
Changes to the Privacy Act have been flagged in the Australian Government’s response to the Privacy Act review (here), released in September 2023. Although some changes have been agreed, the majority have been kicked down the road, with more review apparently needed.
Before looking at the extensive review that’s already been conducted, we will outline what’s included in the Government’s response – what’s in, what’s out and what is still a maybe.
Of the 116 proposals for reform included in the Attorney-General’s Department report released in February 2023, the Government has agreed and committed to act on 38. Another 68 are ‘agreed in principle’, while 10 are out (noted but not going to be proceeded with). See the table at the end for more details.
The 38 ‘less controversial changes’ which will be legislated include:
The Government “agreed in principle” to 68 of the 116 proposals (the ‘more controversial proposals’) and said that it will need to conduct further consultation on these to make sure the right ‘balance’ is struck.
Some examples of what was ‘agreed in principle’ by the Government include:
Notably, the Government will not proceed with the idea of granting individuals an unqualified right to opt-out of targeted advertising. Rather than endorsing this proposal, the Government has instead simply indicated it will give further consideration on how to give individuals more control over how their information is used in online ads.
We will consider these reforms in more detail in individual posts, but at this stage we cannot help but feel a little overwhelmed. More consultation is required on 68 of the 113 recommendations? Really!
For the 68 proposals that are agreed ‘in-principle’, this agreement is actually “subject to further engagement with regulated entities and a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities”.
But what will that involve, particularly given the extensive consultation that has taken place over the last five years, and how long might it take?
Let’s take a quick walk down Australian privacy reform memory lane …
Changes to the Privacy Act were first tabled following recommendations from the Australian Competition and Consumer Commission’s 2019 Digital platforms inquiry – final report.
In October 2020, the Attorney-General’s Department published an 89-page Issues Paper and sought feedback on potential issues relevant to reform. Over 160 submissions (see submissions published here) were made in response to that Issues Paper, from academics, privacy professionals, interested individuals, universities, law societies, state privacy regulators, Telstra and Optus, media organisations, industry bodies and civil liberty groups. Privacy 108 made an 18-page submission available here.

After consideration of the responses to the 2020 Issues Paper, a 217-page Discussion Paper was released in October 2021 seeking further feedback on options for reform. Submissions on the Discussion Paper closed on 10 January 2022. Over 200 submissions (see submissions published here) were made to the Discussion Paper from many of the same individuals and organisations who’d responded to the Issues Paper. Privacy 108 made a 51-page submission available here.
The review also considered feedback obtained through roundtable discussions convened with stakeholders on specific issues.
Privacy Act Changes: Privacy Act Review Report

On 16 February 2023, the Attorney-General publicly released a 320-page Privacy Act Review Report. The Review Report included indications of where the Government was placed in terms of the issues that had been raised previously.
Further consultation was sought on this Review Report, to help inform the government’s final response. The Attorney-General also issued a survey and held further meetings to understand stakeholder views on the proposed reforms. The Government received over 400 written submissions to the Review Report (see submissions published here). Privacy 108 made a 37-page submission available here.
On 28 September 2023, the Australian Government released its response to the Review Report, taking into account the feedback gathered from submissions to the Review Report (plus the feedback received during the consultation periods for the 2020 Issues Paper and the 2021 Discussion Paper).
So, in summary, the proposed reforms have already gone through the following:
It is hard to discern the necessity for further consultation on the 68 recommendations designated as ‘agreed in principle’. Some parts of the privacy community are certainly feeling consultation fatigue from almost half a decade of deliberations and are eager to see some concrete steps taken sooner rather than later.
The Attorney-General himself showed this was possible in the speedy amendments to the Privacy Act introduced and passed following the Optus and Medibank breaches last year.
Even for those recommendations that will be acted on, we’re looking at legislation in 2024 which will probably have a delayed effectiveness date, to give everyone time to prepare.
Some might argue that the privacy protections still being considered in Australia reflect those introduced in the European Union in 2016, becoming effective in 2018, and which are already out of date and ready for a refresh. Is this really the best that Australia can do to ensure that Australians have the privacy protections that they deserve and, in many cases, think they already have?
| 38 recommendations are agreed – draft legislation to be introduced in 2024 | 68 are agreed-in-principle – subject to further and more detailed consultation with impact analyses | 10 are noted – but will not be proceeded with |
| --- | --- | --- |
| · New penalties: a new mid-tier penalty for breaches (even if they are not serious and / or repeated) and a lower-level civil penalty for administrative breaches with the power for the Office of the Australian Information Commissioner (OAIC) to directly issue infringement notices<br>· New OAIC powers to conduct public inquiries and reviews<br>· increased individual rights in respect of automated decision making<br>· a mechanism to facilitate overseas transfers of personal information to approved countries without the need for additional contractual or other measures. | · broaden the definition of personal information<br>· remove the small business exemption<br>· extend certain privacy protections to private sector employees<br>· introduce a fairness requirement for collection, use and disclosure of personal information (that can’t be avoided by getting consent)<br>· clarify and strengthen notice and consent requirements<br>· strengthen existing individual rights and introduce new rights (including a right to erasure)<br>· require entities to record their purposes for collecting, using and disclosing personal information, when or before collecting that information<br>· require privacy impact assessments to be conducted for high privacy risk activities<br>· tighten restrictions around direct marketing, targeting and trading in personal information<br>· require entities to establish minimum and maximum retention periods for personal information and specify retention periods in their privacy policies<br>· set a 72-hour timeframe to notify the OAIC of eligible data breaches<br>· A direct right of action for individuals to enforce the APPs in court, and<br>· A statutory tort of serious invasion of privacy. | · introducing an unqualified right to opt-out of targeted advertising<br>· removing the exemption for political parties and activities<br>· extending the Act’s protections to de-identified information |