Federal Attorney General pledges sweeping data privacy reforms in current parliament

June 29, 2022 |

Today Australian Financial Review reports in Dreyfus pledges sweeping data privacy reforms that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament.  That is within at most 3 years.  He also made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.

This is welcome news although it should be tempered with caution borne of many false dawns in the past.  The commitment is to data privacy laws and not privacy laws per se.  Hopefully the distinction is not significant.  If the reforms ignored legislating a statutory cause of action for interferences with privacy and retained the current regulatory structure where the Information Commissioner was responsible for taking any action for breaches that would be a retrograde step.  Similarly maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two) and the broadly drawn exemptions within the Australian Privacy Principles would be a matter of concern. Hopefully the Government will consider both the Australian Law Reform Commission Reports For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  But it is also important for it to consider legislating standards consistent with the General Data Protection Regulation which came into force on 25 May 2018.

The history of privacy reform has been dismal with ample blame to be assigned on all parties.  The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission Report.  It could have legislated a statutory cause of action, as was recommended.  There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time on serious investigations in privacy in the digital era.  It was can kicking.  The issues were no different even if the impact of the digital economy was greater.  The Coalition when in government has done the bare minimum in reforming the Privacy Act 1988.  It made no effort to consider the recommendations of the ALRC 2008 and effectively shelved the Serious Invasions Report when it was completed in 2014.  It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion.  Why a departmental investigation would be better than 2 ALRC reports is not clear.  The business community have doggedly resisted any form of privacy rights which gives individuals a direct right of action.  The rationale has always been weak but now is just anachronistic.  The Business Council  of Australia lauds the conciliation process run by the Information Commissioner as being largely successful in resolving complaints.  And why wouldn’t the Business Council support the status quo.  The Information Commissioner deals with complaints quietly and settlements are miserly.  It is also a timid regulator.  As business organisations hate the light it is a system that suits malefactors.  And business likes the small business exemption, which makes no logical sense given businesses with a turnover of less than $3 million can hold masses of personal information but is beyond regulation.  Of course media organisations have chosen sectional interest over public good in wanting to retain the media exemption. The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong headed as it is possible to be in constraining the definition of personal information and regarding data collected by Telstra could not be used to identify Ben Grubb, and therefore be personal information.  It is an analog decision in the digital era. What is also clear is that principles based legislation is not easy to work with.  The terms are vague and the exemptions many.

Against this grim backdrop one can only hope the Government will look as much overseas as with the Australian Law Reform Commission’s recommendation when implementing the reform.  It should also not be afraid of a root and branch change to the Privacy Act 1988.  It is a weak vessel.

The article provides:

