Privacy has become a major concern for individuals and businesses alike in the digital age. With the increasing amount of personal information being collected, used, and disclosed by businesses, there has been a growing demand for stronger privacy protections. In response, the Australian Government has recently released a report titled “Review of the Privacy Act 1988” which contains recommendations for changes to the current privacy laws in Australia. In this article, we will discuss the proposed changes and the implications for businesses operating in Australia.
Background:
On 24th February 2023, the Attorney-General’s Department of Australia released a report on the Review of the Privacy Act 1988, which outlines the proposed changes to the Australian Privacy Laws. The report was a culmination of an extensive consultation process that began in 2020 and has been welcomed by many as a positive step towards greater privacy protections. The proposed changes would significantly increase the privacy obligations of businesses, with substantial fines for non-compliance. In this article, we will discuss the changes proposed in the report and what businesses need to be aware of if this new law comes into effect.
The current Australian Privacy Act was introduced in 1988 and has been amended several times. However, many have argued that it is no longer fit for purpose, given the rapid pace of technological change and the increasing amount of personal information that is now collected, used, and shared online. The report's key findings have highlighted the need for significant changes to the Privacy Act to ensure that it remains relevant and effective in the digital age.
The new Government has already significantly increased penalties and strengthened the enforcement powers of the Office of the Australian Information Commissioner (OAIC) in the December 2022 amendments to the Privacy Act. These amendments were framed as an initial response to several high-profile ransomware attacks that took place last year, such as the Optus data breach. The next round of reforms is set to go much further.
While the latest Report highlights the areas for reform, it is still relatively light on specific detail and does not include draft language for legislative changes. The Attorney General’s Department has kicked-off another round of industry consultation which is expected to culminate in the release of an Exposure Draft and new legislation before the Parliament in the next 12 month.
What Business Need to Know:
If these proposed changes are implemented, businesses would need to take significant steps to ensure that they comply with the new privacy laws. Here are some of the key things that businesses should be aware of:
Mandatory Reporting of Serious Data Breaches:
One of the key proposals is the introduction of mandatory reporting requirements for serious data breaches. Currently, businesses are only required to notify the Office of the Australian Information Commissioner (OAIC) of data breaches that are likely to result in serious harm. However, the new laws would require businesses to report all serious data breaches, regardless of the potential harm. This would mean that businesses would need to have robust systems in place to detect and respond to data breaches quickly.
Strengthening Consent Requirements:
The report has also proposed strengthening consent requirements for the collection and use of personal information. This would mean that businesses would need to obtain explicit, informed, and freely given consent from individuals before collecting or using their personal information. The report suggests that businesses should use plain language and ensure that individuals understand what they are consenting to.
Consent requirements:
The Report recommends that the OAIC develop guidance on how online services should design consent requests. This guidance (which could be codified in future) would outline specific layouts, wording or icons which could be used when obtaining consent, and could set out how the elements of valid consent should be interpreted in an online context.
The Report also specifies additional circumstances in which a business may need to obtain an individual’s consent, including where the business is trading the individual’s personal information for some benefit.
What are the consent requirements under the current Privacy Act in terms of using information for direct marketing purposes?
Under the current Privacy Act, businesses are required to obtain an individual's express or implied consent before using their personal information for direct marketing purposes. Express consent means that the individual has actively agreed to receive direct marketing communications, whereas implied consent can be inferred from the individual's actions or circumstances. Businesses must also provide individuals with a simple way to opt-out of receiving direct marketing communications in the future. If an individual opts out, businesses must cease sending direct marketing communications to them. It is important for businesses to ensure that they comply with these consent requirements in order to avoid breaching the Privacy Act.
What about the consent requirements for opening an online account where credit card information will be stored and potentially marketing communications will be given?
When it comes to opening an online account where credit card information will be stored and potentially marketing communications will be given, businesses must obtain the individual's express consent to collect, use and disclose their personal and credit card information. This means that the individual must actively agree to the terms and conditions, including the use of their personal and credit card information for the purposes for which they will be used. The terms and conditions must be clear, concise and easily accessible to the individual. The business must also provide the individual with the option to opt-out of receiving marketing communications. It is important for businesses to ensure that they comply with these consent requirements in order to avoid breaching the Privacy Act and to protect the personal information of their customers.
Does the report mention anything about unsubscribing?
the report discusses the issue of unsubscribing or opting-out of direct marketing communications. Under the proposed reforms, businesses will be required to ensure that the opt-out process is easy and accessible for individuals. This means that businesses will need to provide clear and simple instructions on how to opt-out, and individuals should be able to opt-out using the same method that they used to subscribe to the marketing communications (e.g. by email, text message, etc.).
