Release of the Privacy Act Review Issues Paper

14 minute read  20.11.2020 Michael Thomas, Helaena Short

On 30 October 2020, the Attorney-General's Department published the Privacy Act Review Issues Paper, which outlines issues at the heart of the current privacy regime in Australia. We discuss the key considerations included in the broad-ranging review that privacy experts will need to be aware of.

Key takeouts

  • The Attorney-General's Department has published an Issues Paper in relation to its Review of the Privacy Act 1988 (Cth).
  • The purpose of the review is to consider whether the scope of the Privacy Act, and its enforcement provisions, remain fit for purpose.
  • Submissions in relation to the review close on 29 November 2020.

The Privacy Act Review

On 12 December 2019, the Australian Government announced that it would review the Privacy Act 1988 (Cth) (Privacy Act) to ensure that it empowers consumers, protects their data and positively serves the Australian economy (Review). The Review was initiated in response to the Australian Competition and Consumer Commission's (ACCC's) Digital Platforms Inquiry Final Report (DPI Report).

On 30 October 2020, the Attorney-General's Department published the Privacy Act Review Issues Paper (Issues Paper), which outlines the terms of reference for the Review.

The matters under consideration as part of the review include:

  • the appropriateness of the scope and application of the Privacy Act, including the definition of ‘personal information’ and the current permissible circumstances and exemptions relating to the collection, use and disclosure of personal information
  • the sufficiency of the current consent and notification requirements
  • the impact and sufficiency of the notifiable data breach scheme
  • the effectiveness of the current enforcement regime, and whether there should be additional legal protections for the enforceability of privacy rights or more serious penalties for breaches
  • feedback on an independent certification scheme to monitor and demonstrate compliance with the Privacy Act

The Issues Paper contains an overview of these matters, including the proposed options for reform, and 68 questions to which stakeholders can provide their input and feedback. In this update, we highlight some key sections of the Issues Paper.

Scope and application of the Privacy Act

The questions posed in this part of the Issues Paper go to the heart of the Privacy Act and therefore of the current privacy regime in Australia. The Issues Paper considers the definition of 'personal information', the guidance provided by the Commonwealth in determining the scope of the definition, and whether the definition is still fit for purpose in the digital age, posing the question: should the definition of personal information be changed?

In posing this question, the Issues Paper suggests that the definition could be expanded to include 'technical data' (such as IP addresses, metadata and location data), inferred personal information, and information about deceased persons. It also considers de-identification processes, and whether particular de-identification or anonymisation protocols should be applied in order for information to fall outside the ambit of 'personal information'.

The Issues Paper considers the various exemptions to compliance with the Privacy Act, including the appropriateness of:

  • the employee records exemption;
  • the small business exemption;
  • the political exemption; and
  • the journalism exemption.

Employee records exemption

The Issues Paper discusses the broad nature of the employee records exemption, which may exempt employer-held records that contain a wide range of personal and sensitive information from the operation of the Privacy Act. In considering the appropriateness of this exemption, the Issues Paper notes that it is important to consider whether the removal of the exemption would impact the ability of employers to manage their human resources effectively. In doing so, the Issues Paper highlights the views of the Australian Law Reform Commission from its report 'For Your Information: Australian Privacy Law and Practice' – that the removal of the employee records exemption may have the effect of supporting the appropriate management of human resources, and that it need not interfere in the employer/employee relationship.

The Issues Paper references one particular factor in a number of sections: whether Australia should seek an adequacy decision for the purposes of Article 45 of the European General Data Protection Regulation (GDPR) to facilitate cross-border transfer of personal data between jurisdictions subject to the GDPR and Australia. The Issues Paper notes that the removal of the employee records exemption from the Privacy Act may support the making of an adequacy decision. It also considers whether sensitive information should be removed from the employee records exemption.

Small business exemption

The small business exemption exempts businesses with an annual turnover of less than $3 million from compliance with the Privacy Act (subject to a number of exceptions). This exemption was included in the Privacy Act in recognition of the potential compliance costs for small businesses, which (at the time the Privacy Act was passed) were considered to pose little or no risk to the privacy of individuals.

The Review will consider whether the small business exemption continues to strike the correct balance between the rights of individuals and the unreasonable imposition of compliance costs on small businesses. As part of this consideration, the current $3 million threshold will be re-considered.

More broadly, the Review will consider whether the small business exemption should remain in place at all, with the Issues Paper noting that there is no equivalent provision in the EU, and that the small business exemption was a 'key outstanding issue' preventing Australia from receiving an adequacy decision under the GDPR.

