
High-water mark: will an amended Privacy Act meet the bar set by the EU GDPR? Part two

In February 2023, the Attorney-General released the Privacy Act Review Report (Report), setting out proposals for extensive reforms to Australia’s Privacy Act 1988 (Cth) (Privacy Act). As draft legislation is not due to be introduced until later this year, it is too early to say with certainty how the reformed Privacy Act will compare to the high-water mark for privacy laws set by the General Data Protection Regulation (GDPR) of the European Union (EU). However, following the publication of the Federal Government’s response to the Report (Response), we can gauge how the legislation is likely to compare.

In part one of this series, we took a look at the Report’s proposals addressing the concepts of ‘controllers’ and ‘processors’, exemptions to the Privacy Act and the Notifiable Data Breaches Scheme. In this second instalment, we focus on proposals for updating the mechanisms for enabling overseas data flows, transparency in relation to automated decision-making, expanding rights for individuals and increasing penalties. We also consider what it may mean for Australia if the reformed Privacy Act is, or is not, considered to be ‘essentially equivalent’ to the GDPR.

Overseas data flows

The GDPR sets out various mechanisms for transferring personal data outside of the EU (Articles 44-50). These include the ability to transfer personal data to a third country where:

  • a decision has been made by the European Commission that the privacy laws of that country offer a level of protection that is essentially equivalent to the GDPR (i.e. an adequacy decision, which has not yet been granted in respect of Australia’s privacy laws); or

  • appropriate safeguards are in place, such as the transferor and transferee entering into standard contractual clauses.

In the event that there is no adequacy decision or appropriate safeguard in place, a transfer of personal data may only occur where there is an applicable derogation.

Under Australian Privacy Principle (APP) 8.1 of the Privacy Act, an entity that discloses personal information to an overseas recipient must first take reasonable steps to ensure the recipient does not contravene the APPs, unless an exception applies under APP 8.2. While there are currently no standard contractual clauses in Australia, the Office of the Australian Information Commissioner (OAIC) has advised that the ‘reasonable steps’ contemplated will generally take the form of the entity entering into an enforceable contractual arrangement with the overseas recipient, and the OAIC provides guidance as to what may be included in such contractual arrangements.

This may change under the reforms, with the Report proposing that standard contractual clauses be adopted (Proposal 23.3), which the Response agrees with in-principle. There is no suggestion that such clauses will be mandatory but they should provide more structure for entities that are unsure of the extent of the contractual obligations they should seek to impose in order to discharge the ‘reasonable steps’ obligation.

The Report also proposes an amendment to APP 8.2(a), which provides an exception to the APP 8.1 requirements where the disclosing entity reasonably believes they are disclosing personal information to an overseas recipient that is subject to a substantially similar law or binding scheme (Proposal 23.2). The proposed amendment, agreed to in the Response, would see a more prescriptive scheme introduced under which certain countries would be deemed to provide substantially similar protection to the APPs (similar to the GDPR’s adequacy framework).

On the face of it, the proposed changes to APP 8 may appear to bring the regime in line with the GDPR. However, if APP 8.1 retains the ‘reasonable steps’ obligation (with standard contractual clauses being just one route to discharging it), entities may still exercise considerable discretion over the steps they implement, so long as they can justify those steps as reasonable. This means that personal information transferred outside of Australia may be subject to fewer protections than information transferred outside of Europe.

Information about automated decision-making

The GDPR contains several rights and obligations that arise where decision-making is based ‘solely’ on automated processing (i.e. without human involvement) and produces legal or other similarly significant effects for the individual. For example, individuals have a right not to be subject to such automated decision-making, unless the controller implements suitable safeguards and the decision is:

  • necessary in respect of a contract between the data subject and controller;

  • authorised by applicable law; or

  • based on the data subject’s explicit consent (Article 22).

Further, under the GDPR, controllers must provide data subjects with (and data subjects have a right of access to) ‘meaningful information’ (i.e. in their privacy policy or notice) about the logic involved in, and the significance and anticipated consequences of, such processing (Articles 13 – 15).

There are currently no specific rights or obligations in relation to automated decision-making under the Privacy Act. However, the Report includes proposals to introduce:

  • an obligation for entities to set out in their privacy policies the types of personal information that will be used in ‘substantially’ automated decisions which have a legal or similarly significant effect on an individual’s rights (Proposal 19.1); and

  • a right for individuals to request meaningful information about how such decisions are made (Proposal 19.3).

Although the Report does not purport to prescribe a right for individuals equivalent to Article 22 of the GDPR, the proposals are notable as they will be informed by the Department of Industry’s consultative work on generalised regulation of AI and may impact a broader set of activities than the equivalent provision in the GDPR, i.e. decision-making substantially based on automated means (as opposed to solely based). The proposals take into account various GDPR guidance documents which have indicated that ‘tokenistic’ or ‘fabricated’ human involvement is not enough for an activity to avoid being considered ‘solely automated processing’. The Report suggests that guidance be developed to clarify the meaning of ‘substantially automated’, following consultation.

The proposals relating to automated decision-making are three of only 38 proposals agreed to in-full in the Response, indicating the Government’s recognition of the importance and time sensitivity of responding to emerging risks in the AI and automated decision-making space.