The report also suggests that businesses should consider implementing a "universal unsubscribe" mechanism, which would allow individuals to unsubscribe from all marketing communications from a particular business or group of businesses with a single action. This would make it easier for individuals to manage their preferences and avoid receiving unwanted marketing communications.
Overall, the proposed reforms aim to strengthen the rights of individuals when it comes to direct marketing communications, and businesses will need to ensure that they comply with these new requirements in order to avoid breaching the Privacy Act.
Does the report mention anything about how to get proper consents if businesses don’t have them already?
the report provides guidance on how businesses can obtain proper consents if they do not currently have them. The proposed reforms emphasize the importance of obtaining express consent from individuals, which means that the individual must actively agree to the use of their personal information for a specific purpose. Implied consent, which can be inferred from an individual's actions or circumstances, may not be sufficient under the proposed reforms.
To obtain express consent, businesses should provide clear and concise information about the purposes for which the personal information will be used, who it will be shared with, and how it will be stored and protected. This information should be easily accessible and understandable, and businesses should ensure that individuals are aware of their right to withdraw consent at any time.
The report also suggests that businesses should consider using a "double opt-in" process for obtaining consent, where individuals are required to confirm their consent through a second action, such as clicking a link in an email. This can help to ensure that individuals have a clear understanding of what they are consenting to and can reduce the risk of inadvertent or fraudulent consents.
Overall, the proposed reforms aim to ensure that businesses obtain proper consents from individuals in a transparent and accountable manner, and businesses will need to ensure that they comply with these new requirements in order to avoid breaching the Privacy Act.
Does the report mention anything about verbal sign ups?
Yes, the report addresses the issue of obtaining consent through verbal sign-ups. Verbal consent can be a valid form of express consent under the Privacy Act, but businesses will need to ensure that they have a clear and auditable record of the consent.
The report suggests that businesses should provide individuals with a clear explanation of the purposes for which their personal information will be used, and should obtain their consent on a recorded line or in writing. This can help to ensure that there is a clear and auditable record of the consent, which can be referred to if there is any dispute in the future.
Businesses should also ensure that individuals are aware of their right to withdraw their consent at any time, and should provide them with a simple and accessible way to do so. This could include providing individuals with a telephone number or email address where they can request to have their information deleted, or by including an "unsubscribe" link in marketing communications.
Overall, the proposed reforms aim to ensure that businesses obtain valid and auditable consents from individuals, regardless of the method used to obtain the consent. Businesses will need to ensure that they have appropriate processes and systems in place to manage consent and to respond to requests for withdrawal of consent.
Increased Penalties for Non-Compliance:
The report proposes a significant increase in penalties for non-compliance with privacy laws. Currently, fines can be up to $2.1 million for companies, but the report recommends that this be increased to the greater of $10 million or 10% of a company's annual turnover. This would provide a strong incentive for businesses to take their privacy obligations seriously.
Introduction of Privacy by Design:
The report has also proposed the introduction of privacy by design principles into the Privacy Act. This would require businesses to consider privacy risks at every stage of the development of new products or services. It would also require businesses to take a proactive approach to privacy, rather than waiting until an issue arises.
the report discusses the concept of "Privacy by Design" and provides guidance on how businesses can implement this approach in practice.
Privacy by Design is a framework for building privacy protections into the design and operation of products and services from the outset, rather than as an afterthought. The goal of Privacy by Design is to ensure that privacy is considered at every stage of the product or service lifecycle, from the initial design and development through to implementation and ongoing operations.
The report suggests that businesses can implement Privacy by Design by following a number of key principles, including:
Proactive rather than reactive: Privacy considerations should be integrated into the design of products and services from the outset, rather than being added as an afterthought.
Privacy as the default: Privacy settings should be set to the highest level by default, and individuals should be given the option to opt-in to less privacy-protective settings.
Privacy embedded into design: Privacy should be embedded into the design and architecture of products and services, rather than being bolted on as an afterthought.
Full functionality – positive-sum, not zero-sum: Privacy and functionality should be viewed as complementary, rather than competing goals.
End-to-end security: Products and services should be designed to provide end-to-end security, from the user interface to the back-end systems.
By following these principles, businesses can help to ensure that privacy is built into the design and operation of their products and services. This can help to reduce the risk of privacy breaches and enhance the trust and confidence of customers.
Overall, the proposed reforms encourage businesses to adopt a Privacy by Design approach and to consider privacy considerations at every stage of the product or service lifecycle. Businesses will need to ensure that they have appropriate processes and systems in place to implement these principles in practice.
