Privacy 108 Responds to Privacy Act Issues Paper

In November 2020, the Australian Federal Government commenced its latest review of the Privacy Act 1988 (Cth). Led by the ACCC and the Attorney-General’s office, the review aims to bring Australia’s privacy laws into the digital era, strengthen privacy protections for individuals and streamline compliance for businesses working across international borders.

Coming out of recommendations from the ACCC’s Digital Platforms Inquiry, the Issues Papers raised a number of key questions for consideration covering issues such as:

  • Should the definition of personal data be updated;
  • What should be required to demonstrate consent;
  • Should the current exemptions to the operation of the Act continue to apply;
  • Should the regulator have more powers;
  • Do the current provisions in regards to cross- border disclosures appropriate appropriately; and
  • How has the mandatory data breach notification system worked.

Privacy 108’s submission

Privacy 108 submitted its response to the Issues Paper in November 2020. The main points in our submission included:

  • Consumer protection should be supplementary to, and not a replacement of, the human rights protection approach the Privacy Act is built on;
  • The definition of personal information should be more closely aligned to that in the GDPR and recognise the idea of ‘individuation’ as a test of reasonable identification;
  • There would be significant benefit to the regulated community if a single privacy framework could be developed to apply to all Australian entities, including Federal and State government agencies;
  • We support the removal of exemptions for small business, political parties and employee records held by private entities. We also support the narrowing of the exemption for journalistic activities.  These may some of the be areas for development of Codes of Practice to provide guidance on the application of the privacy principles.
  • We do not support any increased use of notice and consent as mechanisms to support unethical or unfair use of personal data, though we do support clearer and more transparent notice and a higher threshold for ‘consent’, including maintaining its currency.
  • Privacy 108 supports a general right to be forgotten subject to certain exceptions. The inclusion of such an explicit right is consistent with similar provisions in the CDR scheme and the My Health Records Act.
  • We believe that many of the issues raised by the review could be resolved by a better funded and more active OAIC or other regulator. For example, questions about transparency could be resolved by a more active campaign by the OAIC, perhaps working with multiple agencies, to reduce issues with the length, complexity, form and timeliness of current notices.
  • Consideration of an alternative method for resolution of complaints, perhaps leveraging State based Fair Trade or Administrative Tribunals already established and resourced to support resolution of these types of claims, might free up OAIC resources to focus on greater engagement with the regulated community.
  • Privacy 108 also supports consideration of individuals having a direct right of action under the Act.   This could be by way of a combination of alternative dispute resolution mechanisms and a right to sue.  The right to sue should also contemplate class actions.  Again, the individual right to sue  (whether as part of the Act or a separate tort) would relieve some of the current complaint resolution burden on the OAIC.

Next Steps

Following this Issues Paper, next steps include a second issues paper to be released in early 2021. This second paper will seek more specific feedback building on the preliminary outcomes from the first Issues Paper, and possibly including suggested options for reform.  The final outcome is likely to involve significant reform to the Privacy Act, such as stricter requirements for notice and consent, an updated definition of ‘personal information’ (hopefully more aligned to that in the GDPR), and enhancement of the OAIC’s enforcement powers and further rights for individuals.

As with other second generation, privacy laws this will represent a shift from a purely principles-based regime to more prescriptive measures for certain key protections.

It would also be good to see the government commit to a better funded and resourced regulator to support implementation of and compliance with the more prescriptive regime.  This outcome seems less likely.

A full copy of Privacy 108’s submission is available here: Privacy108 Response to Privacy Act Review Issues Paper Covering Letter January 2021


Want to receive updates like this in your inbox? Subscribe

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.