The Privacy Act review: key OAIC recommendations and implications

Australian entities subject to the Privacy Act, especially those who undertake intensive data handling, together with small businesses not currently regulated by the Privacy Act, should be aware of impending change to Australia’s privacy regime.

Background
The Federal Government’s review (review) of the Privacy Act 1988 (Cth) (the Privacy Act) was launched in November 2019. The review is considering stakeholder views on specific issues, submissions made in response to the Issues Paper released in October 2020, and previous reports and research that consider privacy issues. These include the Australian Competition and Consumer Commission’s (ACCC’s) Digital Platforms Inquiry Final Report 2019, the Data Availability and Use Productivity Commission Inquiry Report 2017, and earlier Australian Law Reform Commission reports.

The period for submissions closed in late November 2020 and the Attorney-General’s Department has indicated that, following a forthcoming discussion paper in 2021, there will be a further opportunity for industry and other relevant stakeholders to provide specific comments. It has stated that the review report will be made public after government consideration.

This review is likely to have significant implications for Australia’s privacy regime, with the potential to affect the majority of Australian organisations and industries and bolster individuals’ rights.

Terms of Reference
The review’s Terms of Reference (TORs) address the following areas:

• the scope and application of the Privacy Act
• whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
• whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
• whether a statutory tort for serious invasions of privacy should be introduced into Australian law
• the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
• the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
• the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

Given the breadth of these TORs, and the specificity of the issues canvassed and 68 questions asked in the Issues Paper, it would be no surprise if extensive legislative amendment resulted from the review, particularly in relation to scope and application.

OAIC submission
While it is too early to predict the final form of these legislative amendments, the submissions of key stakeholders, and especially that of the Office of the Australian Information Commissioner (OAIC), offer some insights into the direction the government might take.

The OAIC’s submission broadly supports the review, noting that although the principles-based, flexible and technology neutral Privacy Act has long provided a solid framework of privacy rights protections, and supported economic growth, its context has seen enormous changes since 1988. Factors driving reform initiatives include the increasing volume of data held by business and government, the global nature of the digital economy, and the breadth of entities regulated by the Privacy Act.

The OAIC identifies four key elements needed to support effective privacy regulation over the next decade:

1. Global interoperability ― making sure our laws continue to connect around the world, so our data is protected wherever it flows
2. Enabling privacy self-management ―so individuals can exercise meaningful choice and control
3. Organisational accountability ― ensuring there are sufficient obligations built into the system
4. A contemporary approach to regulation ― having the right tools to regulate in line with community expectations.

In line with these elements, its submission is structured into 13 Parts with 70 specific recommendations.

Overview of OAIC recommendations
Key recommendations that seek to empower individuals and alter businesses’ obligations include:

• Refine the definition of ‘personal information’ (R 4-13)
• Introduce a right to erasure within an appropriate timeframe (R 23)
• Remove the current exemptions for small business, employee records and political parties, and introduce greater enforceability requirements for safeguards covering media organisations (R 27-30)
• Amend the definition of ‘consent’ to require a ‘clear affirmative act that is freely given, specific, current, unambiguous and informed’, and full or partial prohibitions on certain data handling activities eg scraping of personal information from online platforms and certain uses of AI technology to make decisions about individuals (R 34, 40)
• Amend Australian Privacy Principle (APP) 1 (Openness and transparency obligation) to include express accountability requirements for all regulated entities (R 42)
• Introduce a domestic privacy certification scheme into Australia’s privacy framework (R 45)
• Clarify and refine the Privacy Act’s approach in respect of overseas data flows including issues with the extraterritoriality of the Privacy Act (R 46-47)
• Introduce a direct right of action for individuals to seek compensation for an interference with their privacy under the Privacy Act, and a statutory tort for serious invasions of privacy (R 51, 57-61)

Two key scope and application issues

1. Refinement of the definition of ‘personal information’. This is a key consideration because the Privacy Act affords protection to information that falls within its definition of personal information, and any change to that definition will also necessitate changes to the definition of health information and sensitive information (which is also personal information). The OAIC’s Recommendation 4 — Replace the word ‘about’ with ‘relates to’ — would achieve greater clarity and certainty for regulated entities as to whose personal information is potentially at issue.

