With draft legislation for implementation of reforms to Australian privacy laws likely to be introduced this month, we’ve taken a look at some of the more impactful changes likely to be flagged and what that might mean for your organisation.
100+ recommendations for reform made to the Federal Government in February 2023 were ‘agreed’ or ‘agreed in principle’. While rumours are swirling that not all of these recommendations will feature in the new Bill (with reforms possibly to be implemented in stages), our KWM TechLaw Partners share their thoughts on some of the most likely and significant changes to feature either in this Bill or in subsequent rounds of reform:
1. Fair and reasonable
A new requirement that the collection, use and disclosure of personal information be fair and reasonable (irrespective of consent) will likely shift the current power balance in favour of individuals. Organisations will need to review their current data processing activities to get comfortable that they can be justified as being both ‘fair’ and ‘reasonable’. It may take time, and some hard-fought case precedents, to provide reliable guidance on how those concepts will be applied in practice.
2. Individual rights
A suite of proposed new rights, including enhanced access rights and rights to ask for information to be deleted, would empower individuals to gain more control and transparency over the handling of their personal information. Experience from the EU has shown that organisations should not underestimate the effort required to implement processes and procedures for dealing with requests from individuals seeking to exercise these rights.
3. Enforcement
The OAIC has publicly indicated an intention to be much more active in enforcing privacy laws in future. Their ability to do so will likely be enhanced by the introduction of new mid-tier and low-tier civil penalty provisions, including for breaches that might not meet the ‘serious or repeated’ threshold that currently applies. As well as a more active regulator, organisations will also need to be wary of new direct rights of action that may be introduced, to allow individuals to sue for privacy breaches. All in all, privacy is likely to become a much more litigious area of law in future.
4. Expanded meaning of ‘personal information’
We will likely see tweaks made to the current definition of ‘personal information’ that will expand the scope of the Privacy Act to cover information, like online identifiers used for profiling and targeting purposes, that may technically not currently be regulated because they don’t reveal an individual’s actual identity. These subtle changes could have a significant impact on what organisations are able to do with information they have previously considered to be ‘non-identifiable’.
5. High-risk processing and automated decision-making
Organisations that use personal information for high-risk activities (think facial recognition) or for automated decision-making that may have a significant impact on individual rights (think loan approvals or recruitment decisions) will likely be required to undertake additional privacy risk assessments. An additional level of transparency may also need to be provided about what information is being used and how automated decisions are being made. This will require additional risk management frameworks to be established, so that organisations don’t innovate themselves into hot water.
Be prepared and get your data house in order with our insights on Australia's privacy reforms.