Political exemption

The political exemption was included in the Privacy Act to support freedom of political communication in acknowledgement of the large amount of personal information that is used in the electoral process. The Review will consider whether political acts and practices should continue to be exempt from the Privacy Act, acknowledging that this is not the case in comparable jurisdictions such as the United Kingdom and New Zealand.

Journalism exemption

The Issues Paper notes that the journalism exemption is critical to maintaining a democratic society, but that it is still necessary to balance the need to maintain the free flow of information to the public through the media against the need to protect personal information. The Issues Paper notes that while the rationale for the exemption is broadly accepted, there have been questions about whether the scope of this exemption is too wide. Additionally, the Review will consider the media privacy standards and whether any of the acts and practices of media organisations should be covered by some or all of the personal information protections under the Privacy Act.

The Issues Paper raises for consideration the effectiveness of the collection notice mechanism. Australian Privacy Principle (APP) 5 requires that organisations take such steps as are reasonable in the circumstances to notify individuals of certain matters at the time at which the organisation collects personal information (or, if that is not practicable, as soon as practicable after collection). The Issues Paper notes that the DPI Report recommended that notification requirements in the Privacy Act should be significantly strengthened, proposing that:

  • all collections of personal information (whether direct or indirect) be accompanied by a notice unless the individual already has the information contained in the notice or there is an overriding legal or public interest reason for notice to not occur;
  • the notice must be 'concise, transparent, intelligible and easily accessible', clearly setting out how the information will be collected, used and disclosed; and
  • the use of layered notices and standardised icons and phrases should be encouraged to reduce the information burden.

The Issues Paper outlines key issues that the Attorney-General's Department will consider in examining the appropriateness of notice requirements. These include:

  • considering whether the notice ensures that the individual is aware of all relevant matters, including a consideration of whether the notice is appropriate for people with differing capacities to engage with the information contained in the notice;
  • the added complexity of third party collections, and whether it is appropriate for an individual to be provided with notice whenever their personal information is collected, regardless of whether this collection is direct or indirect; and
  • how to best communicate with individuals to ensure they are able to engage with and absorb the information (thereby reducing the information burden).

The Issues Paper acknowledges that individuals granting their consent to the collection, use and disclosure of their personal information for various purposes is central to the protections in the Privacy Act, and a key measure in allowing individuals to exercise control over their personal information. The Issues Paper observes that under the current regime, an individual's personal information can often be collected without their consent, and it is only the collection of sensitive information that is subject to the consent of the individual (subject to a number of exceptions). As with collection notices, the DPI Report recommended that the consent requirements in the Privacy Act be significantly strengthened, proposing that:

  • consent should apply in relation to any collection, use or disclosure unless the personal information is necessary for a contract between the parties, required by law or subject to overriding public interest reasons;
  • valid consent should require a clear affirmative act which is given freely, specific, unambiguous and informed. This is proposed to include the de-bundling of consents and the setting of pre-selected data consents to 'off' as a default; and
  • measures be adopted to reduce consent fatigue such as standardised icons or phrases.

The Issues Paper highlights the need to consider whether consent should be required in relation to the creation of personal information that may contain inferred sensitive information. Inferred personal information is information collated from a number of sources which reveals something new about an individual. Inferred information can meet the definition of 'personal information' or 'sensitive information' even where it has been inferred from de-identified information or technical data.

The Issues Paper poses the question: 'are the current general permitted situations and general health situations appropriate and fit-for-purpose? Should any additional situations be included?'

The general permitted situations contained in the Privacy Act provide that, in certain circumstances, it is permissible for personal and sensitive information to be collected, used and disclosed, without the consent of the individual. A review of the general permitted situations and general health situations offers the opportunity for respondents to assist the Attorney-General's Department to understand:

  • whether there are circumstances regulated by the Privacy Act that, in the experience of industry, are not appropriate or fit-for-purpose; and
  • whether there are situations not included in the Privacy Act that, in the experience of industry, would be appropriate to be included.

The Issues Paper considers the appropriateness of the control and security of personal information measures in the Privacy Act, noting that the proliferation of digital services has led to an expansion in the amount of personal information collected in relation to individuals. However, it notes that once consent has been given, those individuals often have limited control over how their information is used. As part of the Review, the Attorney-General's Department will consider whether a right to be forgotten, similar to that contained in the GDPR, should be included in the Privacy Act and, if so, in what circumstances this right should not apply.

