Australia: Government response to the Privacy Act Review Report
This insight article was initially published on OneTrust DataGuidance, which can be viewed here.
On September 28, 2023, the Australian Government released its response to the Attorney General’s Privacy Act Review Report (Response). The Response is the culmination of several years of work and several stages of reporting and engagement, following the initial recommendation in the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry Report that the Privacy Act 1988 (Cth) No. 119 1988 (as amended) (the Privacy Act) be reviewed to assess its suitability for the digital age.
The Response confirms that a modest number of issues will be addressed immediately (that is, in the first half of 2024) through appropriate legislative changes or formal guidance from the Office of the Australian Information Commissioner (OAIC), with a much greater number of issues referred for further investigation or consultation. We do not expect to see any concrete changes on those until late 2024 or beyond, and the Response notes that any major changes would also need to be subject to implementation lead times to enable parties to prepare appropriately. Accordingly, this is the first of various further steps to come.
In this Insight article, Alex Hutchens, from McCullough Robertson, outlines the main themes coming out of the Response, summarizes the key changes in the short term, and provides a perspective on those changes that will be most critical to pursue longer term if the Privacy Act is to be fit for purpose in the now-pervasive digital environment and consistent with the leading privacy regimes around the world.
Background to the Response
The ACCC’s Digital Platforms Inquiry – Final Report was released in June 2019, and included a broad analysis of the issues posed by the increasingly powerful digital platforms providing the search and social features that were becoming (and of course remain) so integral to day-to-day life.
That report recommended regulatory reform across a broad range of disciplines, from competition law to media regulation, intellectual property law and, of course, privacy. In relation to privacy specifically, it identified issues like the proliferation of digital identifiers, the awkwardness (and perhaps legal fiction) of dealing with transparency through lengthy policy documents and privacy notices, the management of children’s vulnerabilities, which were not easily addressed by the legislation in its existing form, and in relation to Australia being out of step with the new gold-standard global approach embodied in the EU’s General Data Protection Regulation (GDPR), which had come into effect the previous year.
In the years since, we have seen significant developments in both privacy regulation and technological development around the world, with the privacy impacts of online activity, automated decision-making, and generative AI seeming to have only increased the rate of change.
In Australia, the rate of regulatory change has not been so great. This is not to say that there has not been significant work going on as it is quite the opposite, but this has not yet translated into the broad-reaching changes envisioned following the Digital Platforms Inquiry. To give a sense of the steps since then:
- in December 2019, the Government committed to a comprehensive review of the Privacy Act following the Digital Platforms Inquiry;
- in October 2020, a paper was released canvassing the potential issues for reform;
- in October 2021, the Privacy Act Review Discussion Paper was released which put forward 67 proposals for reform; and
- nearly 18 months later, in February 2023, the Attorney General released the Privacy Act Review Report, which made 116 wide-ranging proposals for reform and called for further consultations.
That brings us to the most recent development: the Government Response. While initial headlines and the Government’s talking points highlighted the fact that the Government has ‘agreed’ to 38 of the Attorney General’s 116 recommended changes and ‘agreed in principle’ to 68 more, the reality is that we are unlikely to see many immediate changes to the Privacy Act, despite commitments to immediately act on those that have been agreed. This is because of the 38 agreed recommendations, only a handful are capable of immediate implementation, while the remainder are recommendations for further consideration or engagement.
Of course, that is not to suggest that the process is simple or should be rushed. The Response is not the only source of amendments and potential amendments. In fact, the Response is situated in the context of some other significant privacy changes, such as the introduction of significantly greater penalties for breach of the Privacy Act, in light of two major data breaches in late 2022, to a GDPR-like maximum of the greater of AUD 50 million (approx. $33 million), three times the benefit obtained through infringing conduct, and 30% of annual turnover. Other privacy changes include the consideration of adjacent issues like the privacy aspects of the consumer data right (Australia’s industry-specific data portability right), uplifting cybersecurity laws (including surveillance laws), and the regulation of artificial intelligence (AI) generally.
It is therefore likely that while the initial steps are reasonably modest, we will see a significant volume of activity in 2024, culminating in further proposals for change, stakeholder consultation, and perhaps even draft legislation. The length of any lead time for significant changes will also be an interesting detail, noting that the GDPR had a two-year lead time prior to its implementation in 2018.
Summary of the Government Response – immediate changes
As flagged above, in its Response the Government provided a formal position on each of the 116 recommendations, with the overwhelming response being positive: 106 of the 116 were either ‘agreed’ or ‘agreed in principle.’