Rights of the individual

Currently, individuals have rights to seek access to, and correction of, their personal information (APP 12 – 13) held by APP entities, as well as a right to opt out of direct marketing (APP 7.3). APP entities are also required to provide individuals with certain information about their collection, and handling, of personal information pursuant to APPs 1 and 5.

The Report proposes a range of new individual rights under the Privacy Act:

Incoming Privacy Act reform as set out in the Report:

Individuals to have:

  • expanded right of access (including explanation of processing)

  • right to object (including to direct marketing)

  • expanded right of correction (in respect of online publications)

  • right to erasure

  • right to de-indexation

(Proposals 18.1 – 18.5)

GDPR:

Data subjects have:

  • right to information

  • right of access (including explanation of processing)

  • right to rectification

  • right to erasure (including right to de-indexation)

  • right to restriction of processing

  • right to data portability

  • right to object (including to direct marketing)

  • right against solely automated decision-making

(Articles 12 – 23)

The proposed rights largely appear to mirror the rights available to individuals under Articles 12 – 23 of the GDPR, including the right to be de-indexed from search results, which the Court of Justice of the EU recognised in Google Spain SL v Costeja González (decided under the GDPR’s predecessor, Directive 95/46/EC) and which is now reflected in the right to erasure under Article 17 of the GDPR. However, questions remain about the scope and implementation of these rights in Australia. For example, the proposals include expanding the existing right of correction to cover information published about individuals in online publications for which an APP entity is responsible (broader than the current right, which extends only to personal information actually held by the entity). However, no precise definition has been proposed for ‘generally available publications online over which an APP entity maintains control’, and that definition will determine the scope of the expanded right of correction.

Given all individual rights have only been agreed to in-principle, these concepts will likely be further refined in future rounds of consultation and so we have yet to see the extent to which they will reflect the GDPR.

The Report already calls out the fact that it does not contain a proposal for a right to data portability (as there is in the GDPR), on the basis that this is addressed by the Consumer Data Right (CDR) scheme. Although the CDR currently applies only to the banking sector, it is expected to be rolled out economy-wide over the next few years.

Penalties

While the majority of the Privacy Act reforms are still to be settled and implemented, a limited number of updates to the Privacy Act are already in effect.

In December 2022, in response to a string of high-profile data breaches, the Government passed legislation dramatically increasing the maximum penalties that may be imposed under the Privacy Act for serious or repeated infringements. The scale of the increased fines under the Privacy Act is made particularly clear when compared to the penalties under the GDPR:

Previous law under the Privacy Act:

The maximum penalty previously available under the Privacy Act was:

  • A$444,000 (for individuals); or

  • A$2.2 million (for corporations).

Current law under the Privacy Act following reforms:

The maximum penalty available under the Privacy Act is:

  • A$2.5 million (for individuals); or

  • for corporations, an amount equal to the highest of:

    • A$50 million;

    • three times the value of benefits obtained or attributable to the breach (if quantifiable); and

    • 30% of the corporation’s ‘adjusted turnover’ during the ‘breach turnover period’ (if the court cannot determine the value of the benefit obtained).

GDPR:

The maximum penalty available under the GDPR is an amount equal to the higher of:

  • €10 million (approx. A$16 million), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, for certain breaches; or

  • €20 million (approx. A$33 million), or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, for certain other breaches.

Although the figure of 30% of adjusted turnover appears significantly higher than the equivalent figure under the GDPR (2% or 4% of annual turnover), the Privacy Act calculates the amount on the basis of a company’s domestic turnover only, whereas the GDPR applies to a company’s global turnover and has resulted in substantial fines being imposed (such as the €746 million fine handed down to Amazon). Given no fines have yet been issued under the updated penalty regime, it remains to be seen how the increased penalties will compare in practice.

Looking ahead

Although the reforms have not been finalised, it appears that Australia will be taking a step towards the standard of the GDPR, but gaps will remain. While this means the compliance burden on APP entities will not be as high as under the GDPR (although it will increase), some groups have expressed concern that the reforms will not go far enough in protecting the privacy of individuals in Australia.

If the European Commission continues to consider that Australia does not have privacy laws that are ‘essentially equivalent’ to the GDPR, Australia will also remain without an adequacy decision. Such a decision would facilitate the transfer of personal information from the EU to Australia, as controllers would not need to implement further safeguards or rely on a derogation from the restrictions against transferring personal data.

Australia was last assessed for an adequacy decision in 2001. At this time, several concerns were raised about Australia’s privacy framework, including the existence of the small business exemption and the employee records exemption (discussed in part one of our series). Although the Report has recommended the removal of the small business exemption, this has only been agreed in-principle by the Response, and the Report has not gone as far as proposing the removal of the employee records exemption in full.

Attention should be paid to any comment from the European Commission in respect of Australia’s privacy reform – any concerns raised could pave the way for further reform in the future.

***

This article is part two of a two-part series. Read part one here.


Thank you to seasonal clerk Jo-Ann Wang, who contributed to this article.


Authors

James North

Head of Technology, Media and Telecommunications


Tags

Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.