This article was written by Michael Swinson.
On 30 October 2020 the Australian Government commenced a broad-based review of Australian Privacy Laws by releasing an Issues Paper seeking feedback on possible reforms. Submissions in response to the Issues Paper are due by 29 November 2020. The Government will then release a further discussion paper in 2021 seeking more specific feedback.
This marks the commencement of a reform process that has been expected ever since the Government committed in late 2019 that it would undertake a review of existing privacy laws in response to recommendations made part of the ACCC’s Digital Platforms Inquiry. Although originating in the context of an inquiry into a particular industry sector, the type of general privacy reforms contemplated by the ACCC and reflected in Issues Paper will apply across all industry sectors. While the ACCC’s recommendations naturally reflected a focus on consumer protection, in conducting its review the Government will no doubt also be mindful of legitimate business interests and will not want to make changes that could stymie innovation or block valid business models that depend on use of data about consumers. This tension is reflected in comments made by Attorney-General Christian Porter in announcing the review: “it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
Given the broad scope of the review, it is not possible to comprehensively cover all possible issues of significance in this summary. However, some of the points that will no doubt grab attention include:
- Scope of regulated information – The Issues Paper queries the extent to which technical information – such as IP addresses, device IDs and other online identifiers – should be expressly brought within the scope of “personal information” that is regulated by the Privacy Act. This is likely to be of interest to a wide range of organisations that use this type of information for businesses purposes that extend from delivering targeted advertising and other customised content on a pseudonymised basis over the internet to operating online communications networks that depend on the exchange of online identifiers for operational purposes.
- Strengthening notice and consent requirements – Consistent with recommendations made by the ACCC in the Digital Platforms Inquiry, the Issues Paper contemplates a range of measures to strengthen existing notice and consent requirements under the Privacy Act. The emphasis on the role of consent provoked much comment from the business community in the wake of the Digital Platforms Inquiry, in particular given the ACCC’s failure to support other lawful bases for processing personal information that apply in other jurisdictions, such as the “legitimate interests” exception that applies under the General Data Protection Regulation (GDPR) in Europe. Coupled with the suggestion that separate consents should be required for each purpose for which information may be used, and that opt-out consents should be prohibited, there are concerns that reforms of this nature could result in consumers being flooded by consent requests such that they experience consent “fatigue” and stop making meaningful or considered choices about their privacy. Over-indexing on consent may also threaten business models that rely upon consumers sharing data and receiving targeted advertising in place of providing monetary consideration in exchange for services. The Issues Paper recognises that this may be considered a “trade-off” that is in the individual’s interest, provided they are properly informed, which highlights the potential sensitivities around the possible imposition of more prescriptive consent requirements.
- International harmonisation – Many technology-based businesses are highly data-driven. For these businesses to maintain a global presence, it is critical that they be able to access and share data across international borders. The fragmented and inconsistent nature of privacy laws around the globe can be problematic. In her response to the release of the Issues Paper, Information Commissioner Angelene Falk noted that effective privacy regulation requires global interoperability so that Australia’s laws “continue to connect around the world, so our data is protected wherever it flows.” The Issues Paper address these concerns in a couple of ways. First, it canvasses the possibility of doing away with existing exceptions that apply under the Privacy Act – such as exemptions for employee records and small businesses – that are considered somewhat anomalous by international standards. These exceptions may be barriers to Australia being recognised as a jurisdiction that offers “adequate” protection for personal data according to the standards under the European GDPR, so as to facilitate the easier transfer of data from Europe to Australia. Secondly, the Issues Paper raises the question of whether the Government should, as was recommended by the Australian Law Reform Commission back in 2008, publish a list of other jurisdictions with data protection laws that are considered adequate by Australian standards. This would facilitate the transfer of data from Australia to those other jurisdictions. Global businesses wishing to maintain a presence in Australia would no doubt be grateful for any clarification that would reduce barriers to sharing information across borders.
- Direct rights of action – The Issues Paper presumes that consumer interests would be better served by enabling some form of direct right of action for privacy breaches that would entitle the applicant to obtain a financial remedy, when compared with the current system which requires individuals to raise privacy complaints through the Information Commissioner. While this may appear attractive on its face, there are a range of complex factors that require consideration, including the potential cost – in terms of time, money and court resources – that may flow from an increase in privacy-related court proceedings. Since 1988 the Privacy Act has conferred jurisdiction on federal courts to grant injunctive relief in respect of contraventions of the Act, and given legal standing to “any person” to apply for such relief. In more than 30 years, only a handful of cases have been commenced seeking relief on this basis. It is also worth noting that, based on statistics published by the Office of the Australian Information Commissioner, the vast majority of privacy complaints are resolved either with either no monetary compensation or with relatively modest payments. It may not be desirable to enable court proceedings where the stakes are relatively low. Accordingly, as noted in the Issues Paper, it may be appropriate to consider a range of different controls to deter inappropriate privacy actions, such as limiting the right to bring court proceedings to situations where there has been a “serious” breach of the Privacy Act. Given the broad range of coercive powers, and specialist remedial enforcement options available to her, it may be that the Commissioner remains best place to investigate and respond to alleged interferences with privacy. Finally, it will also be important to consider the potential chilling impact of a direct right of action of this kind on journalism – other jurisdictions with direct rights of action for invasion of privacy have legal mechanisms to balance privacy against a range of other public interests, including freedom of expression.
These are only a few of the issues that we expect will be addressed in submissions responding to the Issues Paper. If you have questions about how these issues may affect your business, or are interested in assistance to prepare a submission of your own, please don’t hesitate to get in touch.