Australian privacy law reform update: Online Privacy Bill

The Australian Government's commitment to privacy law reform in Australia continues, taking another step forward along the privacy law reform path.

The Australian Government recently released the Attorney-General's Department Privacy Act 1988 Discussion Paper (Discussion Paper) and the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).

The Online Privacy Bill proposes to:

• introduce an Online Privacy Code for social media and certain other platforms
• increase current penalty provisions in the Privacy Act 1988 (Cth)
• enhance the Information Commissioner's enforcement powers
• clarify the extraterritorial application of the Privacy Act.

Learn more about the key provisions of the Online Privacy Bill below or click here for more information about the Discussion Paper.

What is the Online Privacy Bill?

The Online Privacy Bill is intended to give effect to the Australian Government's commitment to strengthen the Privacy Act 1988 (Cth) (Privacy Act). Specifically, the Bill will introduce a binding online code for social media and certain other online platforms, as well as increase penalties and enforcement measures.

Given the significance of the proposed changes to the current penalty provisions and enforcement powers of the Information Commissioner in the Privacy Act, entities should begin to review their current privacy practices to ensure they are Privacy Act compliant. Otherwise, they risk facing significant penalties should the Online Privacy Bill pass both Houses of Parliament in its current form.

What will the Online Privacy Code cover?

The Online Privacy Bill will set out the minimum requirements the Online Privacy Code must include. Specifically, the Online Privacy Code will cover the following issues.

Privacy policies

Entities must ensure that their privacy policies clearly and simply explain the purposes for which they collect, hold, use and disclose personal information.

Collection notices

Notices must be clear and understandable, current and provided in a timely manner. Other notice requirements in addition to APP 5 requirements may be imposed under the Code.

Consent for collection, use and disclosure of personal information

When seeking consent from individuals, consent must be voluntary, informed, unambiguous, specific and current. Entities must seek renewed consent periodically or when circumstances change when collecting "sensitive information".

New requirements

Entities must cease using or disclosing personal information upon request. There are additional protections for children and vulnerable groups.

Who will need to comply with the Online Privacy Code?

The Online Privacy Code will apply to the following private sector organisations that are already subject to the Privacy Act:

• Organisations that provide social media services
• Organisations that provide data brokerage services
• Large online platforms

What are the consequences for breaching the Online Privacy Code?

The Information Commissioner will have the power to investigate potential breaches of the Online Privacy Code, either following a complaint or on the Commissioner's own initiative. The Information Commissioner's full range of enforcement powers will be available in the event an investigation finds that a breach has occurred.

Will there be any exclusions?

The Online Privacy Code will not apply to particular kinds of acts or practices that are exempt under the Privacy Act.

How will the Online Privacy Code be developed?

The process for developing the Online Privacy Code will be based on the existing APP code and Credit Reporting code making processes. Once the Online Privacy Bill receives Royal Assent, the Code will need to be developed and registered within 12 months.

New enforcement powers and penalties

The Online Privacy Bill will introduce the following new enforcement powers and penalty provisions.

Civil penalties

For a natural person, the Bill will increase the maximum civil penalty for serious and repeated interferences with privacy from 2,000 to 2,400 penalty units (ie $532,800).

For a body corporate, the maximum penalty will increase from 10,000 penalty units to an amount not exceeding the greater of:

• $10,000,000
• three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated interference with privacy; or
• if the value cannot be determined, 10% of their domestic annual turnover. Annual turnover is defined in the Online Privacy Bill.

Infringement notices

A new infringement notice provision will be introduced to provide the Information Commissioner an alternative means of resolving matters that arise during an investigation, without resorting to the prosecution of a criminal offence or litigation of a civil matter. The Information Commissioner will have the power to issue an infringement notice where a person fails to comply with the requirement to give information, or provide a document or record to the Information Commissioner when required in relation to investigations.

The infringement notice will be 12 penalty units for individuals (ie $2,664), and 60 penalty units for bodies corporate (ie $13,320). In the event a body corporate fails to comply with an information request and this occurs on multiple occasions and constitutes a system of conduct or pattern of behaviour, the Office of the Australian Information Commissioner may refer matters to the Commonwealth Director of Public Prosecutions to seek a criminal penalty against the body corporate. The maximum penalty unit will increase from 100 to 300 penalty units (ie $66,600).

Enhanced powers

The Information Commissioner's determination powers will also be clarified and enhanced. In addition, the Commissioner will be granted enhanced assessment powers to assess entities' compliance with the Notifiable Data Breaches Scheme.

Clarification of the extraterritorial application of the Privacy Act

The Online Privacy Bill will also clarify the extraterritorial application of the Privacy Act. Currently, foreign organisations must comply with the Privacy Act if the entity has an "Australian link". The Bill will remove the condition that an organisation has to collect or hold personal information from sources inside of Australia. The implication of this change means organisations that do not collect or hold the personal information of Australians directly from a source in Australia will be bound by the Privacy Act.

For advice and support regarding privacy and data requirements and best practice within your organisation, contact our experienced team of legal experts.