privacy Act, borrowing from the concepts of “data controllers” and “data processors” in the EU’s General Data Protection Regulation (GDPR) and data privacy laws in some other jurisdictions.
A processor that processes information on behalf of a controller would be brought into the scope of the Privacy Act, but with fewer compliance obligations. These would potentially be limited to APP 1 (Open and transparent management of personal information), APP 11 (Security of personal information) and the notifiable data breaches (NDB) scheme – but importantly on the basis that processors would only be required to notify the OAIC and the controller of a data breach, but not affected individuals. Controllers would be required to notify affected individuals.
The Report proposes the introduction of an overarching “fair and reasonable” test to the collection, use and disclosure of personal information – an objective test based on the perspective of a reasonable person, which will apply regardless of consents that have been obtained.
A number of factors are to be taken into account when determining whether a particular handling is “fair and reasonable” including the nature and sensitivity of the information, and the individual’s reasonable expectations.
The Report proposes the inclusion of a definition of a consent that reflects existing OAIC guidance as set out in the APP Guidelines. That is, consent must be informed, voluntary, current, specific and unambiguous. Valid consent may still be express or implied, provided it meets these requirements.
The Report also recommends that the OAIC develops guidance for online services in developing consent requests.
The Report proposes a number of clarifications that are directed at improving the quality of privacy notices so they are clear, current and understandable (including by children where relevant), and particularly where collection, use or disclosure of personal information is for a “high privacy risk” activity.
Entities will also be required to keep records of the primary purposes for which they collect and handle personal information, and if an entity later wants to use or disclose personal information for a secondary purpose, it will be required to also make a record of that secondary purpose before or at the time the information is used or disclosed for that purpose.
The Report proposes that entities be required to identify and mitigate risks before engaging in “high privacy risk” activities – that is, activities that could significantly impact on the privacy of an individual – including mandatory privacy impact assessments.
The Report proposes expanded and new rights for individuals, modelled on rights available to individuals under the EU’s GDPR, namely rights of:
with specified exceptions applying to these rights such as competing public interests, inconsistent legal relationships (under law or a contract with the individual) and technical infeasibility.
The Report proposes prohibitions on the use of personal information – and de-identified and unidentified information relating to an individual – for targeted advertising and content to children (now proposed to be specified as under 18 years), and on the use of sensitive information for targeted advertising and content to any individual.
Individuals are also to have an unqualified right to opt-out of receiving targeted advertising and content, and any permitted targeting must still meet the “fair and reasonable” test. Entities must also be transparent (in their privacy policies and privacy notices) about their use of algorithms and profiling in order to recommend content to individuals.
The Report also proposes greater transparency about the use of personal information in “substantially” automated decisions which will have a legal or similar effect on the rights of an individual. This includes a right of individuals to seek information about how automated decisions are made using their personal information.
The Report proposes a number of changes to strengthen obligations on entities to keep personal information secure, and also to destroy or de-identify it when it is no longer needed.
In light of increased cybersecurity risks and public concern, the Report recommends that APP 11 (Security of personal information) include baseline privacy outcomes, with proposed consultation with industry on those outcomes to be informed by the Government’s Australian Cyber Security Strategy.
The Report also recommends that the Government undertake a full review of all data retention laws applicable to personal information, to determine if those laws are appropriately balanced with the privacy and cyber security risks of holding significant volumes of personal information.
The Report proposes that entities be required to determine and specify their own maximum and minimum retention periods for personal information they hold, and to specify their personal information retention periods in privacy policies.
The Report proposes a new 72-hour deadline (aligned with the EU’s GDPR) within which to report eligible data breaches to the OAIC – “as soon as practicable and not later than 72 hours” after the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. Affected individuals are to be notified “as soon as practicable”.
The 72-hour deadline is in addition to more prescriptive data breach notification requirements, including that any notification to the OAIC or an affected individual about a data breach must set out the steps the entity has taken or intends to take in response to the data breach.
Changes proposed to APP 8 (Overseas disclosures of personal information) reflect a number of concepts from the EU’s GDPR regarding overseas transfers of information, and are aimed at facilitating overseas transfers while ensuring it is properly protected. These include:
The Report observes that the enforcement of privacy obligations against entities needs to be strengthened, and that individuals currently have limited ways to take action when they are affected by a privacy breach, including for serious invasions of privacy that are not covered by the Act.
The Report includes proposals that would:
For individuals, the Report proposes new pathways to seek redress in the courts for privacy breaches, including:
The Government is seeking feedback on the Report and its recommendations in order to inform next steps and draft legislation. Submissions to the Report close on 31 March 2023.
After this next round of consultation, we can expect to see the Government’s formal response to the Report, including confirmation of which changes it will seek to enact in the form of draft legislation. The timing of this is a little uncertain, particularly given the length of time the Review process has taken to date, but a formal response and draft legislation within the next 6 to 12 months is anticipated.
Given the substantive nature of the proposed changes, coupled with the recently increased penalties for privacy breaches (AUD $50 million +) which took effect in December 2022 (see our Insight on those changes here), entities would be well-advised to begin a whole-of-business review of:
If you would like to discuss the issues raised in this Insight, or how JWS can assist your organisation, please get in touch with Helen Clarke.
The authors acknowledge the contributions of Tom Gilbert, Seasonal Clerk, to the preparation of this Insight.
[1] Attorney-General’s Department, Privacy Act Review – Report 2022, page 1.
2024 is off to brisk start in the cyber, privacy and data space – regulatory developments in cyber security and artificial intelligence (AI) continue at pace.
An increase in enforcement action by the Regulator under the Payment Times Reporting Act 2020 (Cth) (PTR Act) has been happening over the last 12 months. Companies covered as reporting entities...
Johnson Winter Slattery has advised early childcare management software provider Kangarootime on the sale of its Australian business to fellow industry participants Juice Technologies and Kidsoft...