After more than a decade of reviews and reports calling for an overhaul of Australia’s anachronistic privacy regime, Attorney-General Mark Dreyfus has committed to “sweeping reforms” to data privacy laws in the life of the current parliament.
“Everyone agrees that the Commonwealth Privacy Act is out of date and in need of reform for the digital age,” Mr Dreyfus told The Australian Financial Review.
“Unlike the previous government, which let this languish through three whole terms in government, I intend to act on this in our first term.”
Mr Dreyfus said his department was considering the extensive feedback on its discussion paper that suggests more than 70 major changes to the Privacy Act.
He said it had taken three years for the previous government to get data breach reforms that he proposed when he was attorney-general in 2013.
“There’s a whole range of much more sweeping reforms that are needed to our Privacy Act,” Mr Dreyfus told ABC radio on Tuesday.
“I am hoping to bring that final report of reform proposals into the public [domain] and having a proper debate in coming months.”
When attorney-general in 2013, Mr Dreyfus pushed to strengthen privacy rights, commissioning a law reform inquiry into the design of a new tort for serious breaches of privacy.
The commitment to finally align data laws with Europe and parts of North America comes as business groups remain strongly opposed to the creation of new citizen privacy rights and protections proposed by law reformers, regulators, privacy experts and practitioners.
These advocates are arguing for citizens to be able to sue for serious privacy breaches, a wind-back of politically sensitive exemptions for small business, politicians, media and employment records.
Privacy experts are also calling for less reliance on “faux consent”, arguing that privacy policies are rarely read and are illusory in terms of giving consumers any sort of protection.
Business unconvinced
Business groups are unconvinced about the creation of new privacy rights.
“We do not support creation of a direct right of action or statutory tort,” the Business Council of Australia said.
“We are yet to see compelling evidence that there is a need for these, particularly as the Office of the Australian Information Commissioner has reported that its conciliation process has been largely successful in resolving complaints.
“Given the substantial other changes canvassed in this discussion paper, it would be premature to introduce a tort that would often overlap with the protections of the Australian Privacy Principles.”
Instead, business groups are calling for the Privacy commissioner to be resourced to take appropriate enforcement action and continue to be the arbiter of priorities in enforcing the Privacy Act.
The Australian Industry Group is leading the lobby to retain the small business exemption, but significantly is not being supported by the Business Council.
Media groups (including Nine Entertainment, the publisher of the Financial Review) have continued to push back against proposals to limit the media exemption to just public interest journalism.
“People would decline to provide consent to publication of sensitive information which they did not want known, even when it was true,” Nine said in its submission.
The review comes after the 2019 Australian Competition and Consumer Commission (ACCC) digital platforms report endorsed calls by the Australian Law Reform Commission in 2010 and again in 2014 to create a new tort to enable citizens to bring actions for egregious privacy breaches.
This followed the News of the World phone hacking scandal in the UK, where journalists obtained personal information by hacking into voicemail systems.
A 2020 survey commissioned by the Privacy Commissioner found that 78 per cent of people supported the right to seek compensation in the courts for a breach of privacy.
The survey found only 20 per cent read and are confident that they understand privacy policies on internet sites.
In its latest submission, the ACCC said it “strongly supports strengthened protections” in the Privacy Act and considers the privacy-specific proposals included in the discussion paper are “critical to empowering consumers, protecting their data and supporting the digital economy”.
Australia unique
Australian privacy regulation continues to be a hotchpotch of federal and state regulations and principles with large exemptions, which University of NSW privacy expert Graeme Greenleaf says is thwarting many Australian businesses seeking to operate in Europe.
Australia is unique among OECD countries in giving businesses with an annual income of less than $2 million an exemption from the Privacy Act. Politicians and journalists are also exempted, with the act also exempting privacy breaches of employee records from oversight.
“The explanation is probably that the government is still terrified to touch these politically sensitive exemptions. The fear remains, even when the discussion paper cannot cite any ‘comparable’ country with a wholesale exemption of ‘small businesses’ from its law,” Professor Greenleaf said
“One consequence of Australia’s frozen position on exemptions is that it makes a positive EU adequacy decision very unlikely.”
Under EU rules, foreign companies are deemed to be in compliance with European data protection laws if the local jurisdiction they primarily operate in is considered “adequate”.
Data policy expert Peter Leonard, a former partner at law firm Gilbert + Tobin, said there was “growing consensus that the Australian Privacy Act, in common with similar statutes in other jurisdictions, needs a major overhaul”.
“Australian policymakers should exercise particular caution to avoid, wherever reasonably practicable, devising regulatory measures that lead to Australia-specific, regulation-induced costs for Australian entities in cross-border dealings,” Mr Leonard said.
He pointed to the need to create a regime based on legal rights as opposed to simply improving transparency.
“Without an overarching foundation or guardrail of a legal right to privacy conferred by domestic statute and enforceable by affected individuals, the Australian Privacy Act is more heavily dependent upon transparency to affected individuals as the key control or safeguard of privacy than is the case for legal rights-based privacy statutes in other jurisdictions.”

In his interview with the Law Report the Attorney General had this to say about the reforms to the Privacy Act:

KUKOLJA: One of the most significant reforms facing Australia is the review of the Commonwealth Privacy Act, and it’s the wide ranging legislation that governs how our personal information is used. It predates the Internet, it’s out of step with the digital age. You’ve inherited the review of the Act, some two years into the process, and public submissions closed six months ago, how soon could that report be handed to government and made public?

DREYFUS: I’m hoping with, as with so many are so many other areas, that the work that’s been done by the Attorney-General’s Department, but not progressed by the former government, can in fact be progressed. As you said in your question then, this is an area of the law which just has not kept pace with the changes in the digital world. Again, when last in government, I brought to the Parliament data breach notification laws. They passed the House of Representatives – I’ve got a very sharp memory of them in the first part of 2013 – and it took the incoming government nearly three years to bring those reforms back to the Parliament and pass them through both houses and that was a pretty straightforward data breach notification set of requirements. There’s a whole range of much more sweeping reforms that are needed to our Privacy Act. I am hoping to bring that final report of reform proposals into the public and having a proper debate in coming months.

KUKOLJA: The Office of the Information Commissioner recommended numerous changes to the Act in its submission to the government discussion paper. What do you consider to be the greatest dangers to privacy and personal information?

DREYFUS: I think that the greatest dangers are people losing control of their own information. That personal information is being used in ways which is invasive, in ways in which people have not consented to the use of their information. So, giving individuals greater control over their own information, making it possible for people to make really informed choices about the way in which information about them is being used. That’s the most important aspect.

That has led to some fevered speculation by some privacy practitioners as to what all of this means such as:

  • greater scrutiny on the operational effect of policies rather than a tick box compliance.
  • greater concern about, scrutiny of and liability relating to poor privacy procedures and data breaches by third parties who have been contracted to handle personal information. In particular reliance on contracts to show compliance with the legislation may not be enough.  .
  • increased transparency regarding  how individuals data and personal information is managed and protected. What has been suggested includes cyber security labels,  ‘privacy by design’ structures and ‘privacy by default’ expectation and continuous obligation to have comprehensive privacy management program.
  • greater action by regulators.  That has been promised or expected for years.  Legislation is not enough to solve that problem.
  • a direct right of action for an individual or group of individuals including class actions for large data breaches.

All shall be revealed when the Government makes its announcement as to what reforms it proposes to implement.  Unfortunately no time line has been specified.

Leave a Reply





Verified by MonsterInsights