Decoding proposed Online Privacy Code and Privacy Act Review

21 minute read  01.11.2021 Susan Kantor, Michael Thomas

The Attorney-General's Department is continuing to progress broad privacy reform to reflect the new requirements of the 'digital age'. In two parts, we examine in detail the recently published Privacy Act Review Discussion Paper and the exposure draft of the Online Privacy Bill.



Key takeouts

  • The review and strengthening of privacy legislation in Australia is continuing to progress and starting to take shape.
  • The Online Privacy Code will have significant regulatory ramifications for big tech, and many other online platforms that trade in or use large volumes of personal information.
  • Whether the privacy reforms (both the Online Privacy Code and the Privacy Act review) are fit for purpose will depend on the engagement of those businesses that will be impacted most. If your business will be impacted, consider engaging with the review process.

On 25 October 2021, the Attorney-General's Department (Department) published an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Bill). The Commonwealth Government states it is 'landmark privacy legislation' intended to protect Australians online and to update the Privacy Act 1988 (Cth) (Privacy Act) for the 'digital age'.

The Bill would enable the creation of an 'Online Privacy Code' (OP Code), which will be a registered code created under the Privacy Act in relation to 'Online Privacy Organisations' (OP Organisations). The OP Code will be enforced through the current regulatory powers held by the Australian Information Commissioner (Commissioner) and the Office of the Australian Information Commissioner (OAIC). The Bill also contains provisions to amend the Privacy Act to strengthen the Commissioner's current enforcement powers.

Importantly, the Bill is currently an exposure draft. This means it is not presently before Parliament, but rather has been provided to industry and the general public for comment. Should the Bill pass through Parliament and enter into law, there will be a 12-month period in which the OP Code is developed before it is implemented. Although the OP Code is still one to two years away from being implemented, the Bill contains provisions that outline what the OP Code must contain, and these give us insight into the approach the Government intends to take to regulate the practices of online platforms.

Also on 25 October 2021, the Department released its Privacy Act Review Discussion Paper (Discussion Paper), as part of its ongoing review of the Privacy Act. The Discussion Paper follows the publication of a Privacy Act Review Issues Paper (Issues Paper) in October 2020.

The Discussion Paper builds on the previous Issues Paper, and provides an updated view following the consideration of a large number of submissions received by the Department in response to the Issues Paper.

In two parts, we reflect on the Bill and the Discussion Paper, and on what's coming next in the privacy landscape.

Part 1: The Bill – the 'Online Privacy Code'

Who will the OP Code apply to?

The OP Code is intended to apply to 'OP Organisations', which are private sector organisations which fall within three categories defined in the Bill. Although not expressly stated in the proposed definition of OP Organisation, the Department has stated in the associated Explanatory Paper that the definition is not intended to capture entities not already subject to the Privacy Act as APP Entities. The three categories of organisations that will be OP Organisations are:

  • organisations that provide social media services;
  • organisations that provide data brokerage services; and
  • large online platforms.

The OP Organisation definition is contingent on organisations providing services through an 'electronic service' which is defined in section 9 of the Bill (proposed section 6X of the Privacy Act) as a service that:

  1. allows end-users to access material using a carriage service (within the meaning of the Telecommunications Act 1997 (Cth)); or
  2. delivers material to persons having equipment appropriate for receiving that material, where the delivery of the service is by means of a carriage service (within the meaning of the same Act),

but does not include:

  • a broadcasting service (within the meaning of the Broadcasting Services Act 1992 (Cth));
  • a datacasting service (within the meaning of that Act);
  • a service the sole purpose of which is to process payments;
  • a service the sole purpose of which is to provide access to a payment system (within the meaning of the Payment Systems (Regulation) Act 1998).

Social media services

An organisation will be an OP Organisation providing social media services if it:

  • provides an electronic service which has the sole or primary purpose of enabling online social interaction between 2 or more end-users;
  • allows end-users to link to, or interact with some or all other end-users using the electronic service; and
  • allows end-users to post material to the electronic service.

The Explanatory Paper states that this definition will not capture organisations that enable 'online communication / interactions / content sharing' as an additional feature (e.g. businesses that provide 'online feedback facilities').

A number of examples of OP Organisations providing social media services are included in the Explanatory Paper, as follows:

  1. social networking platforms;
  2. dating apps;
  3. online content services;
  4. online blogs or forums;
  5. gaming platforms which operate 'a model which enables end-users to interact with other end-users, such as multiplayer online games with chat functionalities'; and
  6. online messaging and videoconferencing platforms.