Overseas data flows

Finally, the Review will consider the issue of overseas data flows (the movement of data across national borders), which is becoming an increasingly important component of international trade, particularly given the proliferation of digital platforms and services. The Issues Paper highlights that there is no global standard for the protection of personal information, and that Australia is, generally speaking, caught between two international privacy regimes:

  • the GDPR (and, as of 1 January 2021, the United Kingdom General Data Protection Regulation), for which there is not presently an adequacy decision in place; and
  • the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system, to which Australia was accepted on 23 November 2018, but which is yet to be implemented domestically.

The Issues Paper highlights the differences between the GDPR and the CBPR systems, and raises that the Review will consider whether it is necessary or desirable to seek an adequacy decision under the GDPR, and whether requiring Australian organisations to comply with domestic law, the CBPR system and GDPR in order to maintain an adequacy decision, would be overly burdensome.

Regulation and enforcement

The Review will consider whether the current enforcement system under the Privacy Act, under which the Office of the Australian Information Commissioner (OAIC) is responsible for investigating and resolving complaints, is working effectively and strikes the right balance between conciliating complaints, investigating systemic issues and taking punitive action for serious non-compliance. It will also consider whether the current remedies available to the OAIC are sufficient or need to be expanded.

Importantly, the Review will consider whether the Australian privacy regime should also include:

  • a direct right of action by individuals under the Privacy Act; or
  • a statutory tort of privacy.

A direct right of action was recommended in the DPI Report and supported in principle by the Commonwealth Government. The Issues Paper acknowledges that the current ability of individuals to litigate a claim for a breach of privacy under the Privacy Act is limited, and that the creation of a direct right of action would give individuals greater control over their personal information and would 'provide an additional incentive for APP entities to comply with their obligations under the Act'. The Issues Paper considers a number of ways that a direct right of action could be framed, including: 

  • limiting such an action to serious breaches of the Privacy Act;
  • requiring conciliation with the OAIC or another administrative body before the complaint can proceed;
  • making the action an alternative to conciliation, thereby affording the individual the opportunity to determine whether to take their complaint to the courts or to the OAIC; and
  • in circumstances where the individual is permitted to seek damages, imposing a cap on the damages that may be awarded.

The Issues Paper observes that there is currently no tortious right of action for an invasion of privacy under the Privacy Act or any other Commonwealth, State or Territory statute. The DPI Report recommended the introduction of a statutory tort of privacy, and although the Commonwealth Government acknowledged this, it noted that careful consideration of this would be necessary, having regard to existing legal protections available to individuals.

The Issues Paper considers the way in which a statutory tort for serious invasion of privacy might be framed, and notes the following:

Unlike a direct right of action, a statutory tort for invasion of privacy would enable individuals to seek redress for invasions of privacy that are not necessarily covered by the Privacy Act.

It has previously been proposed by the Australian Law Reform Commission that a statutory tort of privacy may address:

  • intrusion into seclusion, which would cover activities such as watching, listening to and recording a person's private activities; and
  • misuse of private information, encompassing unauthorised disclosures of personal information amounting to a serious invasion of privacy.

The Review will also consider whether the notifiable data breach scheme under Part IIIC of the Privacy Act has been effective and how it could be improved.

Finally, the Review will consider how the Privacy Act interacts with other Commonwealth, State and Territory regimes relating to the handling of personal information, and whether it is appropriate for the privacy regime in Australia to continue to be implemented pursuant to a patchwork of Commonwealth, State and Territory laws.

Next steps

The Review of the Privacy Act is broad-ranging and goes to the very core of privacy regulation in Australia. Although the Review is in its early stages, it has the potential to affect almost every organisation and industry, with particular impact on:

  • small businesses that currently rely on the small business exemption;
  • media organisations that currently rely on the journalism exemption;
  • the healthcare industry;
  • organisations that handle large volumes of personal information;
  • organisations that handle sensitive information;
  • organisations offering digital products or solutions that rely on de-identified or anonymised information falling outside of the current Privacy Act regime; and
  • multi-national companies that regularly transfer personal information between the EU and Australia.

The Attorney-General's Department is seeking submissions in relation to the 68 questions posed in the Issues Paper. Submissions are due by 29 November 2020. In 2021, a discussion paper will be released, seeking specific feedback on preliminary outcomes, and possible options for reform. The most effective reforms are facilitated through engagement from industry and other relevant stakeholders, to ensure that any eventual steps taken by government are fit for purpose. We encourage you to provide a submission to the Attorney-General's Department in relation to any of the 68 questions posed which may be of concern or interest to your organisation.