Privacy Act Review Report (Finally) Released

TL;DR 

The Government has released a long-awaited report setting out its privacy reform agenda.  This landmark report proposes many significant changes.  These include the introduction of more prescriptive privacy rules, greater alignment with EU data protection laws, a specific focus on online services, and the empowerment of regulators to play a more active enforcement role.  Submissions may be made on the report until 31 March 2023.  More specific consultation will also be required on a number of the more far-reaching proposals.  Draft legislation will then be required to implement the proposals that are to be progressed.  Accordingly, while this is an important milestone, the journey towards meaningful privacy reform remains a long one.

What has happened?

The Attorney-General’s Department has released the Privacy Act Review Report (the Report), which sets out the Government’s response to the various reform recommendations and proposals raised by the Privacy Act Review Discussion Paper released in October 2021.

This is a major milestone on Australia’s slow march towards privacy law reform, which has its origins in the ACCC’s final report on the Digital Platforms Inquiry released almost 4 years ago.  The Report essentially sets out the Government’s proposed reform agenda for this important area of law.  The changes contemplated in the Report will affect all sectors and all levels of the Australian economy and the Report will be critical reading for any organisation that deals heavily with personal information as part of its day-to-day business.  The broad level of interest in this reform process is reflected by the fact that more than 370 written submissions were made in response to the preceding Discussion Paper.

The Report runs to over 300 pages, reflecting the breadth and complexity of the issues it covers.  There is far too much to easily address in this short update.  However, we have sought to identify some of the key themes and more impactful reforms covered in the Report.

What are the key themes?

If you have read the Discussion Paper (those who have not can quickly refresh by reading our update here from the time it was released) there will be much familiar in the Report.  Many of the reforms recommended in the Discussion Paper are reflected in the Government’s proposals.  However, there are also recommendations that have been discarded and new proposals raised that do not tie back to the Discussion Paper.

At a high level, there are a few key themes that run throughout the Report:

  • Principles vs prescription

    As with many other data protection laws, the Australian Privacy Act is a principles-based law centred around a set of 13 Australian Privacy Principles.  This provides an inbuilt level of flexibility and protection against redundancy.  While this is a key strength of the law, and the Government does not propose to abandon this approach, the Report identifies a number of areas in which there is a greater need for prescriptive rules and guidance so that organisations understand how the law should be applied in specific scenarios.  This is reflected in the proposed introduction of new requirements in the Act (such as prohibitions on targeting children or using sensitive information, and stricter consent standards), additional legislative guidance (such as a non-exhaustive list of technical data and other information that may be categorised as ‘personal information’) and the introduction of targeted guidance and codes of practice to be developed by the OAIC (such as in relation to the design of online consents and the application of minimum information security requirements).  As such, organisations should expect the law to apply a firmer and more directive hand in relation to privacy matters in the future.
  • Aligning with the GDPR

    The EU General Data Protection Regulation (or GDPR) is widely regarded as representing a high watermark for data protection laws around the world.  While the Government has resisted the temptation to simply adopt the GDPR model on a wholesale basis, there are a number of key proposals in the Report that explicitly align with the EU framework.  These include the introduction of a number of new data subject rights (such as rights of objection and rights of erasure), the development of ‘standard contractual clauses’ to standardise the terms on which information may be shared across borders and, perhaps most significantly, the introduction of a distinction between the roles played by (and associated compliance responsibilities of) data controllers and data processors.  This will be a development that is especially welcome for businesses that provide technological data processing services for Australian customers.  While not an explicit aim of the reforms, this level of alignment may also help in securing a finding by the EU that Australian law provides an ‘adequate’ level of protection for personal information so as to facilitate the flow of information between the EU and Australia.
  • Focus on online industries

    The Report identifies that the continued growth and development of the digital economy has changed the way that Australians live their lives, bringing many benefits but also making their information more vulnerable.  It is not surprising, therefore, that many of the proposals in the Report are aimed specifically at addressing particular areas of vulnerability that arise in relation to online services.  This is reflected in proposals requiring ‘privacy by default’ in relation to online privacy settings, specific guidance on designing online consents, the proposed creation of a Children’s Online Privacy Code, new rights to de-index online search results, and more specific rules around direct marketing, targeting and automated decision-making using personal information.
  • Empowerment of the OAIC

    A final and perhaps most significant theme that runs throughout the Report is the need to empower and arm the OAIC to play a stronger and more interventionist role in overseeing and enforcing the Privacy Act.  This is reflected in additional enforcement options for the OAIC to seek civil penalties and issue infringement notices, and broader powers for the OAIC to create targeted codes of practice and to undertake public inquiries and reviews into specified matters.  Somewhat ominously, the Report proposes that the OAIC conduct an internal review to ensure it is structured to ‘have a greater enforcement focus’.  That would be consistent with the support that other regulators, such as the ACCC, have already been giving to enhance the OAIC’s existing enforcement capability.  All of this requires appropriate resourcing, which has been a well-known issue affecting the OAIC, and the Report proposes further investigation of a possible industry funding model to address those limitations.  The greater role for the OAIC should also not overshadow the proposed introduction of a new direct right of action and statutory tort, which will provide other enforcement paths for individuals aggrieved by a breach of their privacy.

What are the other highlights?

The Report is broadly broken into three parts.

