Re-defining the basics
Of the 116 proposals, there are some proposals which will be of interest to businesses operating in Australia. These include, amongst others:
-
the broadening of the scope of the Privacy Act, including proposed changes to the meaning of ‘personal information’, proposals to impose certain protections to de-identified information and the removal or modification of small business and employee records exemptions;
-
strengthened privacy protections, including the introduction of a ‘fair and reasonable test’ (irrespective of any consent obtained from individuals) and additional requirements for activities with high privacy risk (e.g. children and vulnerable people, the collection of biometric information and large-scale data processing for profiling purposes);
-
the introduction of individual rights such as the right to erasure, right to object, and right to de-indexation;
-
new rules involving overseas data transfers and cross-border flows of data; and
-
strengthened enforcement powers.
We elaborate on each of these below.
Proposed changes impacting businesses operating in Australia
Expansion to the scope of the Privacy Act
A number of proposals have been introduced to expand the scope of the Privacy Act - some of which will bring Australia’s privacy laws in closer alignment with its international counterparts (such as the GDPR) whereas other changes may result in increased regulatory burden of compliance.
These include, amongst others:
Proposed change
|
Description
|
Change to the definition of personal Information
|
-
The Privacy Act presently applies to ‘personal information’, which is currently defined as information that is ‘about’ an individual who is identifiable or reasonably identifiable. However, there is significant uncertainty regarding what types of data are ‘about’ an individual. In particular, the increasing use of technical information (such as IP addresses, device identifiers, location data and other types of metadata that may potentially identify an individual) for profiling and identification purposes has drawn concern from regulators such as the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
-
In order to address these concerns, the Report has proposed an amendment to the definition of ‘personal information’. The proposal will change the definition of ‘personal information’ to mean ‘information that relates to an individual’. This change will bring the Australian definition of ‘personal information’ in closer alignment with the definition of ‘personal data’ under the GDPR and clarifies that a broad range technical information may be captured under the Privacy Act.
- Additionally, the Report proposes to develop a non-exhaustive list of the types of data that may ‘relate to’ an individual. The proposed list includes, amongst other things, contact details, identification numbers, online identifiers, pseudonyms, location data, technical or behavioural data in relation to an individual’s activities, preferences and identity, and inferred information and profiles generated from aggregated information.
|
Removal of small business exemption & introduction of controller-processor distinction
|
-
The Report proposes to remove the small business exemption, which currently exempts the majority of businesses with an annual turnover of less than $3 million from the operation of the Privacy Act. This proposal has largely been welcomed by industry. As noted in the Report, the majority of businesses in Australia do not meet the AU$3 million annual turnover threshold, resulting in a high number of businesses managing personal information without being bound by the requirements of the Privacy Act. The removal of this exemption would bring the Privacy Act in line with its international counterparts.
-
Noting that small businesses may face significantly increased compliance costs and that some small businesses which hold data have no direct relationship with individuals, the Report proposes to introduce the concept of data ‘controllers’ and ‘processors’ to the Privacy Act, albeit in a more limited manner than in the GDPR. Broadly speaking:
-
-
It is proposed that any small business ‘processor’ will be subject to limited requirements under the Privacy Act and only required to comply with APP 1 ‘Open and transparent management of personal information’, APP 11 ‘Security of Personal Information’ and the Notifiable Data Breach Scheme (NDB Scheme) obligations.
- Both proposals are currently at a preliminary stage, and will be subject to further consultation and impact analysis prior to being introduced. In the short term, however, the Report proposes carving out the use of biometric data from the small business exemption.
|
Removal of employee records exemption
|
- The Privacy Act currently exempts certain information relating to employees from the scope of the Privacy Act. The Privacy Act Discussion Paper explored potential options for removing the exemption or limiting its scope.
- The Report concluded that enhanced privacy protections should be extended to private sector employees, although it did not provide a conclusion as to whether the exemption should be modified, removed entirely, or if enhanced privacy protections should be incorporated into workplace relations legislation instead. However, it is clear that the employee records exemption and workplace privacy laws will undergo change, subject to further consultation.
|
De-identified data requirements
|
-
Presently, de-identified information that cannot be attributed to an individual does not meet the legal definition of ‘personal information’ and is not regulated by the Privacy Act.