'Data brokerage services'

An organisation will be an OP Organisation providing data brokerage services if:

  • it collects personal information about an individual, for the sole or primary purpose of disclosing that information (or information derived from that information) in the course of or in connection with providing a service; and
  • the information was either:
    1. collected by the organisation from the individual through the use of an electronic service, other than an electronic service that falls within the social media service definition; or
    2. previously collected by another organisation from the individual by the use of an electronic service, including an electronic service which is a social media service.

The Explanatory Paper states that the intent of this definition is to capture organisations whose 'business model is based on trading in personal information collected online' or trading in information that is derived from that personal information.

It is not intended that organisations that capture and disclose data as a secondary purpose will be caught by the definition. For example, charities that collect the personal information of donors, and then disclose this information for the purpose of a fundraising campaign, are not intended to be captured.

'Large online platforms'

An organisation will be a Large Online Platform if it:

  • collects personal information in the course of, or in connection with, providing access to information, goods or services (other than as a data brokerage service) by the use of an electronic service (other than a social media service); and
  • has over 2,500,000 end-users in Australia.

The large online platforms definition effectively acts as a catch-all, to capture large technology companies that interact with personal information, but would not fall within the definitions of ‘social media service’ or ‘data brokerage service’. The Explanatory Paper states that this definition is intended to capture 'major global technology companies' (eg, Apple, Google and Amazon) and media sharing platforms (eg, Spotify).

'Legislative instruments'

Importantly, the definition of OP Organisation is expressly subject to legislative instruments that the Minister may make for the purpose of:

  • specifying further conditions to which the definition of 'social media service' may be subject; or
  • specifying organisations, or classes of organisations, so as to expand the definition of OP Organisation, either by changing the current three limbs of the definition or by adding different classes of organisations.

The Explanatory Paper states that the purpose of the Minister's power to make legislative instruments is to allow the OP Code to be applied to organisations with 'flexibility to respond to the fast-moving online environment if necessary'.

This will be an important consideration for organisations that conduct activities which some may argue should be subject to the OP Code, but which are not strictly caught by the Bill as drafted. It is possible that in future the definition of OP Organisation will be expanded, whether by legislative instrument or by amendment to the Act, to capture a larger number of organisations than the present drafting does.

Scope of the Online Privacy Code

The Bill does not include the text of an OP Code. Rather, the Bill sets out a range of matters that the OP Code must include, and a number of other matters that the OP Code may include. These fall into three broad groups:

  1. obligations that specifically relate to compliance with the Australian Privacy Principles (APPs);
  2. new requirements that must be included in the OP Code; and
  3. requirements that may be included in the OP Code.

Additionally, the OP Code must bind all OP Organisations.

APP obligations

The OP Code is required to contain specific requirements for how OP Organisations are to comply with the following APPs:

  • APP 1.4(c): a requirement that an OP Organisation's privacy policy is clear and simple to understand, and explains the purposes for which the OP Organisation collects, holds, uses and discloses personal information;
  • APP 5: a requirement that all notices provided to individuals about the collection of their personal information are sufficient to ensure that an individual is aware of the purposes for which the OP Organisation is collecting, using or disclosing their personal information; and
  • APPs 3 and 6: a requirement that the OP Code set out how OP Organisations are to comply with APPs 3 and 6, specifically how they are to ensure that an individual has consented to the collection, use or disclosure of their personal information. This is intended to include specific requirements for organisations that handle sensitive information, including health information.

As these obligations in the OP Code generally expand on obligations already placed on OP Organisations by the APPs, it should be relatively straightforward for OP Organisations to implement, and comply with, the additional obligations included in the OP Code.

New requirements that must be included in the Online Privacy Code

The OP Code must:

  • bind all OP Organisations;
  • specify how an OP Organisation's privacy policy is to comply with APP 1.4(c), in stating the purposes for which the organisation collects, holds, uses and discloses personal information; and
  • contain a requirement that an OP Organisation take reasonable steps not to use or disclose, or further use or disclose, an individual's personal information upon the request of that individual. The Explanatory Paper states that this does not amount to a right to be forgotten, but is a recognition that an OP Organisation should cease use or disclosure of personal information when requested to do so, if it is practical for the organisation to do so.