The first part of the Report deals with the scope and application of the Privacy Act.  Key proposals raised in this part include:

  • expanding the definition of ‘personal information’ to include any information that relates to an individual (instead of the current test requiring that information be about an individual), which would align the concept with the GDPR definition of ‘personal data’, widely considered to be broader than the current Australian equivalent. The Report indicates that the definition would be designed to ensure that the connection between the information and the individual is not too tenuous or remote, and that a non-exhaustive list of examples would be included to provide further guidance.  This could explicitly capture things such as IP addresses and online and device identifiers

  • clarifying when information will be considered ‘de-identified’ (while stopping short of requiring absolute anonymisation) and imposing limited compliance obligations on information that has been de-identified, including obligations to keep it secure and to prohibit malicious re-identification

  • requiring consent for the practice of precise geolocation tracking

  • removing the small business exemption (though only after further consultation, given the potential impact this may have on a large part of the economy) and introducing enhanced protections for employee information that is currently exempted from the Act (again after further consultation), as well as making adjustments to exemptions currently enjoyed by political organisations and journalists

The second part deals with the protections conferred by the Privacy Act.  Key proposals raised in this part include:

  • various clarifications aimed at improving the quality of privacy notices so that they are clear, up-to-date and understandable (including to children where relevant)

  • strengthening consent requirements (including raising the possibility of introducing standardised consent processes) and requiring online privacy settings to reflect a privacy by default approach

  • introducing a new general requirement to ensure that all collection, use and disclosure of personal information is fair and reasonable in the circumstances – this was clearly foreshadowed in the Discussion Paper and will become a foundational obligation that should be the focus of future privacy compliance efforts for all organisations. Although this is presented as an objective requirement, in practice there is scope for uncertainty until a body of decisions exists to guide organisations in their assessment of whether particular conduct is ‘fair and reasonable’

  • requiring the completion of a privacy impact assessment before embarking on any activity likely to have a significant impact on the privacy of individuals (also referred to as ‘high privacy risk’ activities)

  • various new obligations aimed at increasing organisational accountability, such as requirements to keep a written record of the proposed purposes for which information will be collected and used, to appoint a senior employee responsible for privacy compliance, and to specify information retention periods in public-facing privacy policies

  • introducing new individual rights, including enhanced rights of access (extending to a right to require an organisation to identify the source of the personal information it has collected and to provide an explanation of what it has done with that information) as well as rights of objection and erasure and a specific right to de-index online search results

  • significantly revised rules relating to direct marketing and targeting (including for advertising purposes) with unqualified rights to opt out of such activities – significantly, the Report contemplates that an organisation would not be allowed to make the provision of a service contingent upon consent to marketing or targeting, which could be considered a threat to certain ad-driven business models – the interaction of these new rules with existing laws on electronic marketing will be something that requires careful consideration

  • introducing a baseline set of information security outcomes that organisations will be required to achieve through application of reasonable technical and organisational measures – recognising concerns about laws that require retention of personal information for longer than may otherwise be desirable (especially in the wake of recent major data breaches in Australia), the Report also proposes that a review be undertaken of all such laws to confirm whether they are still appropriate from a policy perspective

  • introducing separate concepts of data controllers and processors, as currently reflected in many other international data protection frameworks, with different compliance obligations applying to each (specifically with more limited compliance obligations applying to organisations that merely act as a processor for another controller organisation)

  • clarifying the recently amended ‘Australian link’ requirement to ensure that the Privacy Act only applies to conduct outside Australia where it affects personal information with a relevant connection to Australia – this should be welcomed by entities that carry on business in multiple jurisdictions

  • various amendments aimed at clarifying arrangements for disclosing personal information outside Australia, including the development of standard contracts for exports of personal information

The final part of the Report deals with regulation and enforcement of the Privacy Act.  Key proposals raised in this part include:

  • creating additional tiers of civil penalty provisions, including a lower tier that would allow infringement notices to be issued without the need for court proceedings – this could empower the OAIC to play a much more active role in penalising lower level privacy breaches, similar to the way in which the ACMA has been relatively aggressive in its enforcement of the Spam Act

  • introducing a direct right of action to enable individuals to apply to the courts for relief in relation to privacy breaches, as well as the long-anticipated introduction of a statutory tort for serious invasions of privacy as previously foreshadowed in an ALRC report in 2014

  • introducing more prescriptive data breach notification requirements, including a mandated 72 hour reporting timeframe

  • establishing a working group to harmonise privacy laws across different Australian jurisdictions – a most welcome development for any organisation that is negotiating the current tangled web of laws that apply

Where to now?

While the release of the Report is an important milestone, it is not the end of the road.  Far from it.  The Government is seeking submissions in response to the Report by 31 March 2023.  Submissions may be made by completing an online survey that the Government has produced for that purpose (available here) or in writing.  The Report indicates that a number of the more significant proposals made should be subject to additional consultation (e.g. on the adjustments to the exemptions for small businesses and employee records, and on the significant changes to rules on direct marketing and targeting), given the complexity and potential major economic impact.  Following that, draft legislation will need to be prepared to give effect to the proposals, which will be no small task given that (as is always the case with these things) the devil will inevitably be in the detail.  We will, of course, continue to keep you updated as further milestones are reached.
