Oct 12 2023

The federal government has committed to overhauling Australia’s privacy laws. The Attorney-General has stated that the government will draft a bill to amend the Privacy Act 1988, with the stated objective of making the statute ‘fit-for-purpose’ in the digital age.

Following a two-year review of the Act, the Attorney-General accepted 38 of 116 reforms proposed in the Department’s review paper for implementation in the legislation and endorsed another 68 ‘in principle’, subject to further consultation. Proposals include allowing Australians to sue for serious breaches of privacy and a phased introduction of requirements for small to medium businesses (those with turnover under $3m) to comply with the Privacy Act.

The Attorney-General referred to wide public support for broadened privacy protections, partly due to concern about frequent, large-scale data breaches affecting consumers. According to the Office of the Australian Information Commissioner (OAIC), data security remains a serious concern for Australians, with 62 per cent of people surveyed[1] reporting that the protection of their personal information is a major concern and 89 per cent believing people should be able to seek compensation for a breach of privacy.

Fundamental changes

At the core of the proposed changes, the Government has proposed to broaden the scope of the information relating to individuals that is regulated, so that it also covers inferred information and technical transactor or device codes (such as IP addresses and other device identifiers) that do not directly identify an individual. This proposed extension is not yet fully developed. The new, wider boundaries will have a substantial impact on many business practices that involve segmenting audiences for differential treatment, and not only on businesses engaged in targeted online advertising. This area will be subject to further industry consultation and is likely to be vigorously debated over the coming months.

The government has resisted pressure to substantially expand the range of circumstances in which consent must be obtained from affected individuals. Instead, it has focused attention on whether entities are ‘fair and reasonable’ in their data practices, and on whether they make clear and full statements about those practices in terms likely to be understood by the broad range of people who may be affected. The amended provisions will likely give regulators additional scope to require that privacy policies and notices are easy to understand, that data practices are limited to what is necessary and proportionate for fully explained uses, and that readers can understand how their personal information may be used in any way that could affect how they are treated.

New rules are also proposed to address ‘choice architecture’ or ‘dark patterns’: behavioural ‘nudges’ through interaction design features that push affected individuals to select less protective privacy settings. There has been extensive discussion across a number of regulated jurisdictions about the need to limit such practices. Regulators are already focussing upon how choices are presented to individuals and whether user interfaces are fair and implement ‘privacy by design and default’.

The government has also noted that the enforcement resources of the Privacy Commissioner (now just the Information Commissioner acting in this role) are limited and that the creation of private rights of action would impose further discipline upon entities collecting and handling personal information. Currently, the circumstances in which affected individuals may directly sue entities for breaches of the Privacy Act are very limited, effectively leaving enforcement action the preserve of the Privacy Commissioner.

The government says it will consult further on giving individuals the power to sue if:

  • there is a serious invasion of privacy,
  • the person had a reasonable expectation of privacy,
  • the invasion was committed intentionally or recklessly, and
  • the public interest in privacy outweighs any countervailing public interest.

Other recommendations from the review that have been accepted include:

  • Introducing greater protections for children – additional protections have been agreed to, subject to consultation, including prohibiting any direct marketing to people under 18 unless the personal information used was collected directly from the child and the marketing is ‘in the child’s best interests’.
  • The government agrees in principle that organisations will be required to report data breaches within 72 hours rather than the current much longer period.
  • The government agrees in principle that people should have an ‘unqualified’ right to opt out of their personal information being used for direct marketing.
  • The ‘right to be forgotten’ – there is tentative agreement that individuals should have the right to require an entity to delete or de-identify their personal information.
  • An end to the exemption for small to medium businesses (group aggregate revenue less than AU$3 million per year). The government has agreed, subject to further consultation, that these businesses should now come under the Act, a reform that the opposition warns could impose costly obligations on these businesses.

The government has flagged it will continue working on the reforms into next year, with fresh rounds of consultation to come for some of the most complex proposals, as well as likely transition periods for those affected. The Attorney-General said the government hopes to introduce legislation sometime in 2024.

ADIA members (large and small businesses) working under Australia’s only registered industry Privacy Code are well-positioned for these changes. Having operated under the Association’s Privacy Code since 2003, they have solid experience in tweaking procedures to take into account ‘best practice’ data protection expectations from regulators and the public; in supporting staff to deal with privacy issues proactively; and in briefing IT providers to remember to include ‘privacy by design’ and ‘privacy by default’ principles in data systems and user interfaces. The Code may also have helped avoid the sort of breaches, poor practice and complaints that have undermined trust in some other sectors.

ADIA remains committed to providing members with a specialised industry privacy-by-design approach and assisting employers, employees and clients with legal advice, privacy and data information training, resources and relevant support across ISO standard certification.

ADIA continues to consult with the government on the recommendations and will work hard over the coming year to ensure our Privacy Code remains relevant in line with changes and that members remain protected and well-informed.

Authors: ADIA Privacy Compliance Committee

[1] OAIC Community Attitudes to Privacy Report

Sources: TND Starter – Your morning news