-
The Report proposes to extend some of the protections in the Privacy Act to de-identified information, which include (amongst others):
-
-
the requirement that APP entities take steps that are reasonable in the circumstances to protect de-deidentified information from misuse, interference and loss, and from unauthorised re-identification, access, modification or disclosure (APP 11.1);
-
-
-
|
Strengthened privacy protections and cybersecurity requirements
The Report proposes a large number of strengthened privacy protections. Key proposals include (amongst others) the following:
Proposed change
|
Description
|
Fair and reasonable test
|
- Introducing a requirement that all data collection, use and disclosure is ‘fair and reasonable’ in the circumstances. This standard must be met at all times and applies regardless of whether an individual has provided consent to a particular activity.
|
Privacy Impact Assessments for high risk activities
|
|
Protection of children and vulnerable persons
|
- Introducing additional protections for children and vulnerable persons. For children (i.e. any individual under 18 years of age), these include prohibitions on direct marketing and targeted advertising directed at children, requirements that APP entities must act with regard to the best interests of the child, and the introduction of a Children’s Online Privacy Code that aligns with the UK Age Appropriate Design Code.
|
Automated decision making
|
- Introducing requirements to set out the use of automated decision-making (ADM) in privacy policies where the use of such technology may have a legal or similarly significant effect on an individual’s rights, and a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made.
|
Retention periods
|
- Requiring APP entities to establish minimum and maximum data retention periods, which must be set out in the entity’s privacy policy
|
New individual rights
Under the current iteration of the Privacy Act, individuals’ rights are largely confined to the right to seek access and correction of their personal information. The Report proposes the introduction of several new individual rights, some of which will already be familiar to companies who operate under the GDPR.
These new rights include the:
-
right to object to the collection, use or disclosure of personal information;
-
right to request the erasure of any of their personal information (subject to some exceptions, such as where the erasure request is impossible, or where certain information is quarantined to ensure that the information is available for law enforcement purposes); and
-
right to de-index online search results containing personal information which is sensitive, about a child, excessively detailed, inaccurate, out-of-date, incomplete, irrelevant or misleading.
Further, no direct right of action presently exists under the current Privacy Act, with individuals limited to approaching the OAIC to investigate and resolve privacy complaints. The Report suggests introducing a direct right of action that will permit individuals to apply to the courts for relief in relation to interferences with their privacy. However, the OAIC will still play a key role in overseeing the exercise of this right.
The right will only be available in circumstances where:
It has also been proposed that a statutory tort for serious invasions of privacy should be introduced, in the form recommended by the Australian Law Reform Commission in Report 123. This statutory tort will cover both APP entities and non-APP entities, and would have broader application to interferences with privacy which are not covered by the Privacy Act (noting that the Privacy Act predominantly deals with information privacy, and does not address other matters, such as physical privacy).
Cross-border data flows
Global businesses may be particularly interested in the Report’s proposed reforms in relation to cross-border data flows. The proposals include:
-
introducing a mechanism to prescribe countries and certification schemes under APP 8.2. This could potentially simplify the cross-border flow of data to certain countries, reducing some regulatory burden for companies that regularly transfer personal information to overseas parties;
-
introducing standard contractual clauses for use when transferring personal information overseas, which will assist APP entities with fulfilling their obligations to take ‘reasonable steps’ to ensure that the overseas recipient complies with the APPs; and
-
requiring entities to inform individuals that privacy protections may not apply to their information if they consent to the overseas disclosure of their personal information under APP 8.2(b) (which currently allows an APP entity to transfer personal information without taking reasonable steps to ensure that the overseas recipient does not breach the APPs if they have obtained the consent of the individual to which the information relates).
Increased enforcement powers
The enforcement of the Privacy Act has become a major focus since the introduction of significantly increased penalties for ‘serious’ and ‘repeated’ interferences with privacy in late 2022 and the various major data breaches that have occurred in Australia.
Following the introduction of the new penalty provisions, the Report proposes further changes to enforcement powers. These proposals include:
Proposed change
|
Description
|
Civil penalties
|
- New mid-tier civil penalty provision to cover interferences with privacy that are not considered egregious enough to constitute a ‘serious’ interference with privacy and therefore are outside of the scope of the current penalty provision.
- New low-level civil penalty provision to cover specific administrative breaches of the Privacy Act, which also allow the OAIC to issue infringement notices with fixed penalties.
- Amend the current penalty provision in section 13G of the Privacy Act to remove the word ‘repeated’ and clarify that the provision covers ‘serious’ interferences with privacy. ‘Serious’ interferences with privacy may include:
-
-
- interferences that involve sensitive information, affect vulnerable people or large groups of people; and/or
-
- inferences involving wilful misconduct and involve serious failures to take proper steps to protect personal data).
|
Expanded regulatory powers
|
- New regulatory powers for the OAIC, including powers to conduct public inquiries and undertake investigations in relation to civil penalty provisions.
|
Changes to the NDB Scheme
|
-
Amending the reporting requirements in the NDB Scheme to specify that entities must notify the OAIC of eligible data breaches within 72 hours of becoming aware. This brings the Privacy Act in line with similar requirements under the GDPR, as well as related legislation such as the Security of Critical Infrastructure Act 2018 (Cth) and the My Health Records Act 2012 (Cth).