It must also contain specific provisions relating to children which:

  1. outline how OP Organisations are to comply with all requirements in the OP Code as they relate to children, and how these requirements will have 'stricter rules and stronger protections' in relation to handling the personal information of children;
  2. specifically state how children, or their parents or representatives, are able to provide consent for the collection, use or disclosure of the personal information of a child; and
  3. in the case of social media platforms, require that they:
    • take all reasonable steps to identify the age of individuals using their services;
    • ensure the collection, use or disclosure of a child's personal information is 'fair and reasonable in the circumstances';
    • treat the best interests of the child as the primary consideration in determining what is fair and reasonable;
    • obtain express consent from a parent or guardian before collecting, using or disclosing the personal information of a child under the age of 16, and take reasonable steps to verify that the consent is legitimate; and
    • where they become aware that valid parent or guardian consent has not been obtained in relation to a child under 16, take steps to obtain valid consent as soon as practicable.

New requirements that may be included in the Online Privacy Code

The Bill also lists optional matters that the entity drafting the OP Code may include, at its discretion, to expand or clarify the obligations that must be contained in the OP Code. These matters include:

  • specifying how additional APPs are to be complied with by OP Organisations;
  • imposing additional obligations in relation to the existing APPs, provided the obligations are not inconsistent with or contrary to the APPs;
  • specifying mechanisms for the internal handling of complaints, or for the reporting of complaints to the OAIC;
  • providing for reporting on the number of end-users in Australia; or
  • any other relevant matter.

Importantly, because of the catch-all 'any other relevant matter' provision, the extent to which the OP Code will place obligations on OP Organisations is largely open-ended, and will depend on the discretion of the entity drafting the OP Code.

Process for development and implementation

The OP Code will be developed and registered in the 12 months following the date the Bill receives Royal Assent.

Industry will have the first opportunity to develop the OP Code, with the Commissioner to develop a code if a suitable entity cannot be identified to develop it on behalf of industry. This is consistent with the process currently contained in the Privacy Act, although the Discussion Paper contains a proposal to change this process so as to allow the Commissioner to develop a registered code in the first instance.

Considering the breadth of industries potentially regulated by the OP Code, and the lack of a peak body that could be said to sufficiently represent the interests of this broad class of organisations, it is possible that the Code will ultimately need to be developed by the Commissioner.

Regardless of whether the OP Code is developed by industry or by the Commissioner, it will be subject to public consultation. Further, a registration process will take place, in which the Australian Competition and Consumer Commission and the eSafety Commissioner will be consulted on the proposed OP Code, to ensure it is fit for purpose.

Regulation and enforcement

The enforcement of compliance with the OP Code will be largely similar to the enforcement of the Privacy Act. The Commissioner will be empowered to investigate potential breaches of the OP Code, and will have a 'full range' of enforcement powers to do so.

The Bill – increased enforcement powers

The OP Code provisions in the Bill are accompanied by amendments to the enforcement and penalties provisions currently contained in the Privacy Act.

The Explanatory Paper states that these amendments are being considered together with the OP Code, prior to the completion of the review of the Privacy Act, as they 'complement' the OP Code and are needed to protect the privacy of Australians online.

The additional enforcement powers in the Bill include the following:

Maximum civil penalty

An increase in the maximum civil penalty for a serious or repeated interference with privacy: for an individual, to 2,400 penalty units (currently $532,800); and for a body corporate, to an amount not exceeding the greater of:

  • $10,000,000;
  • three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or
  • 10% of the body corporate's domestic annual turnover (if the value of the benefit attributable to the interference cannot be determined).

Infringement notices

The increased enforcement powers include a power to issue infringement notices, with associated civil penalties, for failing to provide the Commissioner with requested information, answer questions, or produce documents relevant to an investigation.

This will streamline the process for imposing penalties for non-compliance with such requests, as the Commissioner will be able to issue an infringement notice, rather than resorting to Court processes to enforce penalties.

Separate criminal offences will be created for bodies corporate that repeatedly refuse to comply with a request for information.

Determination powers

New determination powers will be included, which will enable the Commissioner to:

  • make a determination that an entity must engage an independent, suitably qualified adviser to ensure that conduct constituting an interference with privacy is not repeated or continued; or
  • make a determination that a respondent must prepare a statement about the conduct that led to an interference with privacy and the steps it has taken or will take to remediate the contravention, and publish the statement or provide a copy to the complainant, or to each affected class member in a representative complaint.

Enhanced assessment powers

New enhanced assessment powers will enable the Commissioner to assess an entity's compliance with the Notifiable Data Breaches scheme. This includes information gathering powers which will enable the Commissioner to carry out assessments of 'any kind'.

