Privacy Act changes … still more thinking to be done?

Changes to the Privacy Act have been flagged in the Australian Government’s response to the Privacy Act review (here), released in September 2023. Although some changes have been agreed, the majority have been kicked down the road, with more review apparently needed.

Before looking at the extensive review that’s already been conducted, we will outline what’s included in the Government’s response – what’s in, what’s out and what is still a maybe.

Of the 116 proposals for reform included in the Attorney-General’s Department report released in February 2023, the Government has agreed and committed to act on 38.  Another 68 are ‘agreed in principle’, while 10 are out (noted but not going to be proceeded with).  See the table at the end for more details.

Privacy Act changes: What will be legislated

The 38 ‘less controversial changes’ which will be legislated include:

  • updating the objects of the Act
  • introducing enhanced powers for the OAIC to conduct investigations
  • introducing new civil penalty provisions for mid-tier and low-tier breaches that do not meet the ‘serious’ threshold
  • clarifying that organisations must deploy both technical and organisational measures to safeguard personal information
  • introducing enhanced transparency obligations for organisations that use personal information to make automated decisions
  • simplifying cross-border transfers via a mechanism to prescribe countries that have substantially similar privacy laws

Privacy Act changes: Agreed in principle

The Government “agreed in principle” to 68 of the 116 proposals (the ‘more controversial proposals’) and said that it will need to conduct further consultation on these to make sure the right ‘balance’ is struck.

Some examples of what was ‘agreed in principle’ by the Government include:

  • Small business: removal of the small business exemption
  • Employee records: extending privacy protections to the employment records of private sector employees
  • Controller, Processor: introducing the concept of controller & processor
  • Standard contractual clauses: introducing SCCs for overseas data transfers
  • APP 5 Collection notices: introducing an express requirement for these to be clear, up-to-date, concise and understandable
  • Privacy policies: introducing standardised templates and layouts for privacy policies

Privacy Act changes: Not agreed

Notably, the Government will not proceed with the idea of granting individuals an unqualified right to opt-out of targeted advertising. Rather than endorsing this proposal, the Government has simply indicated that it will give further consideration to how to give individuals more control over how their information is used in online ads.

Privacy Act changes: How much review is enough?

We will consider these reforms in more detail in individual posts, but at this stage we cannot help but feel a little overwhelmed. More consultation is required on 68 of the 113 recommendations? Really!

For the 68 proposals that are agreed ‘in-principle’, this agreement is actually “subject to further engagement with regulated entities and a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities”.

But what will that involve, particularly given the extensive consultation that has taken place over the last five years, and how long might it take?

Let’s take a quick walk down Australian privacy reform memory lane …

Privacy Act Changes: Issues Paper

Changes to the Privacy Act were first tabled following recommendations from the Australian Competition and Consumer Commission’s 2019 Digital platforms inquiry – final report.

In October 2020, the Attorney-General’s Department published an 89-page Issues Paper and sought feedback on potential issues relevant to reform. Over 160 submissions (see submissions published here) were made in response to that Issues Paper, from academics, privacy professionals, interested individuals, universities, law societies, state privacy regulators, Telstra and Optus, media organisations, industry bodies and civil liberty groups. Privacy 108 made an 18-page submission, available here.

Privacy Act Changes: Discussion Paper

After consideration of the responses to the 2020 Issues Paper, a 217-page Discussion Paper was released in October 2021 seeking further feedback on options for reform. Submissions on the Discussion Paper closed on 10 January 2022. Over 200 submissions (see submissions published here) were made on the Discussion Paper, from many of the same individuals and organisations who’d responded to the Issues Paper. Privacy 108 made a 51-page submission, available here.

The review also considered feedback obtained through roundtable discussions convened with stakeholders on specific issues.

Privacy Act Changes: Privacy Act Review Report

On 16 February 2023, the Attorney-General publicly released a 320-page Privacy Act Review Report.  The Review Report included indications of where the Government was placed in terms of the issues that had been raised previously.

Further consultation was sought on this Review Report, to help inform the Government’s final response. The Attorney-General also issued a survey and held further meetings to understand stakeholder views on the proposed reforms. The Government received over 400 written submissions on the Review Report (see submissions published here). Privacy 108 made a 37-page submission, available here.

Privacy Act Changes: Response to Privacy Act Review Report

On 28 September 2023, the Australian Government released its response to the Review Report, taking into account the feedback gathered from submissions to the Review Report (plus the feedback received during the consultation periods for the 2020 Issues Paper and the 2021 Discussion Paper).

So, in summary, the proposed reforms have already gone through the following:

  • Digital Platforms Inquiry in 2019
  • Consultation on the 2020 Issues Paper
  • Consultation on the 2021 Discussion Paper
  • Consultation on the 2023 Privacy Act Review Report.

It is hard to discern the necessity for further consultation on the 68 recommendations designated as ‘agreed in principle’. Some parts of the privacy community are certainly feeling consultation fatigue from almost half a decade of deliberations and are eager to see some concrete steps taken sooner rather than later.

The Attorney General himself showed this was possible in the speedy amendments to the Privacy Act introduced and passed following the Optus and Medibank breaches last year.

Even for those recommendations that will be acted on, we’re looking at legislation in 2024 which will probably have a delayed effectiveness date, to give everyone time to prepare.

Some might argue that the privacy protections still being considered in Australia reflect those introduced in the European Union in 2016, becoming effective in 2018, and which are already out of date and ready for a refresh.  Is this really the best that Australia can do to ensure that Australians have the privacy protections that they deserve and in many cases, think they already have?

Summary of recommendations

Agreed (38 recommendations) – draft legislation to be introduced in 2024:

  • new penalties: a new mid-tier penalty for breaches (even if they are not serious and/or repeated) and a lower-level civil penalty for administrative breaches, with the power for the Office of the Australian Information Commissioner (OAIC) to directly issue infringement notices
  • new OAIC powers to conduct public inquiries and reviews
  • increased individual rights in respect of automated decision making
  • a mechanism to facilitate overseas transfers of personal information to approved countries without the need for additional contractual or other measures

Agreed in principle (68 recommendations) – subject to further and more detailed consultation with impact analyses:

  • broaden the definition of personal information
  • remove the small business exemption
  • extend certain privacy protections to private sector employees
  • introduce a fairness requirement for collection, use and disclosure of personal information (that can’t be avoided by getting consent)
  • clarify and strengthen notice and consent requirements
  • strengthen existing individual rights and introduce new rights (including a right to erasure)
  • require entities to record their purposes for collecting, using and disclosing personal information, when or before collecting that information
  • require privacy impact assessments to be conducted for high privacy risk activities
  • tighten restrictions around direct marketing, targeting and trading in personal information
  • require entities to establish minimum and maximum retention periods for personal information and specify retention periods in their privacy policies
  • set a 72-hour timeframe to notify the OAIC of eligible data breaches
  • a direct right of action for individuals to enforce the APPs in court
  • a statutory tort of serious invasion of privacy

Noted (10 recommendations) – will not be proceeded with:

  • introducing an unqualified right to opt-out of targeted advertising
  • removing the exemption for political parties and activities
  • extending the Act’s protections to de-identified information