The most sweeping reforms to Australian privacy law in over twenty years

43 minute read  27.02.2023 Sonja Read, Susan Kantor, Christina Graves, Helen Lauder, Paul Kallenbach

The Federal Government has released its long-awaited report of the Attorney-General's Department review of the Privacy Act 1988. We explore the proposed reforms and their impacts in detail.


Key takeouts


  • The Report recommends the most substantial and wide-ranging set of reforms to Australian privacy law since the private sector changes were enacted in 2001.
  • The Attorney-General's Department is receiving submissions on the 116 proposals until 31 March 2023, and entities are encouraged to make a submission.
  • While a number of the Report’s recommendations would largely enshrine best practice into law, implementing some of the obligations will require entities to devote significant resources. Although the proposals are not yet law, there are steps entities can and should take now to prepare for these changes.

More than a year after the release of the previous Discussion Paper, which outlined potential areas for reform under the Privacy Act 1988 (Cth) (Privacy Act), the Federal Government has released its Report (Report) on its 2022 review of the Privacy Act.

The Government has expressed its intention to maintain the current principles-based approach of the Privacy Act, which allows flexibility and adaptability for entities across the economy. However, the extent and scope of the proposed reforms are unparalleled since the private sector's obligations were enacted in 2001. These reforms represent a significant shift in the privacy landscape and are likely to have far-reaching implications for all entities that handle personal information.

According to the Attorney-General, the proposed reforms are aimed at 'strengthening the protection of personal information and the control individuals have over their information', and ensuring the Privacy Act is fit for purpose in the digital age. One of the other key intentions of the reforms is to more closely align the Privacy Act with equivalent overseas laws, including the General Data Protection Regulation (GDPR) in the European Union and United Kingdom.

We have set out more detail about the proposed reforms below.

Next steps in the privacy reforms process

Interested persons can make submissions to the Attorney-General's Department by 31 March 2023. The Attorney-General has indicated an intention to release draft legislation later this year. Entities are therefore encouraged to lodge a submission, as it may be one of the last opportunities to be heard ahead of the release of draft legislation (although there will likely be further consultation on the draft legislation itself).

In addition, although the form of the amended legislation remains unknown at this stage and the proposals remain just that, it is clear that the Government is committed to proceeding with far-reaching privacy reforms. Accordingly, in order to prepare for the forthcoming changes, entities should take steps now. In particular, entities should:

  • undertake an information mapping exercise – which involves reviewing all of the personal information they hold, the source of that information, the purpose(s) for which it is collected and used (including secondary purposes), where and how it is held, and to whom it is disclosed. Regardless of whether this becomes a legal requirement, it is a necessary step for entities to be in a position to comply with many other aspects of the new laws. For many entities this will be a significant and time-consuming endeavour, making it advisable to commence this process now; and
  • consider their data retention requirements – be they legal, contractual or operational. In light of recent high profile data breaches, entities have been put on notice about the risks of retaining personal information for longer than is necessary. The Government has indicated that this will be a key area of focus.

Background to the Report

The Report is the third paper that has been released by a Federal Government for consultation on Privacy Act reforms since the release of the ACCC's Digital Platform Inquiry report (DPI Report) in July 2019 (the two prior papers were released by the former Coalition government). One of the recommendations of the DPI Report was a review and update to the privacy law.

You can read more about the history of these papers in our previous articles on the Discussion Paper and Issues Paper. The Report also comes soon after Parliament amended the Privacy Act late last year. Those amendments largely focused on increasing the maximum penalties under the Privacy Act. You can read further background about those recent amendments in our article, New privacy law sees tougher penalties and enforcement powers for serious and repeated privacy breaches.

Summary of key proposed reforms

1. ‘Fair and reasonable’ test and accountability

  • the collection, use and disclosure of personal information must be fair and reasonable in the circumstances, irrespective of whether consent has been obtained
  • entities must appoint a senior employee who is responsible for privacy
  • entities must keep a record of their handling of personal information, including the purpose of collection, use and disclosure, secondary uses and disclosures, the sources of information, and to whom information is disclosed

2. Definitions of ‘personal information’ and ‘reasonably identifiable’

The scope of ‘personal information’ to be subtly expanded, in particular, to encapsulate technical information such as device IDs and IP addresses. The concept of ‘reasonably identifiable’ (in respect of de-identified information) to be clarified.

3. Removal of exemptions

The small business exemption to be removed (after a period of consultation and guidance). The employee records exemption to be diluted (though not removed entirely) – in particular there will be new requirements relating to transparency (informing employees how their information is handled), security, destruction and data breach reporting.

4. New privacy policy, collection notice and consent requirements

Privacy policies and collection notices will be required to contain new information. Collection notices must be clear, up-to-date, concise and understandable. Consents must be voluntary, informed, current, specific and unambiguous.

