11 August 2024

Privacy Act legislation overhaul expected this month

Spruson & Ferguson

Contributor

Established in 1887, Spruson & Ferguson is a leading intellectual property (IP) service provider in the Asia-Pacific region, with offices in Australia, China, Indonesia, Malaysia, Philippines, Singapore, and Thailand. They offer high-quality services to clients and are part of the IPH Limited group, which includes various professional service firms operating under different brands in multiple jurisdictions. Spruson & Ferguson is an incorporated entity owned by IPH Limited, with a strong presence in the industry.

A review of Australia's Privacy Act 1988 (Cth) (Privacy Act) has been ongoing since 2020, and has produced 116 proposed reforms. The expected legislative changes will have implications for businesses operating within Australia. They represent the most notable changes to the Privacy Act since the government pushed through urgent reforms in 2022 to substantially increase penalties in response to high-profile cyber breaches.

In a speech at the Privacy by Design Awards in May 2024, the Attorney General (AG), Hon Mark Dreyfus, announced plans to introduce legislation to overhaul the Privacy Act 1988 (Cth) (Privacy Act) in August 2024.

The legislation is expected to introduce the initial reforms arising out of the review of the Privacy Act, to which the Australian Government published a response in September 2023. Of the 116 reforms proposed in the review, the government agreed to 38 in full, 68 in-principle, and noted 10.

Below, we summarise some of the key changes likely to be introduced. The legislation is expected to introduce the agreed proposals to change the Privacy Act, but it is not yet clear how many of the agreed in-principle proposals will be included. At the time the Australian Government's response was released, the agreed in-principle proposals were reported as being subject to further engagement and consultation to explore whether or how they could be implemented.

Since the legislation will still need to be tabled and go through the parliamentary process, it may take some time before the legislation is approved in its final form and comes into effect. However, staying informed about the proposed changes and the legislative process will help businesses understand the legislation's potential impact and prepare accordingly.

Potential changes to be addressed by legislation

Greater enforcement powers

The Australian Government supports the creation of tiers of civil penalty provisions to capture interferences with privacy that are less than "serious". There will also be a new low-level civil penalty provision introduced for specific administrative breaches. Amendments will be introduced to clarify that 'serious' interference with privacy may include:

  • those involving 'sensitive information' or other information of a sensitive nature
  • those adversely affecting large groups of individuals
  • those impacting people experiencing vulnerability
  • repeated breaches
  • wilful misconduct, and
  • serious failures to take proper steps to protect personal information.

In addition, the Information Commissioner will be given more information-gathering powers to develop cases and therefore achieve the desired regulatory outcomes. These powers will include investigative powers; the power to undertake public inquiries; and reviews into certain matters with the approval or direction of the AG. Also, the Federal Court and the Federal Circuit and Family Court of Australia will be given more powers to make any orders they see fit after a civil penalty provision relating to interference with privacy is established. In addition, the AG will be given the power to permit the sharing of information with appropriate entities to reduce the risk of harm in the event of an eligible data breach.

Automated decision-making

The Australian Government will require privacy policies to set out the types of personal information that will be used in substantially automated decisions which have a legal, or similarly significant effect, on an individual's rights. In addition, high-level indicators of the types of decisions with a legal or similarly significant effect on an individual's rights will be specified in the Privacy Act and supplemented by OAIC guidance.

The government has indicated this could include "decisions on denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water". Individuals will also be given a right to request meaningful information about how automated decisions with legal or similarly significant effect are made. It is possible that these particular measures will be implemented as part of the broader work being undertaken by the government to regulate artificial intelligence, rather than through the upcoming legislation.

Clarity on objects

The first two objects in paragraphs 2A(a) and (b) of the Privacy Act are to promote the protection of the privacy of individuals, while recognising that this protection should be balanced with the interests of entities in carrying out their functions or activities. Given the Privacy Act is generally concerned with the protection of information, the objects are to be amended to clarify that the Act is about the protection of personal information. The objects will also be amended to recognise the public interest in protecting privacy, which is that individuals' privacy is critical for building public trust and facilitating participation in public life.

Regulation of child privacy

In recognition of broad concerns around child privacy, the Australian Government has agreed that a child should be defined in the Privacy Act as an individual who has not reached 18 years of age. The government also agreed in-principle to introduce a suite of additional protections to apply specifically to children including that targeting to a child should be prohibited, except where targeting is in the best interests of the child.

Further reform on the way

Looking ahead, the Australian Government is considering a range of other proposals to reform privacy regulation which it has already agreed in-principle, and which may or may not be addressed in the upcoming legislation. This includes:

  • The introduction of a right of action to allow individuals to apply to the courts directly for relief in relation to an interference with privacy. The direct right of action will allow individuals who suffer loss or damage due to an interference with privacy to obtain compensation.
  • A new tort for serious invasions of privacy.
  • Following further assessment and consultation, a plan to remove the exemption in the Privacy Act which provides that entities with an annual turnover of $3 million or less do not need to comply with the Privacy Act. In the short-term, small businesses will be made subject to the Privacy Act in respect of the collection of biometric information for use in facial recognition and when trading in personal information, which are considered high risk activities.
  • Bolstered new individual rights including individuals being granted rights to both access and receive an explanation about their personal information if they request it; a right to object to the collection, use or disclosure of personal information (and to have a response to this objection with reasons); a right to erasure of any of their personal information; the existing right to correction being extended to generally available publications; and a right to deletion of an index of online search results containing personal information which is sensitive information, information about a child, excessively detailed, or inaccurate, out of date, incomplete, irrelevant or misleading.
  • Requiring privacy impact assessments to be undertaken for activities involving high privacy risks. A high privacy risk activity is one that is likely to have a significant impact on the privacy of individuals. High privacy risk activities may include use of facial recognition technology, or the use of biometric information for identification when used in public spaces.
  • The introduction of a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit.
  • The introduction of standardised templates and layouts for privacy policies and collection notices.
  • New requirements around collection and consent, including that:
    • the collection, use and disclosure of personal information must be fair and reasonable in the circumstances;
    • maximum and minimum retention periods to be defined in privacy policies for personal information that is held;
    • collection notices will need to be clear, up-to-date, concise and understandable;
    • consent must be voluntary, informed, current, specific, and unambiguous; and
    • consent must be obtained to trade an individual's personal information.

We plan to provide a further update on the reforms once the draft legislation is tabled.

How we can assist

Businesses can already start considering how these upcoming changes might affect them. Doing so will allow them to handle their privacy compliance with more confidence and ensure their privacy and data strategy and practices are implemented in a way that is aligned to the changing regulatory landscape.

Our team of privacy and data protection lawyers frequently assists businesses in complying with their privacy obligations regarding the collection and use of personal information.

If you need help understanding or complying with the Privacy Act, or if you require advice on the proposed reforms from the Privacy Act review, please do not hesitate to contact us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
