Federal Attorney General’s Department completes its review of the Privacy Act and recommends 116 changes. Onto the next step
February 17, 2023 |
It has taken almost 4 years for the Attorney General to undertake a review of the Privacy Act but it has done it. That report was published yesterday. That review is on top of an Australian Law Reform Commission Report in both 2008 and 2014, dealing with identical issues. It has not been a stellar moment for public policy reform.
The report can be found here. The Report is open for submissions until 31 March 2023. The usual process is then for the Government to provide its response. At some point there will be a draft proposed Bill, probably before the Parliament rises for the winter recess. If the Government is intent on pushing the reforms through promptly, a Bill will be introduced in the Spring session and referred off to committees. It will then be debated and voted upon later in the year, with a view to being passed before the end of 2023 and taking effect in 2024. Given the Government is on a 3 year cycle and the next House of Representatives election must be held by 27 September 2025, it is unlikely that the process will be lengthy.
There are 116 recommendations. Some of the most important are:
- proposal 4 recommends the definition of personal information be amended to change the word “about” to “relates to”. This change would allow the definition to capture a broader range of information. The change would also bring the definition in line with other Commonwealth legislation that uses ‘relating to’ when regulating information on privacy (for example, the Competition and Consumer Act 2010 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)) and bring the Privacy Act definition in line with the language used in the GDPR definition of ‘personal data’. The Report also proposes that any inferred or generated information will be deemed to have been ‘collected’ within the meaning of the Privacy Act. This will have important consequences for the AI industry.
- proposal 12 recommends a requirement for entities to act fairly and reasonably when collecting, using and disclosing personal information, which will be an objective test. It will apply regardless of any consent.
- proposal 11 amends the definition of consent to make it clear that consent must be voluntary, informed, current, specific and unambiguous.
- proposal 26 recommends a direct right of action for those who have suffered loss or damage as a result of an interference with their privacy. The claim can be made individually or as a representative action in the Federal Court or the Federal Circuit Court. Individuals will have to make a complaint to the OAIC prior to commencing court action.
- under proposals 4.5 – 4.8 there will be additional obligations to de-identify information. Those amendments would extend APP 11.1 and APP 8 to apply to de-identified datasets. The Report also recommends prohibiting APP entities from re-identifying de-identified information received from a third party and introducing a new criminal offence for “malicious” re-identification intended to harm or cause illegitimate benefit.
- under proposal 28 there will be stricter time frames for Notifiable Data Breaches. The Report recommends falling into line with the GDPR time frame of 72 hours from when the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The Report also recommends requiring more detailed statements of what steps the entity has taken or intends to take in response to the breach.
- Additional obligations when handling employee records (Proposal 7). Some businesses may give a sigh of relief that the employee records exemption is to be retained, but on a more nuanced basis – i.e. certain Privacy Act obligations will be extended to private sector employees. In particular, obligations relating to transparency of collection and use of employee information, protection against unauthorised access or interference, and eligible data breach reporting. The Report flags that further consultation is required to determine how this should be implemented in legislation and hints that it could use either the architecture of the Fair Work Act or the Privacy Act. The nature of Australia’s current employee records exemption is speculated to be a major barrier for achieving GDPR adequacy status, so it may be surprising to some to see that the exemption will be mostly retained.
- under proposal 22 there will be processors and controllers. That is consistent with other jurisdictions. Under this proposal, where processors are acting on the instructions of a controller, they will have fewer compliance obligations under the Privacy Act. Processors would only be responsible for complying with APP 1, APP 11 and the notifiable data breach scheme.
- proposal 13 will require entities to conduct Privacy Impact Assessments for any ‘high privacy risk activity’. Such activities would be those ‘likely to have a significant impact on the privacy of individuals’.
- under proposal 19 there will be regulation of the use of personal information in automated decision making. The Report proposes more transparency around personal information used in “substantially” automated decisions which have a legal or significantly similar effect on an individual’s rights.
- proposal 20 recommends regulation of targeted advertising. There will be prohibitions on the use of information related to an individual for targeted advertising and content to children, and prohibitions on using sensitive information for targeted advertising and content to any individuals. Individuals will have a right to opt out of receiving targeted advertising and content, and any permitted targeting must be ‘fair and reasonable’ and come with transparency requirements about the use of algorithms and profiling to recommend content to individuals.
