The highly anticipated Privacy Act Review Report is now here. Its release follows multiple high profile data breaches and the first suite of Privacy Act reforms that were passed late last year. Last year’s reforms saw:
The next round of reforms being proposed in the Report will be a fundamental reform to the Privacy Act for individuals and entities alike. They’re a welcome update to Australia’s key privacy regime, at a time when the prevalence and awareness of serious and sophisticated cyber-security and privacy risks has arguably never been higher. Some of the key changes proposed by the Report include:
Retention, destruction and de-identification
Following recent high profile data breaches, the OAIC has emphasised the need for entities to assess and ensure their compliance with the collection, destruction and de-identification obligations under the Australian Privacy Principles. In particular, entities must ensure that they are not collecting or retaining personal information for longer than necessary, in larger quantities than necessary, or of a type that is not necessary. The Report proposes to strengthen these existing obligations by requiring entities to specify in their privacy policy the maximum and minimum retention periods for each type of personal information they hold (Proposals 21.7-21.8), and by providing further clarity on the obligation to destroy or de-identify personal information once it is no longer needed (Proposal 21.5).
Clarification of what is ‘personal information’
The definition of personal information is proposed to change so that information need only ‘relate to’ an individual, and to include a non-exhaustive list of examples of personal information, such as online identifiers (Proposals 4.1-4.4). These changes will provide clarity on the scope of personal information and reflect today’s digital age. Entities will need to thoroughly audit the types of information they handle, since additional categories of information may now be subject to the Privacy Act.
Introduction of controller and processor roles
Under other jurisdictions’ regimes, such as the European GDPR, there is delineation of privacy obligations within each data ecosystem between entities that control personal information (controllers) and entities processing personal information on behalf of a controller (processors). These concepts are proposed to be introduced in the Privacy Act (Proposal 22.1), and processors will be subject to only a handful of Australian Privacy Principles to reflect their restricted role.
Small businesses to be subject to the Privacy Act
Currently, small businesses (which includes those turning over less than $3 million, subject to some exceptions) are exempt from much of the Privacy Act. This exemption is proposed to be phased out (Proposals 6.1-6.2). Small businesses may also have obligations where they are a ‘processor’ (Proposal 22.1). This means that small businesses will need to educate themselves on their privacy obligations, and implement the necessary policies and procedures to achieve compliance.
Organisational accountability and Privacy Impact Assessments
The Report proposes new obligations for privacy management processes, such as an obligation to determine and record the purposes for which personal information will be collected, used and disclosed (including any secondary purposes), a requirement to appoint a senior employee responsible for privacy within the entity, and an obligation to undertake Privacy Impact Assessments for high risk processing (Proposals 15.1-15.2 and 13.1-13.3). These express requirements will clarify and build on existing obligations.
Personal information handling will also have to be ‘fair and reasonable’
Currently, collection of personal information must be ‘lawful and fair’. The Report proposes to replace this reference to ‘fair’ with a new, broader principle that the collection, use and disclosure of personal information must be ‘fair and reasonable’ in all the circumstances (Proposals 12.1-12.3). This would be an objective test, allowing a fuller assessment of the means, purposes and impacts of the information handling.
Offshore transfer of personal information
The Report proposes practical changes to facilitate offshore transfers, including a mechanism to prescribe countries and certification schemes that meet the requirements for transfer under APP 8.2(a) (Proposal 23.2). Currently businesses must make their own assessment as to whether another jurisdiction has laws that provide substantially similar protection to the APPs, which entities are often not well placed to do. A mechanism for development of standard contractual clauses is also proposed, which will be interoperable with those of other jurisdictions, to facilitate transfers under APP 8.1 (Proposal 23.3). These clauses could be entered into between the Australian entity and offshore recipient to bind the offshore recipient to comply with the APPs. The Report also foreshadows the need to consider the scope of APP 8, and whether it needs to apply to certain offshore transfers, and not just offshore disclosures (Proposal 23.6).
Expansion of individual rights
The Report proposes new data subject rights, including a right of erasure (Proposal 18.3), an unqualified right to opt out of all targeted advertising (Proposal 2.3), and a prohibition on targeted advertising to children and on trading in the personal information of children (Proposals 20.5-20.6).
On the enforcement front, the Report proposes a direct right of action for any individual or group of individuals who have suffered loss or damage as a result of an interference with privacy by an entity to apply to the courts for relief (subject to the initial complaint processes with the OAIC being followed) (Proposal 26.1). The Report also recommends introduction of the long debated statutory tort for serious invasions of privacy (Proposal 27.1). These rights, if introduced, are likely to increase the risk of litigation for serious non-compliance, and will serve as a driver for entities to maintain compliance with the reformed regime.
Tiered civil penalties
A tiered penalty regime is proposed, under which penalties may be imposed on organisations for breaches that do not meet the current threshold of being ‘serious or repeated’ (Proposal 25.1). This lower threshold would also assist individuals in enforcing their privacy rights under the proposed direct right of action, since they would only need to prove a lower level of harm.
Extraterritorial application
The recent simplification of the extra-territorial application arguably requires some further tweaks, so that the Act applies to an offshore entity only to the extent that its personal information handling has some connection to Australia (Proposal 23.1). The Report considers the approaches taken under the European GDPR and the NZ Privacy Act, and suggests further consultation is required to arrive at an appropriate ‘Australian link’ that avoids loopholes offshore entities could rely on.
Where to from here?
The Government has sought feedback to inform its response to the Report. The deadline for submitting feedback is 31 March 2023. Businesses that wish to submit responses should consider the Report and respond within that timeframe. From there, we expect draft legislation to be released later this year, with the new reforms passed by early 2024.
We expect that many of the Proposals will be welcomed by entities, assisting with clarity around compliance obligations and better facilitating business within a global economy. But the devil is in the detail, and there is still a lot of detail to work through in preparing the reform. What entities can expect is for the changes to be substantial.
Preparation will be key, and entities can start preparing by undertaking audits and reviews of their personal information handling practices. A sound understanding of their information handling practices will be crucial to entities being able to efficiently and effectively adjust their business practices and documentation, to achieve compliance with the Privacy Act reforms, once those reforms are passed.
Authors
Bronwyn Furse | Partner | +61 8 8236 1121 | bfurse@tglaw.com.au
Kaylee Fietz | Lawyer | +61 8 8236 1109 | kfietz@tglaw.com.au