Proposed Privacy Act reforms: Inching closer to a fit for purpose Privacy Act?
On 16 February 2023, the Commonwealth Attorney-General released the Privacy Act Review Report 2022.
The report is the penultimate step in what has been a long and detailed review process instigated following the Australian Competition and Consumer Commission’s 2019 Digital Platforms Inquiry. The report confirms what most privacy practitioners have been aware of for some time: the Australian Privacy Act, first passed in 1988, is no longer fit for purpose in 2023.
116 recommendations are made in the report, based on 30 “key themes and proposals” from stakeholders collected during the course of the last two years.
Over the coming weeks, we’ll be reviewing the report in depth, but here’s a taster of some of the proposals that seem likely to be included in the updated legislation:
Privacy Act: Proposed reforms
Fair and reasonable test
The report proposes a new ‘fair and reasonable’ test to unwind the current legislation’s focus on notice and consent (which is recognised as placing a burdensome and unfair onus on people to, for example, plough through legal documentation that’s more complicated than that involved in buying a house just to book a carpark). We welcome a test along the lines recommended, being whether or not an entity’s handling of personal information is within individuals’ reasonable expectations and is not harmful.
The report proposes that a privacy impact assessment should be mandatory before commencing an activity which is likely to have a significant impact on the privacy of individuals, and that additional privacy protections should apply to children and vulnerable members of society. Again, we welcome a move towards privacy by design in this context, and also in the broader context of any data processing.
The definition of personal information
The Grubb case[i] considered whether telecommunications metadata was personal information to which Mr Grubb had a right to access and the Full Federal Court was not satisfied that the information was ‘about’ an individual rather than about a device or service. The report proposes a broader concept of personal information that includes technical and inferred information where it relates to a reasonably identifiable individual, and a tightening of regulation of de-identified data, in recognition of the enhanced technological ease of re-identification.
Security, destruction and notifiable data breaches
Mass-scale data breaches seem to be the news of the day lately, and we’re not convinced that the report has much to add in this context. It talks about regulated entities only collecting what is reasonably necessary and destroying personal information when it is no longer required. That’s already mandated. While the report acknowledges that, it talks about reinforcing these obligations through enhanced OAIC guidelines for entities on the reasonable steps they should take to destroy or de-identify personal information. Will that really shift the dial on cyber-security?
Likewise, the report recommends periodic review of the period of time for which regulated entities retain personal information. Again, shouldn’t we already be doing that? More useful is a proposed review of legal retention provisions outside of the Privacy Act that require certain forms of personal information to be retained and enhancements to the Notifiable Data Breach scheme (including an obligation to notify the Information Commissioner within 72 hours of becoming aware of a data breach). More on that from us will follow.
Direct marketing, targeting and data analytics
The report makes several proposals about direct marketing, targeted advertising and online content, and about entities trading in personal information. It also focuses on regulating the collection of data relating to individuals that facilitates targeting them with personalised marketing and content without necessarily identifying them (ie the ‘audience’ method of advertising content delivery). The report proposes to regulate this type of advertising content delivery as if it were processing of personal information, and also to strengthen individuals’ control over their personal information.
The small business exemption
“The community expects that if they provide their personal information to a small business they will keep it safe,” the review concludes, but it also notes that this would have a significant impact on many operators. “Further extensive consultation would need to occur with small business to determine the best way for small businesses to meet their obligations under the Act, proportionate to the privacy risks they typically face.”
So that football gets kicked around the playing field again with the recommendation to kick it around a bit further and see what happens.
And the same applies to the exemptions for political parties and journalists. Although the report recommends “at least some re-calibration of all of the exemptions to address contemporary privacy risks and meet current community expectations,” no change is recommended as yet.
GDPR style data subject rights, terminology and data export regulation
The report proposes new individual rights modelled on the GDPR data subject rights (such as rights to object, to be forgotten and request erasure, and to have search results de-indexed). Rights allowing better visibility into the use of personal information in automated decision-making systems are also proposed, as is the introduction of GDPR controller and processor nomenclature. Likewise on the table are a GDPR-style mechanism to deem other jurisdictions’ laws and binding schemes as providing substantially similar protection, and making standard contractual clauses available to regulated entities.
Regulation, enforcement and a statutory tort
There’s the usual acknowledgement of the ineffectiveness of current enforcement capability, even after the recent upping of penalties and consequences.
New penalties, industry funding of the regulator and new civil penalties are recommended, but what is really likely to press the metal to the floor is the suggestion of a direct right of action and a statutory tort for serious invasions of privacy. Now that really is likely to see a major paradigm shift!
There are many more recommendations. For example, transparency requirements for automated decisions that use personal information and have a significant effect on individuals are also proposed.
And of course one more review is needed … According to the Attorney-General, “The Government is seeking feedback on the 116 proposals in this report before deciding what further steps to take.” If you have the energy to go another round, you can submit your responses here. Responses are due by 31 March 2023.
[i] Privacy Commissioner v Telstra Corporation Ltd FCAFC 4