5. Security, data retention and data breach clarification and strengthening

  • security obligations to apply to de-identified information as well as personal information
  • the ‘reasonable steps’ requirements in relation to the securing of personal and de-identified information to be clarified
  • data breaches must be reported to the Information Commissioner (IC) within 72 hours; additional information to be included in breach notices; entities must take reasonable steps to implement practices that enable them to respond to data breaches
  • Government to undertake a review of retention requirements across all laws that require retention; OAIC to issue further guidance in this area.

6. Marketing, targeting and data trading

  • there will be extensive changes to marketing requirements, split into requirements relating to direct marketing, targeting and trading. The concepts of targeting and trading are new;
  • the targeting proposal applies to de-identified information (information that is not about a reasonably identifiable individual) as well as personal information – for example, using unidentified internet history to tailor content;
  • individuals will have the right to opt-out of direct marketing and targeted advertising, and trading in personal information must only be undertaken with consent.

7. New rights for individuals

This includes a right to object to the handling of their personal information; to erasure and de-indexing of search results; and to an explanation about how their personal information is handled.

8. Cross-border disclosures made easier

Mechanisms to be introduced to make it easier to disclose personal information overseas in a compliant manner, including prescribing countries with similar protection to Australia (i.e. a ‘whitelist’) and developing standard contractual clauses for use by entities.

9. New requirements for children and vulnerable individuals

  • additional transparency requirements to apply in relation to children
  • direct marketing to, and targeting of, children prohibited except in narrow circumstances; trading in the personal information of children to be prohibited in all circumstances
  • additional clarification as to when an individual is experiencing vulnerability and if they would be at a higher risk of harm from interferences with privacy

10. Research

Broad consent for the purposes of research to be permitted in certain circumstances, as well as consultation on the broadening of the scope of research that is permitted without consent.

11. Remedies

  • individuals to have a direct right of action under the Privacy Act in relation to an interference with privacy
  • subject to consultation with the States and Territories as to how it might be implemented in a nationally consistent way, a statutory tort for serious invasion of privacy to be introduced (which may involve activity that is not a breach of the Privacy Act)

12. Enforcement, penalties and OAIC powers

  • tiers of civil penalties to be introduced (making it more likely that civil penalties, at least at the lower end, will be imposed)
  • consultation on a new criminal offence for malicious re-identification of de-identified information
  • the OAIC will be granted additional powers (including making APP codes where this is in the public interest; undertaking public inquiries and reviews; and an expansion of investigatory powers).

1. Overarching new concepts – 'fair and reasonable' test and accountability requirements

Fair and reasonable test

A centrepiece of the proposed amendments is the introduction of a new 'fair and reasonable' test. Going forward, APP entities would need to demonstrate that their collection, use and disclosure of personal information is 'fair and reasonable'. This will be assessed objectively.

Whilst a few options were canvassed by submitters, including the introduction of the GDPR-like ‘legal bases for processing’, the Report recommends this approach, which draws on the concepts of 'fairness' under the Australian Consumer Law and 'reasonableness' under the Privacy Act.

To assist entities in assessing whether their collection, use or disclosure of personal information is ‘fair and reasonable’, a list of matters to take into account will be specified in the Privacy Act, supported by further guidance in the Explanatory Memorandum. Importantly, the fair and reasonable test will apply regardless of whether individuals provide their consent to the relevant activity. This requirement is viewed by the Government as necessary to address concerns raised in the DPI Report in relation to some digital targeting and profiling practices, as well as the questionable effectiveness of privacy notices and consents. The matters that entities would need to consider in their ‘fair and reasonable’ assessment would include:

  • the reasonable expectations of the individual;
  • the kind, sensitivity and amount of personal information being collected, used or disclosed; and
  • whether the impact on privacy is proportionate to the benefit of the activity.

Organisational accountability

There are two key aspects to this proposal:

  • a requirement to appoint a senior employee within the entity who is responsible for privacy (although they may also have other responsibilities); and
  • a requirement to record the purposes (including secondary purposes) for the collection, use and disclosure of personal information.

The Office of the Australian Information Commissioner's (OAIC) current guidance on the Australian Privacy Principles (APP Guidance) recommends that entities put these arrangements in place in order for them to comply with existing obligations under APP 1. However, the Report recommends elevating these requirements to legislated obligations. For some entities who relegate the role of Privacy Officer to a junior employee, or notionally to a team to hold this responsibility, this requirement may necessitate organisational change. The record keeping requirements (which are already implicit under current law) will be a necessary step for entities to undertake in any event, in order for them to implement the privacy compliance arrangements contemplated by the reforms.