Streamlining Cross-Border Data Flows:
The report proposes streamlining cross-border data flows by introducing a new framework for data transfers between Australia and other countries. This would make it easier for businesses to comply with both Australian and overseas privacy laws.
Overseas data flows
The Report recommends broad updates to the overseas disclosure provisions in Australian Privacy Principle (APP) 8 which would see it adopt several concepts from the General Data Protection Regulation (GDPR) overseas transfer regime. If passed, APP entities (i.e. businesses covered by the Act) would be permitted to disclose personal information to an overseas recipient if:
the overseas recipient is located in a ‘whitelisted’ jurisdiction (which we expect would likely include, at a minimum, all countries which are subject to an adequacy decision under the GDPR) or is subject to a prescribed certification scheme;
the APP entity entered into standard contractual clauses with the overseas recipient; and
the individual gives their informed consent to the disclosure, having been informed that privacy protections will not apply to their information if disclosed (which is already a requirement according to the APP Guidelines).
The availability of whitelisted jurisdictions and standard contractual clauses is likely to make it significantly easier for organisations to streamline compliance with APP 8 when dealing with overseas entities.
Data Breach Notification Requirements:
Businesses would need to have robust systems in place to detect and respond to data breaches quickly. This would include implementing security measures to protect personal information, such as encryption and access controls. Businesses would also need to develop clear policies and procedures for reporting data breaches to the OAIC and affected individuals.
Increased Penalties:
New Privacy Rights for Individuals
Another key theme of the report is the introduction of new privacy rights for individuals. These new rights include:
- The right to request the deletion of personal information held by a business
- The right to request the transfer of personal information to another business
- The right to object to the handling of personal information in certain circumstances
- The right to request information about the automated decision-making processes used by businesses, and to challenge the results of such processes.
These new rights are designed to give individuals greater control over their personal information and to ensure that businesses are held accountable for their handling of that information.
Right of erasure
A right to erasure is being touted as the most significant of these new individual powers.
The Report has made a number of more granular recommendations about how this right would work. This includes a 30 day window for businesses to comply with the request to delete all of the personal information that relates to the relevant individual and inform any third parties to whom the personal information has been disclosed of the deletion request.
There are also some limited exceptions to the right of erasure including where there is public interest in retaining the information (e.g. required for law enforcement) or where the information is required to be retained at law. Information that has already been de-identified does not need to be erased unless it is subsequently re-identified (e.g. the business is not required to re-identify information in order to action an erasure request).
We expect that these new ‘rights of an individual’, including the right to erasure, are likely to require businesses to uplift their data governance systems and processes to be able to respond to these erasure requests.
Increased Penalties for Breaches
The report recommends increasing the penalties for breaches of the Privacy Act. Currently, the maximum penalty for a breach is $2.1 million for businesses and $420,000 for individuals. The report suggests increasing the maximum penalty to the greater of $10 million, three times the value of any benefit obtained from the breach, or 10% of the company's annual turnover. This increase in penalties is designed to encourage businesses to take their privacy obligations more seriously.
Mandatory Data Breach Notification
The report recommends the introduction of mandatory data breach notification requirements. This means that businesses will be required to notify individuals and the Privacy Commissioner if there has been a data breach that is likely to result in serious harm to the affected individuals. This requirement will apply to all businesses, regardless of size.
New cybersecurity measures
Technical controls
It is proposed that a new baseline set of privacy outcomes be included and to clarify that ‘reasonable steps’ to protect personal information (as well as de-identified information, per the proposals) includes both and organisational measures. This focus on cybersecurity reflects industry calls for greater clarity on technical controls that will be necessary to combat malicious and criminal attacks (which the Report notes are the primary cause of data breaches), as well as increased public concern over cybersecurity.
For entities with reporting obligations under multiple frameworks, like the Security of Critical Infrastructure Act 2018, it is proposed that further work be done in harmonising security requirements across different regimes.
Data retention
The Report proposes changes to data retention requirements, aimed at creating a culture of deleting personal information when it is no longer required. The Report highlights current practices of longer-than-necessary data retention as a key driver in the severity and scope of the impact of data breaches.
There is a new requirement for entities to establish minimum and maximum data retention periods, and to include these periods in privacy policies.
The disparate patchwork of statutory obligations to retain data is also proposed to be reviewed, particularly in light of the Australian Government Digital Identity System. This might see a raft of changes to a variety of pieces of legislation, like the Archives Act 1983, under which entities are exempted from Privacy Act requirements to delete or de-identify data that is no longer necessary.