Greater clarity and certainty and better protection for individuals’ privacy under the Privacy Act could also be achieved through adoption of the OAIC’s recommendation that the term ‘anonymised’ information be preferred over ‘de-identified’ and ‘pseudonomised’, and that higher protections be afforded it, such as introducing a prohibition on APP entities taking steps to re-identify information collected in an anonymized state. Research-intensive organisations and industries may need to revise their current data handling practices if the government adopts this recommendation, though it is common for explicit clauses in information sharing agreements to prohibit attempts at re-identification.

A number of other uncertainties concerning scope and application are not wholly resolved by the OAIC’s recommendations. These include consideration of whether the definition should align with that of the General Data Protection Regulation (GDPR) to catch online identifiers and technical data such as IP addresses and cookies.

The OAIC acknowledges the regulated community’s uncertainty about the status of technical information as personal information, particularly since the Grubb case . However, it does not recommend listing specific types of technical data in the definition, arguing it would quickly be out of date. Rather, the OAIC favours provision of a non-exhaustive list, in an Explanatory Memorandum, of some of the types of technical information that ‘could’ be caught within the definition in appropriate circumstances. If adopted, this recommendation would provide some limited additional certainty for regulated entities.

In addition, some health-related entities, such as the Commonwealth Department of Health, have in their submissions highlighted highly specific challenges concerning the definition of personal information as it relates to the types of information they handle, notably in relation to ‘reasonable identifiability’ of genomic information, especially in connection with data sharing and linkage activities. As the OAIC notes, one individual’s privacy decision about use or disclosure of genetic information can have ramifications for what may be the sensitive information of multiple people or the community as a whole [1.21]. Accordingly, there would be a clear public benefit to proposals for Privacy Act amendments ensuring greater clarity in respect of this information type.

2. Removal of the current exemption for small business. The OAIC’s Recommendation 27 has the potential to vastly increase the regulatory reach of the Privacy Act beyond the mere 4.8% of Australian businesses it currently regulates. According to the OAIC:

Small businesses are now increasingly collecting, holding and handling personal information in connection with their activities and in order to deliver their services. However, as at 30 June 2019, small businesses with a turnover of $3 million or less comprised 95.2% of the 2,375,753 businesses actively trading in the Australian economy’ [para 4.11].

The OAIC also notes that conduct of small business operators, notably real estate agencies, property management businesses and professional services firms, generates hundreds of enquiries and complaints to the OAIC each year. Further, the small business exemption is an anomaly in comparable international jurisdictions and a hurdle for Australia in seeking adequacy under the EU’s General Data Protection Regulation (GDPR).

Towards a more contemporary regulator
Perhaps unsurprisingly in light of the plethora of competing priorities and interests and separate but complementary laws relating to privacy regulation and protection of the rights of individuals, a number of the OAIC’s recommendations seek to add flexibility, expand the regulator’s role or strengthen its powers. These include:

• Introduce specified amendments to the enforcement mechanisms under the Privacy Act, including:
  • empower the Commissioner to seek a warrant to preserve and secure relevant information and documents
  • enhance the Commissioner’s search and seizure powers to allow the OAIC to make copies of information and documents specified in the warrant and operate electronic materials to determine whether the kinds of information and documents specified in the warrant are accessible (R 50)
• Ensure that the Commissioner has full jurisdiction over enforcing any privacy protections included in other legislative regimes (R 67)
• Amend the Privacy Act to provide an express power for the Commissioner to share information with other bodies where necessary, including other regulators and government agencies, law enforcement and complaint handling bodies (including State or Territory or foreign bodies if they have functions to protect the privacy of individuals) (R 68).

Three ways to get ready for reform of the Privacy Act
The current provisions of the Privacy Act look set to remain in force for some time – this reform is proving a lengthy process. Meanwhile, executive officers together with General Counsel in particular should:

1. ensure that they understand the extent to which their entity’s current information handling practices meet present privacy obligations. Seek clarity where needed on any obligations under the Privacy Act or other applicable legislation, and take steps to identify and amend any processes or practices that do not meet present obligations.

2. review the 2021 discussion paper that will seek feedback on preliminary outcomes and options, and engage with it to help ensure that proposed reforms are consistent with your organisation’s needs

3. once the final form of legislative amendments is known, ensure a sufficient budget allocation to enable your entity to adapt quickly before the new provisions come into force.

Deidre Missingham has extensive experience in advising on privacy law and practice. Please call Keypoint Law on 03 8199 3300 if you require assistance in discharging your current privacy obligations or advice concerning the potential implications of reform proposals for your entity.

[1]  Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4