Disclosure of information and information sharing powers

New disclosure of information and information sharing powers will enable the Commissioner to:

  • share information with law enforcement bodies, alternative complaint bodies and State, Territory and overseas privacy regulators (subject to limitations in the Bill). The eSafety Commissioner will be appointed an 'alternative complaint body' to facilitate information sharing between the OAIC and the eSafety Commissioner; and
  • publish information acquired in the course of the Commissioner's functions on the OAIC website, to inform the general public of privacy issues.

The information that may be published will include:

  • notices of eligible data breaches;
  • information regarding assessment reports;
  • information regarding determinations and enforceable undertakings (without the need for a public interest test); and
  • information about ongoing investigations, subject to a public interest test.

It is important to note that these increased enforcement powers are not limited to enforcement of the OP Code. These amendments would apply to infringements of the Privacy Act and APPs more generally.

It will be important for organisations to consider these increased powers carefully when managing complaints and engaging with the OAIC.

Extraterritorial application

The Bill contains provisions designed to clarify the application of the Privacy Act to foreign organisations.

Importantly, the Bill would remove the current requirement in the Privacy Act that, for a foreign organisation to be captured by the Act, it must collect or hold personal information from sources within Australia.

This means that foreign organisations that 'carry on business' in Australia will be subject to the Privacy Act even where they do not collect or hold personal information directly from sources within Australia (for example, on servers physically located in Australia).

Part 2: Privacy Act Review – discussion paper

The Department received over 200 submissions in response to its Issues Paper published in October 2020.

The Department has developed the Discussion Paper in response to these submissions and through targeted consultation. The review of the Privacy Act is ongoing. However, the Discussion Paper provides useful insight into which of the proposed reforms raised in the Issues Paper have broad support, and which may be more contentious for the Government to implement.

Engagement with overseas legislation

A number of submissions to the Department raised the need for the Privacy Act to be consistent with overseas regimes. The European General Data Protection Regulation (GDPR) in particular was generally held out as a 'desirable international privacy standard', as were the regimes of a number of other jurisdictions that have GDPR adequacy decisions (such as Canada and New Zealand). Supportive submissions noted the inherently international nature of data, and the need for international consistency to better facilitate cross-border transfers of information within the digital economy.

One way for the review of the Privacy Act to achieve this greater consistency and interoperability would be to make changes that would facilitate a GDPR adequacy decision. This would bring the protections in Australia closer to those in the GDPR, which is broadly considered to be the international ‘gold standard’.

Future of the exemptions in the Privacy Act

There was general support amongst the submissions received by the Department for all entities to be subject to the Privacy Act, unless there was a compelling reason for an entity to be granted an exemption. This would require a broadening of the scope of the Privacy Act to remove the small business and employee records exemptions.

The submissions did raise some concerns about the compliance burden on entities that have previously relied on the small business and employee records exemptions. The Discussion Paper raises the possibility that, if it is not appropriate to remove these exemptions entirely, small businesses could be required to comply with only specific parts of the Privacy Act, or could have reduced obligations under the APPs.

If, however, international consistency is a key objective of these reforms, then the employee records and small business exemptions are out of step with the weight of international practice, and in particular with the GDPR. We think it likely that the removal (or at least significant diminution) of these exemptions will be a key requirement for Australia to achieve 'adequacy' for the purposes of the GDPR.

The Discussion Paper also highlights support amongst the submissions for a diminution in scope, or complete removal, of the political exemption.

In relation to the journalism exemption, there was broad support from media organisations that the exemption was appropriate as drafted. It is noted in the Discussion Paper that there were limited actual examples provided of invasion of privacy by media organisations that would have supported the removal of the exemption. Of the exemptions in the Privacy Act, the journalism exemption appears to have the strongest support for being maintained, although there were submissions proposing the removal of all of these exemptions.

Greater rights and controls for individuals

The Discussion Paper highlights the potential for privacy reforms to embed greater privacy rights and controls for individuals. This includes:

  • increased controls around notice and consent;
  • the right to object to, or withdraw consent for, the ongoing collection, use or disclosure of personal information; and
  • the right to erasure or to be forgotten.

Notice and consent

The Discussion Paper acknowledges that the point at which individuals have the most ability to influence how their personal information is used is when they give consent to the collection or use of that information.

There was a 'strong interest' amongst submissions received by the Department as to how the regulation of collection, use, and disclosure of personal information should be updated.

The submissions suggested that over-reliance on notice and consent places unrealistic burdens on individuals, who are expected to understand how their personal information will be used. This issue will likely become more pressing as the use of individuals' personal information by online platforms becomes more nuanced and complex.

