Privacy Act changes on the horizon: Federal Government response to Privacy Act Review report
By Alison Baker, Eden Winokur and Iona Goodwin
Australian businesses now have a roadmap for changes to privacy legislation that the Federal Government will implement, following the Government’s response to the Privacy Act Review Report. But those anticipating swift reform may be disappointed, as the immediate next steps involve further consultation. We outline the Report’s recommendations and what businesses may need to change to comply with new privacy obligations.
The Federal Government’s response to the Privacy Act Review Report 2022 (Report)) contained 116 proposals in 27 key areas. (See our article, Substantial Privacy Act reform: what will this mean for your business?, for more information regarding the Report). The Response explains that the Government agrees to 38 of the Report’s proposals, agrees in-principle with 68 of the proposals, and ‘notes’ the remainder.
Overall, the Response indicates the Government’s support for most of the proposals and signals its intention to progress the long-awaited reform of Australia’s privacy laws. However, those anticipating swift reform of Australia’s privacy laws may be disappointed, as the Response is not new legislation, and the immediate next steps involve further consultation before we see draft legislation.
The Government identifies a number of key focus areas, most of which can be seen through the lens of enhancing the rights and protections of individuals, including by providing guidance to entities covered by the Privacy Act 1988. Significant areas of focus for change include:
- Increasing protections under the Privacy Act. This will involve requiring businesses to handle individuals’ personal information in line with community expectations.
- Enhanced requirements to keep information secure and destroying it when it is no longer needed and reforming the Notifiable Data Breaches (NDB) scheme.
- Increased clarity and simplicity for entities and individuals, including by improved definitions in the Privacy Act and guidance within the Privacy Act and increased guidance from the Office of the Australian Information Commissioner (OAIC).
- Individuals will have more control over and greater transparency regarding their personal information. This will involve changes to notice and consent mechanisms.
- Increased penalties for privacy breaches and strengthened enforcement powers for the OAIC.
- Consideration of modifying the employee records exemption and removing the small business exemption.
Next steps
For those proposals with which the Government agrees, we will see the development next year of legislative proposals, with ‘targeted consultation’ to follow. Where the Government has indicated it agrees-in-principle, we will see further consultation and the development of impact analysis.
Agreed to
Businesses will face a more extensive range of penalties for privacy breaches due to the introduction of new civil penalty provisions.
The Government has agreed to new tiers of civil penalty provisions to cover interferences without a ‘serious’ element. We should also see a new low level civil penalty provision for administrative breaches of the Privacy Act and Australian Privacy Principles. The Federal Court and the Federal Circuit and Family Court will also have the power to make any order they see fit after a civil penalty provision relating to an interference with privacy is established; this could open the door to more orders for compensation arising from privacy breaches.
Businesses using automated decision-making (ADM) should be aware of the proposals relevant to them. The Government has agreed with proposals regarding ADM including that the privacy policies of these businesses should set out the types of personal information that will be used in substantially automated decisions which have a legal, or similarly significant, effect on an individual’s rights.
The Government also agrees that individuals should have a right to request meaningful information about how automated decisions with legal or similarly significant effect are made. Changes relating to ADM will cross over with reforms arising from the recommendations from the Royal Commission into the Robodebt Scheme in relation to the use of ADM by Commonwealth agencies.
Agreed-in-principle
As is set out above, the Government has agreed-in-principle to the majority of the proposals in the Report.
The Government has agreed-in-principle to the removal of the small business exemption (which would require millions of small businesses currently exempt to comply with the Australian Privacy Principles (APPs)). However, the Response sets out that this change will not occur until there has been further consultation undertaken with small businesses and their representatives on the impact that removing the small business exemption would have.
The Government has agreed-in-principle to the ‘enhanced privacy protections’ for private sector employees, currently subject to the employee records exemption, which exempts private sector employers from compliance with the APPs in respect of employee records. This does not appear to equate to a removal of the employee records exemption altogether.
Privacy collection notices will likely have to be clear, up to date, concise and understandable.
The Government also agrees-in-principle that the definition of consent in the Privacy Act should be amended to require that consent must be voluntary, informed, current, specific and unambiguous. The Privacy Act will also likely be amended to reflect that consent can be withdrawn.
The Response provides that individuals should also have the right to request access to, and an explanation about their personal information, including that the entity must identify the source of the personal information it has collected, directly and indirectly, and explain what it has done with the personal information. Furthermore, individuals should also have the right to erasure of their personal information, including that an entity who has collected the information from a third party must inform the individual of that third party and notify the third party of the erasure request (with some exceptions).
The Government also agrees that individuals should have a right to take direct court action in respect of privacy breaches. It also agrees that a tort of breach of privacy should be developed in consultation with the States and Territories.
Changes should be made to the NDB scheme, including that entities covered by the scheme should be required to:
- notify the Information Commissioner as soon as practicable, and not later than 72 hours – compared to 30 days under the current rules – after becoming aware that there are reasonable grounds to believe there has been an eligible data breach;
- notify individuals as soon as practicable, including providing information to individuals in phases if it is not practicable to provide the information at the same time; and
- take reasonable steps to implement practices, procedures and systems to respond to a data breach.
View the complete list of the Government’s responses to the proposals.
We will see more consultation next year and the release of draft legislation. The majority of the changes, those to which the Government agrees-in-principle, appear to still be some way off.
While new legislation is not necessarily imminent, Australian business have a roadmap for the changes the Government is likely to implement. Now is a good time for businesses, including small businesses, to consider their approaches to managing personal information and how much they will need to change to comply with these new obligations.
We will continue to monitor this important reform process and keep you updated.