Federal Attorney General pledges sweeping data privacy reforms in current parliament
June 29, 2022
Today the Australian Financial Review reports, in “Dreyfus pledges sweeping data privacy reforms”, that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament. That is within at most 3 years. The Attorney-General also made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.
This is welcome news, although it should be tempered with caution born of many false dawns in the past. The commitment is to data privacy laws and not privacy laws per se. Hopefully the distinction is not significant. If the reforms ignored legislating a statutory cause of action for interferences with privacy, and retained the current regulatory structure where the Information Commissioner is responsible for taking any action for breaches, that would be a retrograde step. Similarly, maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two), and the broadly drawn exemptions within the Australian Privacy Principles, would be a matter of concern. Hopefully the Government will consider both of the Australian Law Reform Commission reports: For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) of 2014. But it is also important for it to consider legislating standards consistent with the General Data Protection Regulation, which came into force on 25 May 2018.
The history of privacy reform has been dismal, with ample blame to be assigned to all parties. The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission Report. It could have legislated a statutory cause of action, as was recommended. There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time on serious invasions of privacy in the digital era. It was can kicking. The issues were no different even if the impact of the digital economy was greater. The Coalition, when in government, has done the bare minimum in reforming the Privacy Act 1988. It made no effort to consider the recommendations of the 2008 ALRC report and effectively shelved the Serious Invasions Report when it was completed in 2014. It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion. Why a departmental investigation would be better than 2 ALRC reports is not clear.
The business community has doggedly resisted any form of privacy rights which gives individuals a direct right of action. The rationale has always been weak but now is just anachronistic. The Business Council of Australia lauds the conciliation process run by the Information Commissioner as being largely successful in resolving complaints. And why wouldn’t the Business Council support the status quo? The Information Commissioner deals with complaints quietly and settlements are miserly. It is also a timid regulator. As business organisations hate the light, it is a system that suits malefactors. And business likes the small business exemption, which makes no logical sense given that businesses with a turnover of less than $3 million can hold masses of personal information but are beyond regulation. Of course, media organisations have chosen sectional interest over public good in wanting to retain the media exemption.
The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong-headed as it is possible to be in constraining the definition of personal information and in regarding data collected by Telstra as something that could not be used to identify Ben Grubb, and therefore could not be personal information. It is an analog decision in the digital era. What is also clear is that principles-based legislation is not easy to work with. The terms are vague and the exemptions many.
Against this grim backdrop one can only hope the Government will look as much overseas as to the Australian Law Reform Commission’s recommendations when implementing the reform. It should also not be afraid of a root and branch change to the Privacy Act 1988. It is a weak vessel.
The article provides:
In his interview with the Law Report the Attorney General had this to say about the reforms to the Privacy Act:
KUKOLJA: One of the most significant reforms facing Australia is the review of the Commonwealth Privacy Act, and it’s the wide ranging legislation that governs how our personal information is used. It predates the Internet, it’s out of step with the digital age. You’ve inherited the review of the Act, some two years into the process, and public submissions closed six months ago, how soon could that report be handed to government and made public?
DREYFUS: I’m hoping with, as with so many are so many other areas, that the work that’s been done by the Attorney-General’s Department, but not progressed by the former government, can in fact be progressed. As you said in your question then, this is an area of the law which just has not kept pace with the changes in the digital world. Again, when last in government, I brought to the Parliament data breach notification laws. They passed the House of Representatives – I’ve got a very sharp memory of them in the first part of 2013 – and it took the incoming government nearly three years to bring those reforms back to the Parliament and pass them through both houses and that was a pretty straightforward data breach notification set of requirements. There’s a whole range of much more sweeping reforms that are needed to our Privacy Act. I am hoping to bring that final report of reform proposals into the public and having a proper debate in coming months.
KUKOLJA: The Office of the Information Commissioner recommended numerous changes to the Act in its submission to the government discussion paper. What do you consider to be the greatest dangers to privacy and personal information?
DREYFUS: I think that the greatest dangers are people losing control of their own information. That personal information is being used in ways which is invasive, in ways in which people have not consented to the use of their information. So, giving individuals greater control over their own information, making it possible for people to make really informed choices about the way in which information about them is being used. That’s the most important aspect.
That has led to some fevered speculation by some privacy practitioners as to what all of this means, such as:
- greater scrutiny of the operational effect of policies rather than tick-box compliance.
- greater concern about, scrutiny of and liability relating to poor privacy procedures and data breaches by third parties who have been contracted to handle personal information. In particular, reliance on contracts to show compliance with the legislation may not be enough.
- increased transparency regarding how individuals’ data and personal information is managed and protected. What has been suggested includes cyber security labels, ‘privacy by design’ structures, a ‘privacy by default’ expectation and a continuous obligation to have a comprehensive privacy management program.
- greater action by regulators. That has been promised or expected for years. Legislation is not enough to solve that problem.
- a direct right of action for an individual or group of individuals including class actions for large data breaches.
All shall be revealed when the Government makes its announcement as to what reforms it proposes to implement. Unfortunately, no timeline has been specified.