Other relevant aspects

Another proposal relevant to these concepts is a requirement to undertake privacy impact assessments (PIAs) for all activities with high privacy risks (that is, activities likely to have a significant impact on the privacy of individuals). Although this requirement appears to align with equivalent requirements under the GDPR and the APP Guidance (as well as recent determinations by the IC), and already exists for the Commonwealth public sector, further guidance about the projects that would require a PIA will be needed. The Government's intention is for OAIC guidance to articulate relevant factors and provide examples of activities that would require a PIA.

In light of the OAIC's recent focus on the use of facial recognition technology, the Report also highlights the need to further consider how enhanced risk assessment requirements for the use of facial recognition technology and other uses of biometric information may be adopted.

The OAIC would also continue to develop practice-specific guidance for new technologies and emerging privacy risks, including the OAIC's expectations for compliance with the Privacy Act when engaging in high risk activities.

2. The definitions of personal, sensitive and de-identified information

The Report highlights that the widespread adoption of digital technology and the consequent creation and storage of vast quantities of data, have raised questions about whether the definition of personal information remains appropriate. Amendments are proposed that would assist entities to identify information that should be categorised as being 'personal information'. However, questions about 'de-identified' information remain.

Personal information

To address issues arising from the decision in Privacy Commissioner v Telstra Corporation Ltd (2017) 249 FCR 24 (the Grubb case), the Report proposes amending the definition of personal information needing to be 'about' an individual, to information that 'relates to' an individual. There would still need to be a nexus between the individual and the information. This shift, although small, has the intention of encapsulating a range of technical information, including device IDs, Internet Protocol (IP) addresses, and more closely aligns with the GDPR. The definition would include a non-exhaustive list of information that could be personal information, supplemented by further guidance from the OAIC.

The definition of 'collects' would also be amended to expressly extend to information obtained from any source and by any means, including inferred or generated information (such as predictions of behaviour or preferences).

De-identified information

The Report examines the challenge of properly de-identifying personal information and the 'identifiability spectrum' – from unidentified information at one end, through to personal information, and then de-identified information at the other. Ultimately, the 'de-identification' of information is a risk to be managed, which may evolve over time, including as technology develops. To address some of the difficulties that entities perceive in understanding whether information is properly de-identified, the Report proposes to include a non-exhaustive list of circumstances to consider when assessing whether information is 'reasonably identifiable'.

In addition, the Report highlights the harms that can result from third parties re-identifying information that has been de-identified. To this end, the Report proposes prohibiting entities from re-identifying any de-identified information that has been obtained from a source other than the individual, with appropriate exceptions, such as where the re-identification is conducted by the entity that de-identified the information, or by a data processor acting on the instruction of the data controller.

Sensitive information

Equivalent changes to the definition of 'sensitive information' would be made for personal information (ie changing 'about' to 'relates to'), and clarifying that sensitive information can be inferred from information that is not (of itself) sensitive.

3. Partial removal of exemptions

The Report proposes to remove or narrow a number of the current exemptions under the Privacy Act. In this section, we have considered the small business and employee records exemptions. The political and journalism exemptions will also be narrowed through additional requirements that organisations must meet in order to obtain the benefit of those exemptions (including complying with security, destruction, and data breach reporting obligations).

Small business exemption

The Report proposes to remove the small business exemption. This means that all Australian businesses would be required to comply with the Privacy Act, regardless of their annual turnover.

However, the Report proposes a phased approach for its removal, recognising the need for further consultation with small business before its removal in order to better understand the impact on small business, what support they will need to adjust their privacy practices, and how best to provide that support and assist them in their compliance (perhaps through OAIC guidance or a code). The Report foreshadows 'a comprehensive package of assistance’ that will be developed and implemented'.

In the short term, the Report proposes to narrow the small business exemption, so that small businesses will not be exempt from the Privacy Act where they:

  • collect biometric information for use in facial recognition technology; or
  • trade in personal information (regardless of whether they have consent).

Limited controller-processor distinction for small business processors

There were calls from some submitters to introduce the GDPR concepts of 'controllers' and 'processors' into the Privacy Act. They argued it would better align the Australian law with EU and other laws and improve the functioning of the Act, particularly with respect to the reporting of data breaches.

Instead, the Report proposes the introduction of a partial controller-processor distinction following further consultation with small business and the completion of an impact analysis. Pending the complete removal of the small business exemption, it is proposed that the controller-processor distinction be introduced into the Privacy Act to impose limited privacy obligations on small business processors (who are otherwise exempt from the Act) that process personal information for controllers who are subject to the Act. In particular, the obligations that would apply to these small business processors would be APP 1 (open and transparent management of personal information), APP 11 (security and retention of personal information) and the NDB Scheme requirements (discussed in more detail in section 5 on Security, retention and data breaches, below).

