Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020
October 30, 2020
Today the Attorney General announced a(nother) review of the Privacy Act 1988. That was part of a response to the ACCC Digital Platforms Inquiry. In doing so he released an 89-page Issues Paper.
The media release provides:
The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act).
The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.
These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.
The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.
The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website.
The objective is to consider whether the scope of the Act and its enforcement mechanisms are fit for purpose. Any review properly conducted should come to a resounding no.
The terms of reference are:
The review will examine and, if needed, consider options for reform on matters including:
- The scope and application of the Privacy Act including in relation to:
  - the definition of ‘personal information’
  - current exemptions, and
  - general permitted situations for the collection, use and disclosure of personal information.
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to:
  - notification requirements
  - consent requirements including default privacy settings
  - overseas data flows, and
  - erasure of personal information.
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act.
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives.
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The review builds on reforms announced in March 2019 to increase the maximum civil penalties under the Privacy Act and develop a binding privacy code to apply to social media platforms and other online platforms that trade in personal information.
The review will draw on a range of sources. The review will:
- Invite submissions on matters for consideration in the review
- Meet with stakeholders on specific issues
- Consider research and reports which consider privacy issues, including the:
  - ACCC Digital Services Advertising Inquiry
  - ACCC Digital Platforms Inquiry Final Report, 2019
  - Data Availability and Use, Productivity Commission Inquiry Report, 2017
  - Serious Invasions of Privacy in the Digital Era, ALRC Final Report 123, 2014
  - For Your Information: Australian Privacy Law and Practice, ALRC Report 108, 2008
The complete list of questions to be considered is:
Objectives of the Privacy Act
- Should the objects outlined in section 2A of the Act be changed? If so, what changes should be made and why?
Definition of personal information
- What approaches should be considered to ensure the Act protects an appropriate range of technical information?
- Should the definition of personal information be updated to expressly include inferred personal information?
- Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?
- Are any other changes required to the Act to provide greater clarity around what information is ‘personal information’?
Flexibility of the APPs in regulating and protecting privacy
- Is the framework of the Act effective in providing flexibility to cater for a wide variety of entities, acts and practices, while ensuring sufficient clarity about protections and obligations?
Exemptions
Small business exemption
- Does the small business exemption in its current form strike the right balance between protecting the privacy rights of individuals and avoid imposing unnecessary compliance costs on small business?
- Is the current threshold appropriately pitched or should the definition of small business be amended?
- If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way?
- Are there businesses or acts and practices that should or should not be covered by the small business exemption?
- Would it be appropriate for small businesses to be required to comply with some but not all of the APPs?
- If so, what obligations should be placed on small businesses?
- What would be the financial implications for small business?
- Would there be benefits to small business if they were required to comply with some or all of the APPs?
- Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?
Employee records exemption
- Is the personal information of employees adequately protected by the current scope of the employee records exemption?
- If enhanced protections are required, how should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed?
- Should some but not all of the APPs apply to employee records, or certain types of employee records?
Political parties exemption
- Should political acts and practices continue to be exempted from the operation of some or all of the APPs?
Journalism exemption
- Does the journalism exemption appropriately balance freedom of the media to report on matters of public interest with individuals’ interests in protecting their privacy?
- Should the scope of organisations covered by the journalism exemption be altered?
- Should any acts and practices of media organisations be covered by the operation of some or all of the APPs?
Notice of Collection of Personal Information
Improving awareness of relevant matters
- Does notice help people to understand and manage their personal information?
- What matters should be considered to balance providing adequate information to individuals and minimising any regulatory burden?
- What sort of requirements should be put in place to ensure that notification is accessible; can be easily understood; and informs an individual of all relevant uses and disclosures?
Third party collections
- Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information?
Limiting information burden
- What measures could be used to ensure individuals receive adequate notice without being subject to information overload?
- Would a standardised framework of notice, such as standard words or icons, be effective in assisting consumers to understand how entities are using their personal information?
Consent to collection and use and disclosure of personal information
Consent to collection, use and disclosure of personal information
- Is consent an effective way for people to manage their personal information?
- What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed?
- Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information? What would be the benefits or disadvantages of requiring individual consents for each primary purpose?
- Are the existing protections effective to stop the unnecessary collection of personal information?
- If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary for providing the relevant product or service, should that be grounds to deny them access to that product or service?
- What requirements should be considered to manage ‘consent fatigue’ of individuals?
Exceptions to the requirement to obtain consent
- Are the current general permitted situations and general health situations appropriate and fit-for-purpose? Should any additional situations be included?
Pro-consumer defaults
- Should entities collecting, using and disclosing personal information be required to implement pro-privacy defaults for certain uses and disclosures of personal information?
Obtaining consent from children
- Should specific requirements be introduced in relation to how entities seek consent from children?