72-hour notification timeframe
The Report proposes a new 72-hour window for APP entities to report eligible data breaches to the OAIC, starting from when they become aware that there are reasonable grounds to believe an eligible data breach has occurred, in line with the time window imposed by the GDPR. This tightens an existing obligation to report eligible data breaches to the OAIC as soon as reasonably practicable, but which included an assessment of up to 30 days.
The Report also suggests tackling confusion regarding which party makes notifications in cases of multi-party data breaches using the proposed ‘processor’ and ‘controller’ distinction, with all parties required to notify the OAIC, but only controllers required to notify affected individuals.
Regulation and enforcement
The Report contemplates significant reforms to enforcement including the introduction of a direct right of action for individuals impacted by interferences with their privacy, a statutory tort for serious invasions of privacy, new civil penalties, increased investigation and enforcement powers for the OAIC and broadened powers of the Federal Court and Federal Circuit Court in civil penalty proceedings.
Expanded scope of the Privacy Act
Expansion of the definition of personal information
As it currently stands, the definition of ‘personal information’ under the Act captures information or an opinion ‘about’ an individual who is identified or reasonably identifiable. Information about an individual may include information such as their name, date of birth and contact details.
The Report recommends expanding the definition of ‘personal information’ by replacing the word ‘about’ with the phrase ‘relates to’ to clarify that personal information will include information such as technical information (e.g. IP addresses and location data) and inferred information (e.g. predictions of behaviour or preferences). This will help resolve uncertainty which had existed over the treatment of certain categories of data under the Act.
The Report seeks to allay concerns that such updates would make the definition too broad and clarifies that information relating to an individual will not automatically be considered personal information as it must be connected to a specific individual and not be too tenuous or remote.
Removal of small business and employee records exemption
The Report also recommends that the Act be extended to apply to personal information handled by small businesses, which are currently subject to exemptions from the Act. The Report proposes consulting with small businesses about what support and resources may be needed to help ensure that those businesses are able to comply when the exemption is removed.
On the employee record exemption, the Report recommends that enhanced privacy protections should be extended to private sector employees, however it does not seem to endorse the removal of the exemption entirely. It recommends extending transparency and security requirements to employee records, as well as making them subject to the notifiable data breach regime. It suggests that further consultation is required to determine whether employee record-specific requirements should be implemented in privacy legislation or a code, or in the Fair Work Act.
Collection, use and disclosure of personal information
Notice and record keeping requirements
The Report proposes strengthened notice requirements for businesses when they collect personal information. This includes requiring a business to disclose in its privacy collection notice if an individual’s information is to be collected, used or disclosed for a high privacy risk activity (i.e. one which is likely to have a significant impact on the privacy of an individual). It would also need to provide details on how an individual can exercise any applicable ‘rights of an individual’ (explained further below) and set out the types of personal information that may be disclosed by the entity to overseas recipients.
It is proposed that businesses be required to keep records of the primary purposes for which it will collect, use and disclose personal information – this information should reflect what is set out in the business’ privacy collection notice. If the business subsequently wants to use or disclose the personal information for a secondary purpose, it must also make a record of that secondary purpose prior to or at the time the information is used or disclosed.
Fair and reasonable test
A new ‘fair and reasonable’ test is proposed to be used to determine whether the collection, use and disclosure of personal information is necessary for an entity’s function and activities. Previously, a business was required to consider whether collection was reasonably necessary for the entity’s functions or activities.
When conducting this balancing exercise, the Report recommends that a business consider:
- the reasonable expectations of the individual;
- the kind, sensitivity and amount of personal information being collected, used or disclosed; and
- whether the impact on privacy is proportionate to the benefit (among other factors).
Privacy and children
The report addresses the issue of children's privacy and proposes a number of measures to strengthen the protections afforded to children under the Privacy Act.
The report notes that children are particularly vulnerable to privacy risks, as they may not understand the implications of sharing personal information online and are often the target of online advertising and marketing campaigns.
To address these concerns, the report proposes a number of measures, including:
Strengthening the definition of "personal information" to include information that could be used to identify a child, such as their location data or online identifiers.
Requiring businesses to obtain parental consent before collecting, using or disclosing the personal information of children under a certain age (to be determined by the government).
Requiring businesses to implement specific privacy protections for children, such as default privacy settings that are appropriate for their age and a requirement to provide clear and simple explanations of privacy policies and data handling practices.
Imposing higher penalties for breaches of children's privacy, to deter businesses from engaging in practices that could harm children.