Of the agreed proposals that can be immediately implemented, there are a few in particular that are worth brief discussion. Four provide additional protection for individuals, two provide welcome clarity for entities around the practical steps necessary for data security compliance, and two provide more nuanced enforcement options. Together, they are a welcome first step towards a more robust and digital-appropriate privacy landscape.
Additional protection for individuals
One of the key issues in the digital environment is that individuals do not truly understand the full range of purposes for which their personal information is used. This is a combination of historical industry practice of preparing lengthy collection notices with a multitude of purposes of collection, together with the practicalities of modern digital interactions occurring at pace through often small screens. This trend, combined with the increasing use of AI-based automated decision-making has the potential to negatively impact real-life outcomes for individuals. In Australia, this has been a particularly prominent issue in light of the Royal Commission’s findings into the so-called ‘robodebt’ automated income-smoothing technology.
Accordingly, two immediate changes have been introduced:
- privacy policies must set out the types of personal information used in automated decisions that have a legal or similarly significant effect on individuals’ rights (for example, decisions relating to access to basic necessities); and
- individuals have the right to request meaningful, jargon-free, and clear information about how automated decisions are made that have a legal or similarly significant effect on their rights.
Additionally, while many other jurisdictions around the world have separate regimes to address children’s privacy or other forms of vulnerability, that is not currently the case in Australia. We have some guidance from the OAIC in relation to the age that consent can be given, but no specific protection for children and no specific consideration of the vulnerability of particular groups in an increasingly digitized environment. To that end, the accepted proposals include the following positive developments:
- a definition of ‘child’ and giving the OAIC the power to introduce a Children’s Online Privacy Code that applies to online services likely to be accessed by children. It is envisaged that the code would be similar in approach to the UK’s Age Appropriate Design: A Code of Practice for Online Services; and
- guidance to help identify when individuals may be vulnerable and at a higher risk of harm from interferences with their personal information, as well as guidance on capacity and consent.
Operational clarity for overseas transfers and data security
Two prevailing difficulties for entities in an increasingly complex, digitized global economy include the need to manage overseas transfers in circumstances where a key potential basis for overseas transfers is not well understood, as well as the need to turn broad, principle-based data security obligations into specific systems and controls.
To that end, the Government has agreed to introduce an adequacy mechanism to prescribe countries and certification schemes that provide protection that is ‘substantially similar’ to the Australian Privacy Principles (APPs). This is similar to the concept of adequacy that underpins GDPR-based cross-border transfers. Currently, entities that wish to rely on this basis are required to conduct their own due diligence and assessment of the similarity of international regimes on a case-by-case basis, which many are reluctant to do because of the inherent uncertainty. We expect that this mechanism will open up the possibility of easier outbound cross-border transfers of data.
Further, APP 11 will be amended to expressly note that data security obligations require both technical and organizational responses, and the OAIC will be required to develop guidance about what practical steps are required to fulfil security and de-identification obligations. These changes will provide welcome certainty for entities grappling with ever-shifting cybersecurity risks.
More nuanced enforcement
Finally, a common criticism of the current regime is that financial penalties are available only for ‘serious or repeated’ interferences with privacy, which can limit enforcement due to the uncertainty of what actions satisfy that threshold. The accepted proposal will mean that two lower tiers of infringement will be introduced, lowering the threshold for wrongdoing and enabling the OAIC to issue low-level infringement notices (similar to what is available under consumer protection law) and pursue more timely and broader compliance behaviour. This will be augmented by a suite of expanded powers for the OAIC when assessing complaints and suspected infringements, including investigative powers and remedial order-making powers.
These proposals will be proceeding directly to legislative drafting with targeted stakeholder consultation, with the Government committing to introducing legislation in 2024.
Most impactful ‘agreed in principle’ proposals
As mentioned above, there were many proposals agreed in principle, and too many to mention here. However, the following six are those that we think will have the greatest impact in bringing Australia into line with the leading regimes in the world. Not only are there benefits for individuals, but there is the possibility of Australia ultimately seeking adequacy for GDPR purposes, which would be a significant step forward in reducing digital friction in global operations and transactions.
What is personal information?
The first change seems, in some ways, the smallest but is the most fundamental. The current definition of personal information requires the information to be ‘about’ an individual who is either identified or reasonably identifiable. In the Privacy Commissioner v Telstra Corporation Limited  FCAFC 4 case, digital information regarding network operations was found not to be about the account holder to whom it related, and so there is significant uncertainty in Australia about whether individual data points (particularly digital ones like IP addresses, IMEIs, IDFAs, and cookies) are in fact personal information covered by the Privacy Act. This proposal would amend the definition to capture information that ‘relates to’ an individual and include express forms of digital identifier, capturing those digital data points to make the Privacy Act fit for digital purpose and bringing Australia into line with other jurisdictions.