The role of consent for IoT devices and emerging technologies
- How can the personal information of individuals be protected where IoT devices collect personal information from multiple individuals?
Inferred sensitive information
- Does the Act adequately protect sensitive information? If not, what safeguards should be put in place to protect against the misuse of sensitive information?
- Does the definition of ‘collection’ need updating to reflect that an entity could infer sensitive information?
Direct marketing
- Does the Act strike the right balance between the use of personal information in relation to direct marketing? If not, how could protections for individuals be improved?
Withdrawal of consent
- Should entities be required to refresh an individual’s consent on a regular basis? If so, how would this best be achieved?
- Should entities be required to expressly provide individuals with the option of withdrawing consent?
- Should there be some acts or practices that are prohibited regardless of consent?
Emergency declarations
- Is an emergency declaration appropriately framed to facilitate the sharing of information in response to an emergency or disaster and protect the privacy of individuals?
Regulating use and disclosure
- Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities?
Control and security of personal information
Security and retention
- Are the security requirements under the Act reasonable and appropriate to protect the personal information of individuals?
- Should there be greater requirements placed on entities to destroy or de-identify personal information that they hold?
Access, quality and correction
- Should amendments be made to the Act to enhance:
  - transparency to individuals about what personal information is being collected and used by entities?
  - the ability for personal information to be kept up to date or corrected?
Right to erasure
- Should a ‘right to erasure’ be introduced into the Act? If so, what should be the key features of such a right? What would be the financial impact on entities?
- What considerations are necessary to achieve greater consumer control through a ‘right to erasure’ without negatively impacting other public interests?
Overseas data flows and third party certification
- What are the benefits and disadvantages of the current accountability approach to cross-border disclosures of personal information?
- Are APP 8 and section 16C still appropriately framed?
- Is the exception to extraterritorial application of the Act in relation to acts or practices required by an applicable foreign law still appropriate?
- What (if any) are the challenges of implementing the CBPR system in Australia?
- What would be the benefits of developing a domestic privacy certification scheme, in addition to implementing the CBPR system?
- What would be the benefits or disadvantages of Australia seeking adequacy under the GDPR?
Enforcement powers under the Privacy Act and role of the OAIC
- Is the current enforcement framework for interferences with privacy working effectively?
- Does the current enforcement approach achieve the right balance between conciliating complaints, investigating systemic issues, and taking punitive action for serious non-compliance?
- Are the remedies available to the Commissioner sufficient or do the enforcement mechanisms available to the Commissioner require expansion?
- If so, what should these enforcement mechanisms look like?
Direct right of action
- How should any direct right of action under the Act be framed so as to give individuals greater control over their personal information and provide additional incentive for APP entities to comply with their obligations while balancing the need to appropriately direct court resources?
Statutory tort
- Is a statutory tort for invasion of privacy needed?
- Should serious invasions of privacy be addressed through the criminal law or through a statutory tort?
- What types of invasions of privacy should be covered by a statutory tort?
- Should a statutory tort of privacy apply only to intentional, reckless invasions of privacy or should it also apply to breaches of privacy as a result of negligence or gross negligence?
- How should a statutory tort for serious invasions of privacy be balanced with competing public interests?
- If a statutory tort for the invasion of privacy was not enacted, what other changes could be made to existing laws to provide redress for serious invasions of privacy?
Notifiable Data Breaches scheme – impact and effectiveness
- Have entities’ practices, including data security practices, changed due to the commencement of the NDB Scheme?
- Has the NDB Scheme raised awareness about the importance of effective data security?
- Have there been any challenges complying with the data breach notification requirements of other frameworks (including other domestic and international frameworks) in addition to the NDB Scheme?
Interaction between the Act and other regulatory schemes
- Should there continue to be separate privacy protections to address specific privacy risks and concerns?
- Is there a need for greater harmonisation of privacy protections under Commonwealth law?
- If so, is this need specific to certain types of personal information?
- Are the compliance obligations in certain sectors proportionate and appropriate to public expectations?
The issues paper is not a bad summation of the issues and provides some useful context as to how the Privacy Act was originally drafted and the amendments made over the years. However, it is a very “by the numbers” cautious analysis of what has been considered in more detail and more eloquently by the Australian Law Reform Commission in 1983 and in particular in 2008 and 2014, the ACCC in its Digital Platforms Inquiry Report, multiple Parliamentary Enquiries, such as Eyes in the Sky in 2014, the Victorian Law Reform Commission reports on surveillance in public places and Workplace Privacy, and the New South Wales Law Reform Commission report on Privacy in 2009. And these are just the more recent and prominent reports. There are others.