Overall, the proposed reforms aim to enhance the privacy protections afforded to children and ensure that they are not exposed to unnecessary risks online. By introducing measures to require parental consent and implement specific privacy protections, the reforms seek to give parents greater control over their children's personal information and promote a safer online environment for children.
Statutory tort for serious invasion of privacy
The Report also proposes a statutory tort for serious invasions of privacy which fall outside the Act, although it does not deal precisely with the meaning of ‘serious’ in this context.
The tort is intended to address information-handling by non-APP entities, such as individuals and most small businesses. The tort also aims to provide protections that aren’t related to personal information, for instance in relation to invasions of bodily privacy such as recording private affairs and invasions of territorial privacy such as searching of a person’s home. Damages for emotional distress may be awarded.
These claims will not be subject to the same ‘gatekeeper’ involvement of the OAIC as the direct actions. However, the court must undertake a ‘balancing exercise’ that considers both the public interest in privacy and other public interests. There are also recommended defences to accompany the tort, such as necessity.
New civil penalities
In addition to the increased maximum penalties for serious or repeated interference with privacy resulting from the December 2022 reforms, the Report recommends the introduction of new low-tier and mid-tier civil penalty provisions (with the precise penalty amount to be further considered). This addresses the fact that currently, a sanction for any breach of the Act that is less than ‘serious or repeated’ can only occur by OAIC determination. A mid-tier provision is to cover interferences with privacy that are not ‘serious’ and a low-tier provision is to cover ‘administrative’ breaches. This is likely to result in increased regulatory enforcement of non-serious and one-off interferences.
Amendment to the ‘serious and repeated interferences with privacy’ provision to remove the word ‘repeated’ and clarify the circumstances that involve a serious interference with privacy (including those involving sensitive information, those affecting large groups of people, where there are repeated breaches and where there is a serious failure to take proper steps to protect personal data) is also recommended. This may be a response to the influx of data breaches in recent months.
Increased OAIC regulatory powers
Increased investigatory powers for the OAIC in relation to civil penalty provisions are also proposed. The OAIC will have the power to undertake public inquiries and conduct reviews on approval of the Attorney-General.
The OAIC may also make determinations requiring business to identify and mitigate reasonably foreseeable risks to individuals that may result from an interference with privacy. It also proposes the power to issue temporary APP codes and make an increased range of Emergency Declarations.
Widened Federal Court orders
The Report recommends that the Federal Court and Federal Circuit Court have the power to make ‘any order it sees fit’ in a civil penalty proceeding where an interference with privacy has been established.
Next steps
Feedback is now being sought to inform the Government’s response to the Report. Public and private entities are invited to submit their views on the 116 proposals raised, which are due on 31 March. Given the relatively short timeframe for consultation, businesses should begin to review the changes and consider making submissions. Corrs is able to assist clients seeking to make a submission to the consultation process.
In the meantime, businesses should review their complete suite of controls and policies relating to the collection, use, storage and de-identification of personal information to prepare for significant change in Australia’s privacy regime. Businesses should also note that increased maximum penalties for serious or repeated breaches of the privacy of an individual and strengthened OAIC enforcement powers have already commenced.
Conclusion
The proposed changes to the Privacy Act will have significant implications for businesses operating in Australia.
One of the key themes of the report is the increased obligations that businesses will have under the proposed changes to the Privacy Act. Businesses will be required to take greater responsibility for the personal information they collect, use, and disclose. This includes implementing processes to ensure that personal information is accurate, up-to-date, and secure. Businesses will also be required to provide individuals with more transparency regarding their personal information, including how it is being used and disclosed. Additionally, businesses may be required to provide individuals with the ability to access and correct their personal information, and to delete it in certain circumstances.
The report also suggests that businesses should undertake regular privacy impact assessments to identify and mitigate privacy risks associated with their operations. This will require businesses to have a better understanding of how personal information is being collected, used, and disclosed within their organization and with third parties. The proposed changes will also require businesses to be more proactive in managing and responding to privacy breaches.
Businesses will be required to take greater responsibility for the personal information they collect, use, and disclose, and will need to provide individuals with more transparency regarding their personal information. The introduction of new privacy rights for individuals and increased penalties for breaches will also be important considerations for businesses. Finally, the mandatory data breach notification requirements will impact all businesses operating in Australia, regardless of size. As such, it is important for businesses to begin considering how they will need to adapt to these changes in order to remain compliant with the new framework. The implementation of these proposed changes is still to be determined, but businesses should start preparing now to be ready for when the changes come into effect. This could include updating privacy policies and the consents received.