On 28 September 2023, the Federal Government published its response to the Privacy Act 1988 (Cth) (Privacy Act) Review Report (Report).
The Report was published on 16 February 2023, and marked the conclusion of the Attorney-General's Department's long-running review of the Privacy Act, which sought to propose a pathway to modernise and strengthen Australia's privacy framework. The Report tabled 116 proposals for privacy reform. You can read more about the Report in our substantive reforms to Australian privacy law update.
Public consultation was undertaken to inform the Government's response to the Report. Approximately 500 written submissions were received from individuals and public and private sector organisations. A clear expectation was expressed in these submissions that the Government will amend privacy laws to ensure the collection, use and disclosure of personal information is reasonable, reflects community expectations, and is sufficiently protected from unauthorised access and misuse.
In summary, the Government has responded to the Report’s 116 proposals as follows:
- agreed to 38 of the 116 proposals – meaning that the Government will now move to prepare draft legislation to implement these proposals, with further targeted consultation to take place to settle the final form of legislation;
- agreed in-principle to 68 of the 116 proposals – meaning that the Government has indicated a need for additional engagement with regulated entities and the undertaking of a comprehensive impact analysis in relation to these proposals prior to their implementation, to ensure an appropriate balance is struck between the benefits of the proposals and the associated economic costs; and
- noted ten of the 116 proposals – meaning no immediate further action will be taken in relation to them.
Notably, the proposal to provide individuals with an unqualified right to opt-out of receiving targeted advertising, and all proposals relating to extending the operation of the Privacy Act to registered political parties, were noted by the Government.
In this update, we highlight the key proposals to which the Government has agreed or agreed in-principle, explain the likely changes to Australian privacy law, and explore the roadmap through which these changes would be implemented.
Throughout this update, we use the term regulated entity. This term is used in the Government's response to capture both APP Entities currently subject to the Privacy Act and entities that are not currently APP Entities but which will be regulated under the proposed reforms.
Key focus areas for reforms
The Government response identifies the following key focus areas for reform of the Privacy Act:
- Bringing the Privacy Act into the digital age
- Uplifting protections
- Increasing clarity and simplicity for entities and individuals
- Improving control and transparency for individuals over their personal information
- Strengthening enforcement
Bringing the Privacy Act into the digital age
A key focus of the Report was that the Privacy Act is not currently fit for purpose, given the rapid change of technology since its introduction in 1988 and the significant amendments to the Act in 2014. In its response, the Government has agreed to amend the objects of the Privacy Act to reflect that its primary focus is on the protection of personal information, rather than necessarily 'privacy' in the broader sense in which many individuals may understand that concept. The Government has also agreed in-principle to a number of proposals which are directed at better tailoring the Privacy Act to the digital age, including the expansion of core concepts such as what constitutes ‘personal information’ (P4.1) and ‘collection’ (P4.3) and introducing new concepts, such as including a definition of de-identification which makes it clear that this is a contextual concept (P4.5).
It is clear from the Government's response that proposals which have been agreed in-principle will likely still be implemented (the Government expressly states that it will be consulting 'in implementing these changes' in its response) and that the consultation to be subsequently conducted is to determine the best way for such implementation to occur. It is possible however that in carrying out its consultation, the Government will decide on an approach which is different from that set out in the relevant proposal in the Report. Accordingly, we recommend that regulated entities continue to engage with the Government's consultation process.
Finally, although the Government has agreed to consult further on the introduction of a criminal offence for malicious reidentification of de-identified information (P4.7), it has only noted the proposals in the Report recommending further specific protections for de-identified information. The Government acknowledged its agreement with the objective of these proposals, so it is possible that some specific protections for de-identified information may be reflected in the draft legislation.
Uplifted protections
The Government's response notes that it is important to uplift protections in the Privacy Act, stating that it is necessary to move away from the 'notice and consent' approach under the current model, which requires individuals to self-manage their privacy.
By uplifting protections under the Privacy Act, the Government aims to increase the accountability of entities in handling personal information, so that protections in the Privacy Act better align with community expectations. To this end, the Government has agreed in-principle to the introduction of a 'fair and reasonable test' which will be applied to the collection, use and disclosure of personal information (P12.1). The Government states in its response that the 'contours' of this test will evolve over time through the publication of OAIC guidance and through enforcement processes (both in OAIC determinations and judicial consideration).
The Government has acknowledged the growing concerns in the community around the security of personal information held by regulated entities, and that the volume of information held is growing. To increase the security of personal information, the Government has agreed that the 'reasonable steps' that an organisation must take to satisfy Australian Privacy Principle (APP) 11 must be specified in the legislation, both at a technical and organisational level (P21.1), and has agreed that this should be augmented with additional guidance from the Office of the Australian Information Commissioner (OAIC) (P21.3).