In the last 20 years all reports on privacy and enforcement have recommended that there should be a statutory tort dealing with interferences with privacy. It is a good enough issues paper but mainly touches on matters canvassed previously. Why it is necessary for the Attorney General’s Department to cover this ground when better qualified bodies have already done the work is the question. Advances in technology, with the corresponding increased potential to interfere with personal information, make this issue more topical and pressing, but the issues have been constant and the need for reform has always been there. The inadequacy of the Privacy Act and its enforcement is not in any way related to developments in technology.
Unfortunately the answer to why this well-trodden field is being reploughed now is more about politics than public policy. The Government, like ALP governments before it, is content to kick this issue down the road. That is why it did not agree to the ACCC’s recommendation that there be greater protections and a statutory tort of privacy, instead going down the path of having another, now in-house, review.
There are no direct questions as to the effectiveness of the Information Commissioner’s Office. If a root and branch review of this area of the law were to take place, as it should, the dismal leadership of Commissioners present and prior and the inept performance of the Office should be investigated. Unfortunately, yet again the Commissioner avoids appropriate scrutiny. The Commissioner has been quick out of the box with a media release that is typically anodyne and amorphous. It provides:
The Australian Government’s review of the Privacy Act is a landmark opportunity to ensure our privacy framework can respond to new challenges in the digital environment, Australian Information Commissioner and Privacy Commissioner Angelene Falk said today.
The review is being led by the Attorney-General’s Department which today released its terms of reference and timeline for the review, along with an Issues Paper.
Commissioner Falk welcomed the review as an important step to ensure effective regulation that protects the community’s personal information and supports an innovative economy into the future.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” she said.
“The review of the Privacy Act will help ensure that our regulatory framework can protect personal information into the future and hold organisations to account.
“Issues such as consent requirements, additional privacy rights, accountability measures and the Privacy Act’s coverage are fundamental to how we address the privacy challenges of the future.
“Our recent Australian Community Attitudes to Privacy Survey 2020 provides a comprehensive view of Australians’ beliefs and concerns about the protection of personal information and is a detailed resource that can inform all parties engaging with the review.
“My office looks forward to playing a key role in the review process, delivering on our core function to provide advice on the need for legislative action in the interests of individuals’ privacy. We have undertaken a program of preparatory work to support our engagement in the law reform process.”
Commissioner Falk said the OAIC’s data protection experience indicates there are four key elements to support effective privacy regulation over the next decade:
- Global interoperability – making sure our laws continue to connect around the world, so our data is protected wherever it flows
- Enabling privacy self-management – so individuals can exercise meaningful choice and control
- Organisational accountability – ensuring there are sufficient obligations built into the system, and
- A contemporary approach to regulation – having the right tools to regulate in line with community expectations.
What waffle! The Australian Information Commissioner’s Office is the ultimate “Gray Man” organisation of the Australian Public Service. It is invisible for all practical purposes and when required to say something, what is produced is utterly forgettable.
Submissions close on 29 November 2020. That is not the shortest time frame but it is far from generous given the number of questions and their scope. That is particularly the case given the Government has taken 15 months to put out an issues paper.
Even though the announcement was timed to “go out with the trash”, a late Friday release, it has been covered by Zdnet with Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance.
Australia’s Attorney-General Christian Porter announced on Friday the terms of reference and issues paper that his department will use as a basis for its review of the Privacy Act.
The wide-ranging review will consider the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.
The review was agreed to as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.
In posing 67 questions for submissions to respond to, the Attorney-General’s Department (AGD) has asked whether the definition of personal information should be extended to inferred personal information as well as whether additional protections should be extended to de-identified, anonymised, and pseudonymised information.
Of particular interest in the paper was the failure of Australian privacy laws to be compatible with those in Europe, especially the General Data Protection Regulation (GDPR), with exemptions created in the Australian law two decades ago being a roadblock.
“The [Australian Law Reform Commission (ALRC)] noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada, and the European Union) exempts small businesses from the general privacy law,” the paper said.
“The Senate Committee inquiry further recommended the removal of the exemption given the privacy regimes in overseas jurisdictions have operated effectively without a small business exemption and that the existence of the exemption was one of the key outstanding issues preventing Australia from seeking adequacy with the EU.
“[The ALRC] also noted that the United Kingdom does not exempt employee records and that removing the exemption may facilitate recognition of the adequacy of Australian privacy law by the EU.”
On the flip side, the paper pointed out that only the UK and Germany were in Australia’s top 15 two-way trading partners while other economies around the Asia-Pacific made up 72% of trade. The EU only accounted for 13.5%.
“As less trade is undertaken with the EU than within the APEC region, the government’s recent priority has been to ensure adequate privacy protections within and between APEC economies,” the AGD said.
“Requiring businesses to comply with different information handling requirements under the Act, [Cross-Border Privacy Rules] and GDPR could result in a regulatory landscape that is overly complex. On the other hand, compliance with the GDPR may give businesses a competitive advantage in engendering consumer trust.”