- under proposals 16 and 17 there will be additional protections for children and vulnerable persons. For children the additional protections include codification of existing OAIC guidance on consent and capacity, requiring entities to make collection notices and privacy policies ‘clear and understandable’, and requiring entities to have regard to the best interests of the child in their consideration of the fair and reasonable test, as well as developing a Children’s Online Privacy Code applicable to services that children are likely to access. For vulnerable people, where an activity may have a significant impact on vulnerable persons this must be considered in the fair and reasonable test (and a Privacy Impact Assessment must be performed).
- proposal 27 recommends a statutory tort of privacy for serious invasions of privacy that are intentional or reckless. The invasion of privacy need not cause actual damage and individuals may claim damages for emotional distress. The Report suggests that the OAIC should be able to appear as amicus curiae and intervene in proceedings with leave of the court for both the direct right of action under the Privacy Act and the tort for invasion of privacy.
- under proposal 18 there will be a limited right of erasure. It also proposes a right of de-indexation which will allow individuals to require search engines to de-index online search results where the results are excessive in volume, inaccurate, out of date, incomplete, irrelevant or misleading. Search engines will also be required to de-index sensitive information and information about minors. There will be exceptions where: there are competing public interests, it is required or authorised by law, it is technically infeasible or an abuse of process.
- proposal 25 recommends giving the OAIC greater enforcement powers and penalties. They include new civil penalties and new powers of investigation, public inquiry and determination. The threshold for a “serious interference” will be eased, and may include interferences that involve “sensitive information” or other information of a sensitive nature, interferences adversely affecting large groups of individuals, or serious failures to take proper steps to protect personal information.
The Information Commissioner’s response is predictably upbeat in OAIC welcomes release of Privacy Act report stating:
The Office of the Australian Information Commissioner (OAIC) welcomes the final report of the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 and encourages interested parties to have their say about privacy reform in Australia through the AGD’s feedback process.
“This is an important milestone as we move towards further reform of Australia’s privacy framework,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“As the world has become increasingly connected and information flows more complex, our privacy laws need to adapt to ensure that personal information is protected and handled fairly.”
The comprehensive report released today contains 116 proposals and the feedback process will inform the next steps by the Australian Government.
“As the privacy regulator we see the proposal to introduce a positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.
“This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place.”
Commissioner Falk noted that the report contains proposals that would enhance the powers of the OAIC as the privacy regulator, to enforce privacy obligations and to identify systemic privacy issues and address privacy breaches.
“It also contains other important proposals, such as enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached, and the removal of some exemptions from the Privacy Act. These proposals reflect the baseline privacy rights expected by our community.”
The proposed privacy reforms follow the passing in November of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.
The response from the digital rights groups has been positive, as reported by InnovationAus in Digital rights, industry groups respond to privacy review, which provides:
Digital rights groups have broadly embraced reforms to Commonwealth privacy laws put forward after a two-year review but say the proposals could still be “watered down” by lobbyists in another round of consultations.
The review, released on Thursday, makes 116 recommendations to improve privacy protections, including through a “right to erasure” that goes further than the European Union’s General Data Protection Regulation.
Digital Rights Watch said the recommendations were a “welcome step towards reclaiming our right to privacy”, but stressed that they were still only proposals, many of which have been 10 years in the making.
“We are pleased to see the Australian government has meaningfully engaged with the issues and shortcomings of the current Privacy Act, and has listened to many of the recommendations from privacy experts and civil society,” Digital Rights Watch program lead Samantha Floreani said.
“There are many promising proposals for privacy reform in this report, but currently they are just proposals, many of which have existed for almost a decade and been ignored.
“We hope that the ALP will stand their ground against tech and business lobbyists who will seek to water these proposals down, and push forward this reform agenda into actual legislative change for the public good.”
In addition to the right to erasure, the group said it is pleased to see proposals for a statutory tort for serious invasion of privacy and a direct right of action, which have long been recommended by the Australian Law Reform Commission.
“Our current privacy regulations are woefully inadequate, out of date, and not fit for purpose for the technical realities of the modern digital economy. People deserve meaningful privacy protections and a regulator who can enforce them properly,” Ms Floreani said.
“We are hopeful that this reform agenda will lay the path towards meaningful, robust reform of the Privacy Act.”
The Australian Privacy Foundation held similar concerns, with chair David Vaile saying that while it is difficult to digest the great detail of the report in a single day, his initial reaction is one of scepticism.
“We’ve now had six major reviews in 30 years which all said Australians should be able to enforce their privacy rights in court, to sue for breach of privacy, as in most other countries, but still no commitment to fix it,” he said.
