(Yet) another step toward ‘sweeping reforms’ of the Commonwealth Privacy Act

Background

On 28 September 2023 the Australian Government released its response (Response) to the Attorney-General’s Department’s Privacy Act Review Report (Report), which was published back in February 2023 as the next step toward sweeping reforms.[i] The Response takes into account stakeholder feedback to the Report’s 116 proposals.

The Response is organised around five key focus areas for discussion:

1. Bring the Privacy Act into the digital age
2. Uplift protections
3. Increase clarity and simplicity for entities and individuals
4. Improve control and transparency for individuals over their personal information
5. Strengthen enforcement.

But given the elapsed time since the Report was released, interested persons may be forgiven for turning straight to Attachment A, the List of Government responses to each individual proposal. There they will find a summary of which proposals have prospects of enactment by 2024, which have been held over but are still slated to move forward, and those few proposals not taken up by the Government at this time.

1. The Agreed proposals

The Response indicated that the Government has ‘agreed’ in full to 38 of the Report’s proposals, stating that once draft legislative provisions have been developed for these measures, it will undertake targeted consultation with entities prior to settling the provisions’ final form.

Several of these less controversial prioritised proposals that can be legislated quickly will give the Office of the Information Commissioner (OAIC) greater powers, including investigation powers.

Other prioritised proposals include:

• Updating the objects of the Privacy Act;
• Amending s 13G of the Privacy Act to clarify the considerations that may go to a finding of serious interference with privacy, notably to include ‘serious failures to take proper steps to protect personal information’;
• Creating new tiered civil penalties for breaches that don’t meet the ‘serious’ threshold for interferences with privacy (this will supplement the new penalties introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches;
• Defining a child as ‘an individual who has not reached 18 years of age’, and introducing a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’;
• Introducing an amendment to APP 11.1 and enhancing OAIC guidance regarding APP 11.2 to clarify what constitutes ‘reasonable steps’;
• Amending the Privacy Act to permit organisations to disclose personal information to state and territory authorities under an Emergency Declaration in specified circumstances;
• Requiring greater transparency in relation to automated decision making through explicit disclosure of practices in privacy policies, and giving individuals new access-to-information rights;
• Introducing a provision in the Privacy Act to facilitate sharing of information with ‘appropriate entities’ (such as banks) to reduce the risk of harm in the event of an eligible data breach ̶  one of several data breach scheme amendments agreed in principle; and
• Introducing a mechanism to prescribe the countries and certification schemes providing substantially similar protection to the APPs under APP 8.2(a). Note that there will be more consultation on the current extraterritorial reach provisions.

Nevertheless, a disappointing number of the 38 agreed proposals simply recommend further consultation or consideration. These include the proposals to consult on introducing a criminal offence for malicious re-identification of de-identified information; and to consider how enhanced risk assessment requirements for facial recognition technology and other uses of biometric information may be adopted.

Further, a number of the prioritised proposals agree to a continuation of existing provisions of the Privacy Act. These include that the existing journalism exemption should continue, subject to industry body oversight and self-regulation.

The bulk of the Attorney-General’s proposals therefore remain to be addressed over a longer time frame than many had hoped.

2. Agreed in-principle proposals

The Government agreed ‘in-principle’ with 68 of the Report’s proposals. Explaining its qualified acceptance, the Government stated:

This agreement is subject to further engagement with regulated entities and a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities. It is important that the benefits and economic costs are understood including any appropriate adjustments…

Among the high-profile reforms still subject to further consideration are:

• Introduction of a general requirement that collection, use and disclosure of personal information must be fair and reasonable in the circumstances;
• Changes to the employee records exemption and more protection for private sector employees;
• Removal of the small business exemption;
• Introduction of a statutory tort for serious invasions of privacy and a direct right of action for breach;
• Introduction of mandatory Privacy Impact Assessments for high risk activities or on request of the OAIC;
• Introduction of a requirement for consent to collection, use, disclosure and storage of precise geolocation tracking data;
• Introduction of a right of erasure and to de-index online search results concerning specified personal information; and
• Further regulation of direct marketing, targeting and trading in personal information, especially the introduction of an unqualified right for individuals to opt out of their personal information being used or disclosed for direct marketing purposes.

Clearly a key reason for delay in respect of some agreed-in-principle proposals is their intersection with other ongoing policy focus areas relating to privacy and cyber security, use of AI and digital identity. In some cases the Government spells this out, as in respect of the proposal about review of provisions for retention of personal information, where the Government’s response flags that it wants to avoid duplicating the recent independent review of the mandatory data retention regime under the Telecommunications (Interception and Access) Act 1979.

The Government also appears wary of introducing to the Privacy Act the new concepts of APP entity controllers and APP entity processors, roles and terminology familiar from the General Data Protection Regulation (GDPR) in the EU. Like the delay in removing the small business exemption, this delay indicates a recognition that entities need to time to transition to compliance in the context of new requirements being introduced.

3. Noted proposals

Ten of the Report’s proposals were simply ‘noted’. This suggests that at best the Government may agree with these proposals’ intent if not their proposed means of achievement. At worst, they will disappear from the reform agenda.

Advertisers have breathed a sigh of relief to find that the proposal to provide individuals with an unqualified right to opt-out of receiving targeted advertising is only noted, which had significant public support.[ii] The mere noting of the six recommended amendments and limitations on the scope of the political exemption in s 7C of the Privacy Act, has also disappointed many.

You can read the Government’s full response to the Privacy Act Review Report here. We will provide further updates as these reforms progress.

This article is not intended and should not be treated as legal advice.

[i] Earlier Keynotes discussed some key proposals in the Report.

[ii] Josh Faulks, CEO, Australian Association of National Advertisers, ‘Government’s privacy reforms strike a balance’, Australian, 3 October 2023.