Currently in Australia, if a business has revenue under AU$3 million, it is exempt from the Act, and the paper wrestled with the idea of whether a threshold should remain, and if so, what should it be since businesses under that threshold could handle sensitive personal information yet maintaining the threshold could increase compliance costs for those businesses.
Leaning on the ACCC’s recommendations, the paper raised the prospect of requiring organisations requesting personal data to implement defaults to make collection of information opt-in. It also asked whether individuals should be made to consent for each purpose and time their information is collected and whether the core concept of consent was effective.
The paper also asked whether there should be higher requirements to destroy or de-identify personal information that is held by organisations and whether Australia should have a “right to erasure”, which would be an analogue to Europe’s right to be forgotten.
The potential of handing Australians the power to initiate court action to seek compensation from privacy breaches was also raised — Australians currently can only directly apply for an injunction — and questions on how to stop the courts being filled with actions over “trivial breaches”, such as funnelling complaints via the Office of the Information Commissioner for conciliation or capping damages, were also asked.
The paper also discussed the idea of whether a statutory tort of privacy was needed, with the AGD saying it would allow for privacy breaches not covered by the Privacy Act to be caught, but also that recent criminal legislation may lower the need for such a tort.
“A key issue for the design of a statutory tort of privacy is the types of liability it would cover. That is, liability based on intention, liability based on negligence or strict liability,” the AGD said.
“The ALRC recommended that a statutory tort should be confined to intentional or reckless invasions of privacy and should not extend to negligent invasions of privacy or attract strict liability. However, it is questionable that an invasion of privacy due to gross negligence where a person may not have been reckless but failed to exercise even the slightest degree of care and diligence in relation to an obvious risk should be outside scope.”
The terms of reference also stated the review would not look into any changes to the Privacy Act that were made to cater for the government’s COVIDSafe app, nor recent changes made to credit reporting.
Submissions to the review have a deadline of November 29, with a discussion paper set to appear early next year. A date for the final report was not specified.
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Porter said.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers, and support the growing digital economy.”
The review will also examine the effectiveness of the Notifiable Data Breaches scheme.
“The NDB Scheme commenced on 22 February 2018. There are therefore some difficulties in determining at this stage whether the scheme has achieved its long term objectives,” the AGD said.
The story has been picked up by the Australian Financial Review with Government to consider new privacy rights for citizens which is basically a melange of the releases from the Attorney General’s Department and the Information Commissioner, providing:
Individuals could be compensated for privacy breaches under a wide-ranging review of privacy announced by federal Attorney-General Christian Porter.
The terms of reference for the long-awaited review were announced today, 10 months after the government accepted the Australian Competition and Consumer Commission recommendation to overhaul privacy laws as part of its investigation into Google’s and Facebook’s digital platforms.
“Several recommendations from that inquiry – which the government has already agreed to in principle – will be considered as part of the review,” Mr Porter said.
“These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.”
The terms of reference have been drafted widely with the review to consider the scope and application of the 1988 Privacy Act, opening the possibility of a national privacy regime to replace the patchwork of state-based and federal privacy regulations.
The review will consider whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act, creating a personal privacy right.
Aggrieved citizens currently have to complain to state or federal privacy regulators if they believe their privacy has been breached.
The terms of reference also include consideration “whether a statutory tort for serious invasions of privacy should be introduced into Australian law”.
This opens the opportunity to seek compensation for breaches of privacy.
A binding privacy code
The review will be conducted by the Attorney-General’s Department and public submissions on an 89-page issues paper can be lodged up until November 29, 2020.
A further opportunity to comment will also be available following the release of a discussion paper early next year.
No date was given as to when the review will report.
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
Mr Porter said the review was separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.
The Privacy Commissioner, Angelene Falk, welcomed the review as an important step to ensure effective regulation that protects the community’s personal information and supports an innovative economy into the future.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” she said.
“The review of the Privacy Act will help ensure that our regulatory framework can protect personal information into the future and hold organisations to account.”
Ms Falk said the OAIC’s data protection experience indicated there are four key elements to support effective privacy regulation over the next decade:
- Global interoperability – making sure our laws continue to connect around the world, so our data is protected wherever it flows
- Enabling privacy self-management – so individuals can exercise meaningful choice and control
- Organisational accountability – ensuring there are sufficient obligations built into the system, and
- A contemporary approach to regulation – having the right tools to regulate in line with community expectations.
“Issues such as consent requirements, additional privacy rights, accountability measures and the Privacy Act’s coverage are fundamental to how we address the privacy challenges of the future,” she said.
It is a fairly naive piece.
The Sydney Morning Herald has covered the release, with reference to the right to erase data, while itnews with Govt kicks off long-awaited Privacy Act review provides a summary of what the review will look at.
The process begins. The next step after the consultation process is to await the discussion paper. It is a very familiar path.