Overarching proportionality requirement
Secondly, there were three major data breaches in late 2022 and early 2023 which highlighted the breadth and volume of data held by large corporations, as well as the length of time for which it was held. Proportionality and data retention have since become issues of particular focus in Australia. An important and perhaps even transformational proposal accepted in principle in the Response is to introduce an overarching ‘fair and reasonable’ test for the collection, use, or disclosure of personal information. Currently, APP entities have significant discretion in determining whether the collection, use, and disclosure of data is reasonably necessary for their business activities. According to the Response, individuals cannot be expected to read and understand lengthy notices and policy documents, consent to intrusive collection practices as a condition of taking services, or have information collected that they would not reasonably expect. This is, sadly, a common feature of modern digital interactions. Were this new obligation introduced as proposed, it would apply irrespective of consent, and so would cause a fundamental rethink of data collection practices.
Abolishing exceptions for small businesses and employee records
Turning now to the scope of the Privacy Act, overseas observers are often surprised that, subject to some exceptions, small businesses with annual revenues of less than AUD 3 million (approx. $1.9 million) are generally exempt from compliance with the Privacy Act. Handling of employee records for employment purposes is also exempt and only partially addressed through separate workplace laws. These exemptions mean that significant volumes of personal information do not receive protection under the Privacy Act.
The Response accepts in principle the removal of the small business exemption, with the caveat that there would need to be an impact analysis and appropriate support developed for small businesses. But with some 90% of businesses currently immune from the APPs under this exemption, this would be a massive shift in the scope of the Privacy Act.
In a similar vein, while the employee records exemption would not be removed entirely, employees would be provided enhanced transparency on how their personal information is collected and used, as well as ensuring employee data is protected from misuse, loss, or unauthorized access, and that it is destroyed when no longer required. Again, this would bring a huge additional volume of records under some form of protection under the Privacy Act.
Introducing a controller/processor distinction
Another issue that often surprises people is that Australia does not currently distinguish between data processors and data controllers. The obligations under the Privacy Act generally apply to parties who ‘hold’ personal information irrespective of the capacity in which they hold it, and this raises compliance challenges as ‘processors’ who have no relationship with an individual may be required to fulfil notice or consent obligations or find ways for their ‘controller’ customers to do so. This change, if implemented, would solve many practical challenges, and bring Australia’s regime into line with many others around the world, providing conceptual consistency between regimes and practical consistency that would facilitate easier overseas transfers, both inbound and outbound.
Direct marketing, targeting, and trading
The Response acknowledges that the use of high volumes of personal information to provide targeted content and advertising is a new and growing phenomenon that was not contemplated when the Privacy Act was introduced. Surveys consistently show that Australians have concerns about the sale and use of data for these purposes. To address these changing dynamics, the Response accepts in principle that individuals should have an unqualified right to opt out of their personal information being used for direct marketing purposes. Additionally, consent should be required to trade their personal information. This would be a fundamental shift in how data is used, particularly in the digital advertising ecosystem.
Rights of individuals
In a similar vein, the Response agrees in principle to the introduction of expanded rights for individuals, modelled on the rights available to individuals under the GDPR. These would include:
- right to access and explanation: requiring entities to explain the source of personal information held about them and what has been done with that information;
- right to object to the collection, use, and disclosure of personal information: enabling individuals to challenge collection and processing that is not reasonably necessary or not fair and reasonable in the circumstances;
- right to erasure: enabling individuals to insist on the destruction of their information on request, which would also extend to any third parties to whom the business has disclosed the information; and
- right to de-index search results: a new right, jurisdictionally limited to Australia, allowing individuals to request the removal of internet search engine results that contain sensitive information, information about a child, excessively detailed information, inaccurate or outdated information, or misleading information, even where the information on those websites is lawful. Search engine operators will likely be able to refer de-indexing requests to the OAIC for determination, particularly where complex public interest questions are involved.
To complement individuals’ increased rights, the Government has agreed in principle to proposals allowing for private enforcement of privacy breaches. This is not currently available in Australia and would not only lead to an increase in private enforcement, but would also likely hasten the nascent culture of class action litigation arising from data breaches.
In sum, we are seeing 38 proposals being progressed immediately (with legislation, guidance, or consultation to occur as applicable in 2024), with a large number of additional proposals to be explored further with an indeterminate form or time frame for introduction. As discussed, the immediate proposals certainly advance privacy protection in Australia and are tailored to address the dynamics and challenges of digital ecosystems. These are positive developments that have the potential to fundamentally reshape data handling practices in Australia. Some, however, will be disappointed that more has not been done immediately and will be keeping up to date on the rate of progress of these developments, including any consequences of failing to adapt sooner to new ways of data management.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.