Australian privacy law reform update: Privacy Act review

Privacy Act review

The Australian Government's commitment to privacy law reform in Australia continues, taking another step forward along the privacy law reform path.

The Attorney-General's Department recently released its Privacy Act 1988 Discussion Paper and the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), in response to the release of the Australian Competition and Consumer Commission's Digital Platforms Inquiry Final Report (26 July 2019).

The Australian Government's review of the Privacy Act 1988 (Cth) is broad in scope and is considering a range of issues and proposed changes to the Act to strengthen the privacy protections of individuals, enhance the Information Commissioner's enforcement and investigation powers and introduce new standards consistent with international privacy laws.

Learn more about the key takeaways from the Discussion Paper below or click here for more information about the key provisions of the Online Privacy Bill.

Discussion Paper focus

The Discussion Paper broadly covers three topics:

• scope and application of the Privacy Act;
• privacy protections; and
• regulation and enforcement.

Each topic explores a range of issues, stakeholder perspectives and potential areas for reform of the Privacy Act. Explore the key issues and proposals from each topic in more detail below.

Broadening the definition of "personal information"

The Discussion Paper highlights the need to amend the definition of "personal information". Whilst the definition of "personal information" was always intended to be expansive, it is uncertain in its application to technical and inferred information.

It is proposed that the definition of "personal information" be amended to make it clear that it includes technical and inferred information and would be supported by a non-exhaustive list of the types of information capable of falling within the new definition.

Privacy Act exemptions

Currently the Privacy Act does not apply to small businesses with an annual turnover of less than $3 million or employee records held by organisations. Yet again, a Privacy Act review is shining a spotlight on these two exemptions and whether the exemptions should continue to exist in their current form.

Notification and collection of personal information

It is proposed that an express requirement be introduced in APP 5 that collection notices be "clear, current and understandable" and the requirement for when a collection notice is required be strengthened. The Discussion Paper also notes the broad support for standardised privacy notices and such notices could be considered in the development of an APP code.

Consent

It is proposed that the definition of consent be strengthened, requiring it to be voluntary, informed, current, specific and an unambiguous indication through clear action. This proposed definition suggests a step towards requiring entities to obtain "opt-in" consent.

Right to erasure

Currently individuals do not have an express right under the Privacy Act to request erasure of their personal information. The review is considering the benefits and challenges of permitting erasure requests under the Privacy Act. It is proposed that an individual may request erasure of their personal information in limited circumstances.

Overseas data flows

Currently under APP 8.2(a) an entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the entity reasonably believes the recipient is subject to a law or binding scheme that has the effect of protecting personal information in a way that is at least substantially similar to the APPs and individuals can enforce that protection. However, no further guidance is provided in respect of what laws or binding schemes would satisfy the requirements of APP 8.2(a).

It is proposed the Privacy Act be amended to introduce a mechanism to prescribe countries and certification schemes under APP 8.2(a). In addition, standard contractual clauses would be made available to APP entities to facilitate overseas disclosure of personal information. Interestingly, it is proposed that the informed consent exception to disclosing personal information to overseas recipients be removed.

Enforcement

Currently the Privacy Act includes a civil penalty provision for privacy breaches that are "serious" or "repeated" (section 13G). It is proposed that tiers of civil penalty provisions be introduced to give the Office of the Australian Information Commissioner more regulatory response options.

Direct rights of action

Currently individuals who suffer an alleged interference with their privacy have very limited rights under the Privacy Act. It is proposed that a direct right of action be introduced. The Discussion Paper also canvasses four options to introduce a statutory tort for the invasion of privacy.

Overall observations

It is evident from the Discussion Paper the Australian Government is considering strengthening the enforcement provisions and investigation powers of the Information Commissioner, amending the Privacy Act to better protect individuals operating in a digital age and moving towards international privacy law standards in some areas.

If the Australian Government continues to strengthen the Privacy Act in line with the proposals canvassed in the Discussion Paper, it will mark a significant step in the evolution of privacy laws in Australia.

However, we are still at the early stage of the law reform process. It remains to be seen what proposals and commitments will turn into law.

The Attorney-General's Department is seeking submissions in response to the Discussion Paper until 10 January 2022.

We are watching this reform process with interest and will release updates as the Privacy Act review progresses.

For advice and support regarding privacy and data requirements and best practice within your organisation, contact our experienced team of legal experts.