The Government has also addressed reforms to the Notifiable Data Breaches Scheme, which may have demonstrable impacts on entities navigating the challenges of responding to eligible data breaches. This includes agreement in-principle to new organisational accountability obligations aimed at encouraging entities to integrate privacy-by-design into their operating procedures. The new notification timeframe set out in P28.2 – a requirement to notify the OAIC as soon as practicable, and not later than 72 hours – has been agreed in-principle, with the Government stating it will 'further explore appropriate timeframes with stakeholders and alignment with other relevant reporting frameworks'. This will significantly shorten the timeframe for regulated entities to notify eligible data breaches (in line with GDPR requirements), and it is important that, if this change is implemented into law, regulated entities ensure that their policies, procedures and systems are able to address this truncated timeline.
The Government has considered in its response a number of high privacy risk activities, acknowledging the community's expectation of additional requirements under the Privacy Act. This includes agreeing that consideration needs to occur as to how facial recognition technology and the collection of biometric information should be treated under the Privacy Act (P13.2). The Government has also agreed in-principle to the requirement for private sector organisations to conduct a Privacy Impact Assessment for activities which are considered to be a high privacy risk, which would be determined in accordance with guidance to be developed and published by the OAIC (P13.1). This has the potential to increase the timelines and compliance burden for regulated entities who wish to use personal information in ‘high risk’ projects and applications.
Importantly, the Government appears to acknowledge that automated decision making (ADM) is a high risk activity, and has agreed to proposals requiring privacy policies to set out how personal information will be used in ADM, where that application has a legal or similar effect on an individual's rights (P19.1 and P19.2), and that individuals should have the right to request meaningful information about how such decisions are made (P19.3).
Increased clarity and simplicity for entities and individuals
The Government has acknowledged in its response to the Report that Australia's privacy regime must allow businesses to take advantage of the opportunities presented by emerging technologies and that amendment to the Privacy Act is required to provide 'clarity and simplicity' for regulated entities. This is intended to provide regulated entities with the certainty required to adopt and develop new technologies.
To achieve this, the Government has:
- agreed in-principle to introduce clarified definitions for key terms and concepts in the Privacy Act (P4.3, P4.5, P4.10, P11.1, P23.6);
- agreed in-principle to the introduction of a distinction between controllers and processors of personal information, to bring Australia in line with the GDPR and tailor the compliance burden to the activities being conducted by the entity (P22.1);
- agreed in-principle to measures to reduce inconsistency between the Privacy Act and other legislation, both as part of the Commonwealth's broader digital and data regulatory framework and with State and Territory privacy laws (P29.1 and P29.3);
- agreed that a mechanism should be introduced to prescribe countries with substantially similar privacy laws (similar to an adequacy decision under the GDPR) (P23.2); and
- agreed in-principle to a range of mechanisms to facilitate overseas data flows, including the development of standard contractual clauses for non-specified countries (P23.3) and a strengthened informed consent regime for the transmission of personal information to non-specified countries when the use of standard contractual clauses is not appropriate (P23.4 and P23.5).
Improved transparency and control
The Review of the Privacy Act posited that individuals have limited transparency and control over their personal information, and that documents that are designed to inform individuals and facilitate transparency and control over personal information (such as collection notices and privacy policies) are often legalistic and complex.
To support improved transparency and control, the Government has agreed in-principle to a number of proposals designed to improve the quality of consent given by individuals, and allow for the withdrawal of that consent (P11.1 and P11.3). Additionally, a number of proposals have been agreed in-principle to improve the quality of privacy policies and collection notices (P10.1 and P10.3), including specific inclusions in collection notices which relate to high privacy risk activities (P10.2).
Importantly, the Government has agreed in-principle to a number of proposals designed to give individuals greater rights over their personal information.
This includes, amongst other things, the ability for individuals to request explanations as to how personal information is used through an enhanced right to access process (P18.1), and an ability to challenge an organisation's information handling practices (P18.2).
The Government has also agreed in-principle to both the implementation of a direct right of action for individuals (P26.1) and a statutory tort for serious invasions of privacy (P27.1).
These mechanisms have the potential to significantly increase the compliance burden for regulated entities. Under the proposed new regime, regulated entities will need to be prepared to deal with significantly more detailed requests for information from individuals, as well as managing the risks associated with a direct right of action, which could make individuals with whom organisations are engaging more willing to agitate if they are not satisfied with the responses received from organisations in relation to how their personal information is being handled.