-
It was recently announced that the Australian Federal Government will allocate resources to restructure the OAIC – the OAIC will move to a three commissioner format, including a commissioner dedicated to handling data breach matters.
|
How do these proposed changes impact your business?
Although many of the 116 proposals have not been finalised, it is clear that extensive reforms are on the way and will change way businesses approach global privacy assessments.
The potential impact on businesses operating in Australia include, amongst others:
Impact
|
Description
|
Potential increased burden of compliance
|
- The expanded scope of the Privacy Act and strengthened privacy protections may result in increased regulatory burden and compliance cost for most organisations.
- In the short term, the most significant impact will most likely be felt by entities who are not currently covered by the Privacy Act (such as small businesses). At this stage, it is unclear how the removal of the small business exemption will be implemented and what supports will be available to aid businesses in the transition. However, businesses should consider evaluating their privacy practices to ensure that they are best-placed to comply with the Privacy Act if the exemption is removed.
|
Change to global privacy assessment
|
- The expanded definition of personal information, as well as the introduction of new requirements for de-identified data, will bring a broader range of practices into the scope of the Privacy Act.
- There may be certain projects or business functions in Australia that currently operate outside of the Privacy Act due to its de-identified/anonymised nature which will likely require the introduction of controls to ensure compliance of this information against the Privacy Act and APPs.
|
Cross-border transfer of information
|
- Global businesses that often navigate cross-border transfer of data may be particularly interested in the changes regarding the transfer of data to overseas recipients. In particular, the introduction of a mechanism to prescribe or ‘whitelist’ countries and certifications for the purposes of APP 8.2 may significantly reduce the burden on businesses when determining whether a cross-border disclosure is permissible under the Act. Similarly, the introduction of standard contractual clauses (similar to the GDPR) provides useful guidance and clarity for businesses seeking to ensure that they fulfil the requirement to undertake ‘reasonable steps’ in relation to the disclosure of personal information to overseas recipients.
- There is also potential for the proposed reforms to open a pathway to Australia receiving an adequacy finding from the European Commission under the GDPR, which could facilitate a more streamlined process for navigating cross-border transfers of data to and from the EU. In particular, the proposals to removal or modify of the small business and employee records exemptions, which have been perceived major as roadblocks to Australia receiving an adequacy finding from the European Commission under the GDPR. While these proposals are subject to further consultation, and adequacy decision was not a main focus of the Privacy Act Review, the Report bookmarked the potential for an adequacy decision following the implementation of the proposed reforms.
|
Increased focus on enforcement
|
- There is a growing shift towards stricter enforcement of breaches of the Privacy Act.
- As mentioned above, increased penalties for interferences with privacy have recently been introduced and the Report proposes further penalty provisions and enforcement powers.
- Further and separately to the Privacy Act Review, the Commonwealth Attorney-General announced on 2 May 2023 that the OAIC will be expanding and moving from having a single Information Commissioner towards a ‘three Commissioner structure’ in a move that was described as necessary to deal with ‘the growing threats to data security and the increasing volume and complexity of privacy issues’. The new structure will involve splitting the current Information Commissioner role into three distinct roles: the overarching Information Commissioner, a Privacy Commissioner, and a Freedom of Information Commissioner.
- The appointment of a dedicated Privacy Commissioner is in line with the recent trend towards increased regulation and enforcement of privacy laws and signals the current Government’s intention to allocate greater resources to privacy regulation.
|
What is on the horizon?
Consultation on the Report closed on 31 March 2023. A number of the reforms have been bookmarked for further consultation – including the potential removal of the small business and employee records exemptions. Interested parties should keep a close eye on announcements regarding these topics.
While many of the reforms are yet to be finalised, the Attorney General has previously hinted that some privacy reforms may be fast-tracked in light of significant developments last year (such as the urgent privacy reforms enacted in response to major data breaches). Businesses should anticipate draft legislation will be introduced in the near future.
At this stage, global businesses should undertake an assessment to determine whether they are well-positioned to remain compliant in the face of the upcoming reforms. These upcoming reforms should be factored in when planning for long-term projects in Australia.
Please contact us if you have any questions in relation to your organisation’s privacy obligations in Australia.
Authored by Mandi Jacobson, Angell Zhang, and Bonnie Liu.