“The devil is in the detail: Privacy law in Australia is often an exercise in backdoors and loopholes for abusers, hostile to giving power to individuals to protect themselves in a very unfair fight.”
Mr Vaile said “we now face a further long period before government responds”, in which time “every lobbyist under the sun can use time to white-ant recommendations their clients don’t like, and make up reasons why they’re not workable”.
The Australian Information Industry Association (AIIA) chief executive Simon Bush said the “significant report… paves the way for critical updates required for a modern digital economy, including meeting community expectations about data privacy”.
Proposed reforms to small businesses exemptions and the planned review of other laws requiring the retention of data, such as the telecommunications regimes, are among the recommendations the group supports.
It also supports the proposal to remove the word ‘repeated’ in data breach penalty laws and clarify that a ‘serious’ interference of privacy may include instances where sensitive information is involved, large groups of individuals are impacted or willful misconduct has occurred.
But the AIIA does not support a “wholesale right to erasure”, which it claims would require “significant technical challenges on industry”. If such a right is introduced, it has recommended a scheme that mirrors the GDPR.
“We look forward to considering in detail the full report and responding to the government to ensure that any new obligations placed on the technology industry are proportionate, do not result in regulatory duplication and effectively lead to the required uplift in protections,” Mr Bush added.
Norton Rose Fulbright partner Anna Gamvros, who is a member of the board of directors for the International Association of Privacy Professionals, also welcomed the report and congratulated the Attorney-General’s Department for its “thorough and reasoned approach to the reforms”.
“The full suite of reforms you would expect to bring Australia’s privacy laws into line with both international standards and the reality of our data-based economy are there,” she said in a statement.
Ms Gamvros said the direct right of action would be “of significant concern to Australian businesses, and of great interest to class action funders and firms”. In giving rise to regulation by courts, it could also “negatively impact innovation in digital businesses”.
“This is particularly more acute in Australia when considered in light of some of the other proposed reforms, such as the narrowing of what is considered to be valid consent and the introduction of a new standard ‘fair and reasonable’ for collection and processing,” she said.
The Australian, in Company payouts to hack victims, provides an overview:
Australians would be able to seek compensation from companies that fail to protect their data and order the permanent “erasure” of their personal information under proposals put to government after a four-year-long review into the nation’s privacy laws.
The recommendations follow high-profile hacks of Optus and Medibank last year, in which millions of Australians’ personal identity documents and intimate health information was breached and published by the hackers on the dark web.
In response, the government introduced snap legislation to ramp up penalties on companies that allowed for data to be stolen, increasing fines from a maximum of $2m to $50m, or 30 per cent of a company’s turnover in the relevant period.
Attorney-General Mark Dreyfus also ordered his department to complete its review of the privacy act by the end of 2022 – a process which began in 2019 – to help the government in its overhaul of the decades-old laws.
Among the 116 proposals put to government, the Attorney-General’s Department called for companies to be forced to alert the information commissioner of a data hack “no later than 72 hours” after they were aware of the breach. Currently, there is no set time frame in which companies have to make such disclosures.
The department also recommended Australians be given “more agency” to seek redress from companies for “any interference” with their privacy.
“This report proposes a direct right of action to enable individuals to seek remedies in the courts for breaches of the act which cause harm,” it said. “A statutory tort for serious invasions of privacy … is also proposed for adoption in federal legislation to address the current gap in mechanisms available to Australians to seek compensation in the courts for breaches of privacy which fall outside the act.”
To bring the law in line with regulations overseas, the review proposed giving people the right “to request erasure”, also known as “the right to be forgotten”.
Under such regulation, Australians would be able to order companies to erase any personal information that they didn’t want stored.
However, the department said there should be “general exceptions”, including that certain information be “quarantined rather than erased” to ensure it remained available for the purposes of law enforcement.
The Attorney-General’s Department said many submissions to the discussion paper on the privacy act review called for current exemptions from the act for political parties and journalists to be removed or narrowed.
“On balance, this report proposes that the need for Australians’ information to be adequately protected in the digital age justifies at least some recalibration of all of the exemptions to address contemporary privacy risks and meet community expectations,” it said.
Such changes would include the right of people to “opt out” of receiving advertising from a political entity, with political parties needing to prove they had taken “reasonable steps” to protect personal information and destroy it if it was no longer needed.
Mr Dreyfus said the nation’s privacy act had “not kept pace” with the digital world. “The Australian people rightly expect greater protections and transparency,” he said.
The story has received coverage in the Guardian and the Age amongst others.