Strengthened enforcement
Acknowledging the important role that effective enforcement has in protecting the privacy of individuals, the Government has agreed to a range of proposals designed to increase the enforcement capabilities of the OAIC. This includes a strategic review of the OAIC, to ensure that it is structured to have a greater focus on enforcement (P25.10). Further, the Government has agreed to implement increased penalties in relation to interferences with privacy, including:
- clarifying that serious interferences with privacy do not need to be repeated to be subject to civil penalties (P25.2);
- implementing civil penalties for mid-tier and low-level privacy interferences (P25.1); and
- conferring increased latitude on the Federal Court and the Federal Circuit and Family Court of Australia to make orders once a civil penalty has been imposed (P25.6).
As with many of the proposals being considered by the Government, the increased focus on enforcement by the regulator, and broadened avenues for civil penalties to be imposed on regulated entities, has the potential to increase the compliance focus, and therefore the compliance burden for organisations who are subject to the Privacy Act.
The exemptions remain (for now)
A number of the exemptions currently contained in the Privacy Act were the subject of proposals either to dilute their operation, or remove them entirely.
Small business exemption
The Report proposed that the small business exemption (which, subject to certain exceptions, currently exempts businesses with an annual turnover of $3 million or less from the operation of the Privacy Act) be removed, subject to a period of consultation with small businesses to develop the best way to regulate their use of personal information, proportionate to the economic impost of regulation and the risks associated with how personal information is used by them (P6.1).
The Government has agreed in-principle to this proposal. In its response, the Government acknowledges the impact that increased privacy regulation may have on small businesses, and commits to consultation with small business to understand the unique impact that increased regulation would have on small businesses and how regulation can be modified, or how specific tools can be developed, to ease the burden of compliance. It appears likely, on the basis of the Government's commentary, that the small business exemption will still be modified in some way or perhaps removed; however, the extent to which small business will be regulated will be determined through consultation. Given the regulatory burden that will be placed on small business by the removal of the exemption, it seems possible that the Government will consider proportionate regulation, which takes into account the size of the business and the risks associated with how a business uses personal information.
The removal of the small business exemption will impose significant new regulation on small business, and it is essential that this sector engages with the Government as part of the proposed consultation process. Industry groups immediately reacted to the Government's response, repeating concern about the proposal to remove the small business exemption. The Government can expect robust dialogue if this proposal is to proceed.
Employee records exemption
Particularly in the context of recent court decisions, such as Lee v Superior Wood [2019] FWCFB 2946, there had been speculation that the employee records exemption would also be diluted or removed. The proposal in the Report that the employee records exemption be modified to increase privacy protections for private sector employees (P7.1) has been agreed in-principle by the Government. The Government response acknowledges the confluence of privacy and workplace relations laws in this space, and highlights the need for consultation and further consideration of the impact that removing the employee records exemption may have (including on small business) and how the removal of this exemption may be timed with new privacy obligations being imposed on small business.
The road ahead
As discussed throughout this update, the Government has given two responses to the majority of proposals outlined in the Report – either agreed or agreed in-principle. The distinction between these two responses, in our view, largely relates to timing, rather than a question of whether the proposal will be implemented or not.
Regardless of whether a proposal has been agreed or agreed in-principle, there will likely be significant reform activity throughout 2024, as the Government moves into the implementation phase of the reform journey.
For proposals that have been agreed, it is likely that we will see amending legislation developed and introduced into Parliament in the course of 2024.
For proposals that have been agreed in-principle, the Government will continue consultation on these proposals, with a view to appropriately balancing the privacy protections that are the subject of the proposals with the economic impacts and regulatory burden on regulated entities. It will be important for organisations impacted by agreed in-principle proposals to engage with this further consultation, to ensure that the draft legislation is fit for purpose and takes account of the compliance cost and burden placed upon them.
These next steps will build on amendments to the Privacy Act passed in 2022, which substantially increased penalties for repeated or serious privacy breaches, and conferred on the OAIC increased powers to investigate data breaches.
In its response, the Government has acknowledged that regulated entities will need adequate time to prepare for the amendments to the Privacy Act, to ensure that they are able to achieve and maintain compliance. As part of progressing these reforms, consideration will be given to appropriate transition periods, suitable guidance material and other support for regulated entities to facilitate compliance.
We will continue to keep you updated as this complex and far-reaching reform journey progresses.
It is clear from the Government's response to the Report that the process of reforming the Privacy Act will continue through 2024 and beyond. This will be a significant reform journey that should be actively monitored and engaged in by all entities who collect, use, store, disclose and otherwise deal with personal information.
If you would like to discuss this update, or if we can assist your organisation to respond to these reforms in any way, please contact our team.