The Federal Government has released its much-anticipated response (Response) to the Privacy Act Review Report (Report), indicating its broad approval for a markedly changed privacy regime in Australia.
The Response is largely positive towards the proposals raised by the Report, which we discussed in our previous article ‘Sweeping reforms proposed in Privacy Act Review’, and demonstrates the Government’s intention to ensure the Privacy Act 1988 (Cth) (Privacy Act) is fit for purpose to deal with risks emerging from new technologies and practices. This follows the approach taken in other jurisdictions, most notably the European Union’s General Data Protection Regulation (GDPR).
Below, we outline the key themes of the Response and provide some comments on the questions these themes raise.
Further Government consideration and stakeholder consultation required
While the Government is broadly supportive of the Report, for the majority of proposals the Response does not provide much certainty as to the specific legislative reform the Government will undertake.
Although the Government has not rejected any of the proposals outright, it has agreed to only 38 of the 116 proposals without qualification. The Government has effectively reserved judgment on the majority of the proposals by agreeing ‘in-principle’ to 68 of them, and ‘noting’ a further ten, in which case the Government agrees with the intent but not the specific mechanism of the proposal. The Government has committed to introducing draft legislation in 2024 – the first time a concrete date for reform has been set. This will be welcome news to Australian companies and other observers of the Government’s review of the Privacy Act, which commenced in 2020 and has already involved three separate public consultations.
Notwithstanding this progress, further consultation will be needed. For the majority of proposals, the Government has stated it will need to engage with regulated entities and conduct comprehensive impact analyses before formally agreeing to the proposals, for example regarding the employee records and small business exemptions.
New obligations for collecting personal information
The Response suggests the Government will likely impose additional obligations relating to the collection of personal information, which were some of the more controversial and topical proposals in the Report. These include the proposals to apply a positive standard of fairness and reasonableness to all collection of personal information and to require that Privacy Impact Assessments be undertaken for high-risk activities such as facial recognition, both of which the Government agreed to in-principle.
These proposals are designed to address the emergence of practices that may pose significant privacy risks or otherwise be considered to be unfair, like screen-scraping.
The Government has also accepted, in full, proposals that individuals should have a right to request meaningful information on how significant automated decisions about them are made and that privacy policies should set out what information is used for such automated decision-making. This is notable given the parallel consultation on ‘Safe and Responsible AI in Australia’ throughout June and July, which sought public views on potential legislation dealing with risks associated with AI, an area of technology which has developed rapidly even since the consultation period for the Privacy Act Review Report closed. While there is significant potential for an amended Privacy Act to deal with many of the concerns with AI, this will also require further consultation.
Broader scope of application, including to small businesses
In the Response, the Government has agreed in-principle to a number of measures that would broaden the scope of the Privacy Act. These include extending the definition of personal information to include generated or inferred information (for example, IP addresses), as well as removing or reducing the scope or effect of a number of exemptions to the Act.
One significant proposal of this kind is the removal of the small business exemption, which currently exempts businesses with an annual turnover of less than A$3 million from the application of the Privacy Act. The Government has agreed to this change in-principle, meaning further consultation with small businesses is required before any amendments are made. The proposal is controversial given the cost to small businesses of complying with complex privacy legislation.
More engagement with individuals and regulators
Individuals will likely have a menu of new rights with respect to the collection and handling of their personal information, including rights of explanation, correction and erasure, as well as claims they may make where their personal information is mishandled, including a direct right of action for privacy-related damages and a statutory tort for serious invasions of privacy. Such a direct right of action is likely to significantly increase the volume of privacy-related litigation, as under the current regime only the Office of the Australian Information Commissioner (OAIC) may bring such action. The Report also proposes significant empowerment of the OAIC, which has historically been hesitant to exercise its limited enforcement powers compared to more aggressive regulators such as the Australian Competition and Consumer Commission (ACCC). One proposal agreed to by the Government without qualification is the implementation of a tiered infringement scheme, which would introduce low-tier and mid-tier civil penalty provisions. In general, the changes herald a more prolific and uniform enforcement approach by an empowered OAIC, and a larger regulatory ‘attack surface’ for companies processing the personal information of Australians.
The Response to the Report has provided some clarity as to the Government’s overall approach to reforming the Privacy Act, though it has left the lion’s share of the proposals subject to yet another round of public consultation. However, given the Government’s commitment to introduce legislation in 2024, these consultations are likely to be more focused and will give companies another chance to have their say on more specific questions relating to privacy regulation reform. This will also give the Government an opportunity to decide whether, and to what extent, it will consolidate its treatment of legal risks emerging from new technologies such as AI.
Other than considering how to engage in these consultations, Australian companies may wish to consider the steps that will need to be taken to comply with a more expansive Privacy Act and respond to newly empowered individuals and regulators. Such steps may include implementing privacy by design principles into their organisation’s operational processes and investing in the data governance frameworks and technology required to ensure compliance.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.