To address this, the Discussion Paper suggests that additional 'baseline' protections could be included in the Privacy Act, so that Australians can have a degree of confidence that, when they engage with entities, they are protected by law from the misuse of their personal information and associated harm. The Discussion Paper raises the possibility of including a 'legitimate interest' test, similar to that adopted in the GDPR, which would require entities subject to the Privacy Act to handle personal information in a 'fair and reasonable' manner. As part of this, submissions suggested the need for express privacy-by-design provisions in the Privacy Act, in order to increase the level of organisational accountability.

Right to object

The Discussion Paper suggests that, in order to augment individual rights under the Privacy Act, there should be a right to withdraw consent to, or object to, the ongoing collection, use or disclosure of personal information.

The inclusion of such a right had general support in the submissions, drawing comparisons with the equivalent right in the GDPR.

A similar right is included in the proposed OP Code, and an equivalent provision in the Privacy Act would be designed as a complementary obligation imposed on all APP Entities.

Right to erasure

The Department is considering whether to include a right to erasure or right to be forgotten in the Privacy Act.

Submissions in support of a right to be forgotten suggest that its inclusion in equivalent overseas legislation, including the GDPR and the California Consumer Privacy Act, demonstrates that compliance with this requirement is not overly burdensome, and that these laws could provide an appropriate template for equivalent provisions in the Privacy Act.

Generally speaking, it appears from the Discussion Paper that there is support for the right to be forgotten being included in the Privacy Act, at least to some extent. The Discussion Paper does highlight, however, that this right should be subject to reasonable conditions and limitations.

Regulation and enforcement

The Discussion Paper highlights that the submissions broadly recognise the need for strong regulation and enforcement in order to encourage compliance with the Privacy Act and the remedying of non-compliance.

Submissions advocated for increased enforcement powers for the Commissioner and the OAIC, as well as adequate resourcing to enable the OAIC to progress complaints more quickly. The Discussion Paper acknowledges that, historically, the OAIC has been primarily concerned with resolving complaints and that, because of the ever-increasing complexity of personal data flows, this may no longer be an appropriate primary function.

To increase the enforcement options available to the OAIC, the OAIC has proposed a tiered approach, which would enable it to take varying levels of action depending on the severity of the interference with privacy in which an entity has engaged.

The Department acknowledged the merit in this approach, and proposes the inclusion of civil penalty provisions that would cover 'less serious' conduct than that currently covered by section 13G of the Privacy Act.

It is important to note that the submissions calling for greater enforcement powers for the Commissioner would have been made without the benefit of the additional powers proposed in the Bill. The Discussion Paper highlights that any further amendment to the Privacy Act would be complementary to these powers.

The Discussion Paper also considers a possible direct right of action, and a statutory tort for interference with privacy, both of which would enable an individual to bring proceedings against an entity for interference with their personal information/privacy.

The direct right of action would enable an individual to bring proceedings for a breach of the Privacy Act.

Submissions to the Department generally suggested a 'gatekeeper' model would be appropriate, where the individual must first complain to the OAIC before being able to bring a civil action. Additionally, they highlighted that it would be important for the Privacy Act to appropriately articulate a 'harm threshold' to ensure that:

  • matters being litigated by individuals are of a sufficient severity to warrant litigation; and
  • the Courts are not overwhelmed by an influx of privacy litigation.

Submissions in relation to the statutory tort of privacy generally highlighted the increased ease with which privacy is interfered with as a reason for the need to implement a statutory tort. The Discussion Paper highlights that not all submissions made to the Department were in support of a statutory tort and that the Department is still considering whether such an action is appropriate.

What's coming next for privacy reform?

The Department is currently consulting on all aspects of privacy legislation reform it is undertaking.

The Bill and its supporting materials, the Online Privacy Bill Explanatory Paper and the Online Privacy Bill Regulatory Impact Statement, are available via the Attorney-General's Department website.

Submissions in relation to the Bill may be made until 6 December 2021, and may be made through an online portal at the above website.

The Privacy Act Review Discussion Paper is also available online.

Submissions in relation to the Discussion Paper may be made until 10 January 2022, and may be made through an online portal at the above website. Submissions may also be made before this date in relation to anything else of relevance to the Terms of Reference of the Privacy Act Review.

The success of legislative reform often depends on the engagement of industry and other interested parties.

Therefore, we encourage interested parties to consider making a submission to the Department with their views on the proposed reforms.

Please contact us if you would like assistance with preparing a submission in relation to either the Bill or the Discussion Paper, or would like to discuss this update more broadly.