The federal government has committed to overhauling Australia’s privacy laws. The Attorney-General has stated that the government will draft a bill to amend the Privacy Act 1988, with the stated objective of making the statute ‘fit-for-purpose’ in the digital age.
Following a two-year review of the Act, the Attorney-General accepted 38 of 116 reforms proposed in the Department’s review paper for implementation in the legislation and endorsed another 68 ‘in principle’, subject to further consultation. Proposals include allowing Australians to sue for serious breaches of privacy and a phased introduction of requirements for small to medium businesses (those with turnover under $3m) to comply with the Privacy Act.
The Attorney-General referred to wide public support for broadened privacy protections, partly due to concern about frequent, large-scale data breaches affecting consumers. According to the Office of the Australian Information Commissioner (OAIC), data security remains a serious concern for Australians, with 62 per cent of people surveyed reporting that the protection of their personal information is a major concern and 89 per cent believing people should be able to seek compensation for a breach of privacy.
At the core of the proposed changes, the Government has proposed to broaden the scope of the information relating to individuals that is regulated, including technical transactor or device codes (such as IP addresses and other device identifiers) that do not directly identify an individual and inferred information. This proposed extension is not yet fully developed. The new, wider boundaries will have a substantial impact on many business practices involving segmentation of audiences for differential treatment, and not only businesses engaged in targeted online advertising. This area will be subject to further industry consultation and is likely to be vigorously debated over the coming months.
The government has resisted pressure to substantially expand the range of circumstances in which consent must be obtained from affected individuals, focusing instead on whether entities are ‘fair and reasonable’ in their data practices and on whether they make clear and full statements about those practices in terms likely to be understood by the broad range of people who may be affected. The amended provisions are likely to give regulators additional scope to require that privacy policies and notices are easy to understand, that data practices are limited to what is necessary and proportionate for fully explained uses, and that readers can understand how their personal information may be used in any way that could affect how they are treated.
New rules are also proposed to address ‘choice architecture’ or ‘dark patterns’: behavioural ‘nudges’ through interaction design features that push affected individuals to select less protective privacy settings. There has been extensive discussion across a number of regulated jurisdictions about the need to limit such practices. Regulators are already focussing upon how choices are presented to individuals and whether user interfaces are fair and implement ‘privacy by design and default’.
The government has also noted that the enforcement resources of the Privacy Commissioner (now just the Information Commissioner acting in this role) are limited and that the creation of private rights of action would impose further discipline upon entities collecting and handling personal information. Currently, the circumstances in which affected individuals may directly sue entities for breaches of the Privacy Act are very limited, effectively leaving enforcement action the preserve of the Privacy Commissioner.
The government says it will consult further on giving individuals the power to sue if:
Other recommendations from the review that have been accepted include:
The government has flagged it will continue working on the reforms into next year, with fresh rounds of consultation to come for some of the most complex proposals, as well as likely transition periods for those affected. The Attorney-General said the government hopes to introduce legislation sometime in 2024.
ADIA members (large and small businesses) working under Australia’s only registered industry Privacy Code are well-positioned for these changes. Having operated under the Association’s Privacy Code since 2003, they have solid experience in tweaking procedures to take into account ‘best practice’ data protection expectations from regulators and the public; in supporting staff to deal with privacy issues proactively; and in briefing IT providers to remember to include ‘privacy by design’ and ‘privacy by default’ principles in data systems and user interfaces. The Code may also have helped avoid the sort of breaches, poor practice and complaints that have undermined trust in some other sectors.
ADIA remains committed to providing members with a specialised industry privacy-by-design approach and assisting employers, employees and clients with legal advice, privacy and data information training, resources and relevant support across ISO standard certification.
ADIA continues to consult with the government on the recommendations and will work hard over the coming year to ensure our Privacy Code remains relevant in line with changes and that members remain protected and well-informed.
Authors: ADIA Privacy Compliance Committee
OAIC Community Attitudes to Privacy Report