Employee records exemption

It was widely expected that the employee records exemption would be removed in its entirety to align Australia with the GDPR (and laws of other countries). This would assist Australia in achieving 'adequacy' status from the European and UK regulators. Somewhat surprisingly, the exemption will not be removed entirely.

Instead, it is proposed to narrow the exemption (after a period of consultation) with the aim of:

  • providing enhanced transparency to employees, having regard to the purposes for which their personal information is being collected and used;
  • ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required; and
  • notifying employees and the IC of any data breach involving employees' personal information that is likely to result in serious harm.

The proposal is not one-sided. Having considered submissions made by industry groups such as Ai Group, the Government says it also aims to ensure that employers have adequate flexibility to collect, use and disclose employees' information where that is reasonably necessary to administer the employment relationship. This includes addressing:

  • the appropriate scope of any individual rights (e.g. to access and correct personal information); and
  • whether consent should be required to collect employees' sensitive information (potentially addressing some of the difficulties created by Lee v Superior Wood Pty Ltd [2019] FWC 2946, in which the Full Bench of the Fair Work Commission held that the exemption does not apply to the collection of employee personal information).

The proposal is not particularly detailed, leaving ambiguity as to what will remain of the exemption (particularly in relation to the scope of any individual rights, such as the rights to access and correct personal information). The Report states that further consultation should be undertaken with employer and employee representatives on how the protections should be implemented into law.

4. Privacy notices, policies and consent

One of the key themes of the DPI Report was the need for privacy notices to be clear and understandable, so that individuals can make properly informed choices about their information and to enable consent (where required) to be more effective. Against that background, the proposals regarding policies, notices and consent are not as extensive as might otherwise have been the case.

Privacy notices

The Report favours retaining the uniquely Australian distinction between privacy notices and privacy policies, rather than merging these requirements (as is the case in overseas jurisdictions). Like the DPI Report, the Report highlights difficulties with privacy notices that are overly complex or long. To address this issue, the Report proposes introducing an express requirement for privacy notices to be clear, up-to-date, concise and understandable. OAIC guidance would clarify what needs to be included in privacy notices.

Despite these good intentions, entities would still be required to include certain additional matters in their privacy notices, including if the processing of personal information is a 'high risk' category, and the types of personal information that may be disclosed overseas. This additional information will undoubtedly increase the length and complexity of privacy notices, particularly if the notice is required to list all of the types of personal information that may be disclosed overseas.

Privacy policies

The proposed amendments to requirements regarding privacy policies are not extensive. There would be a new requirement to stipulate data retention periods (see section 5 on Security, retention and data breaches, below). This requirement already exists under the GDPR, meaning that many global organisations likely already meet this requirement.

To address the perceived difficulty that the public has in understanding privacy policies that are complex and lengthy, the Report proposes the introduction of standardised sector specific templates and layouts for privacy policies and notices, as well as standardised terminology and icons, to be developed through OAIC guidance or APP codes.

Consent

The definition of 'consent' would be amended to enshrine and build on current OAIC guidance on the meaning of consent. That is, the definition would include a requirement that it be voluntary, informed, current, specific and unambiguous. In addition, the Privacy Act will codify the principle that valid consent must be given with capacity. The proposal does not go quite as far as the GDPR definition, which also requires consent to be given by a 'clear affirmative action', as the Government's intention is, somewhat surprisingly, to retain the current practice of entities being able to rely on implied, as well as express, consent.

Other proposals regarding consent include a new requirement to obtain consent to collect precise geolocation tracking information, and an express recognition of the right to withdraw consent. OAIC guidance would be developed on the design of online consent requests, and 'privacy by default' would be required for online privacy settings.

5. Security, retention and data breaches

Front of mind for the Report’s authors was the need to review the requirements regarding security and the retention of personal information, in light of recent high profile data breaches in Australia. They were also focused on addressing issues that have occurred in the reporting of those breaches.

Security requirements

In part, the proposals are aimed at providing greater clarity to entities about the measures that are considered to be 'reasonable steps' to protect personal information, and ensuring there is a more consistent implementation of foundational information security controls. To that end, the Report proposes to amend APP 11.1:

  • to state that 'reasonable steps' include technical and organisational measures. This amendment reflects the GDPR equivalent requirements as well as current industry practices; and
  • to include a non-exhaustive set of outcomes-based security factors (perhaps using the ACSC’s Cyber Security Principles as a starting point, but subject to industry consultation to determine what these factors might be).

These amendments would also be supported by enhanced OAIC guidance on what constitutes ‘reasonable steps’ to secure personal information.

In addition, to address the risks associated with de-identified information (as discussed in section 2 on The definitions of personal, sensitive and de-identified information, above), the requirements of APP 11.1 would be extended to de-identified information.

Retention of personal information

It is not uncommon for entities to retain personal information – sometimes for long periods of time – without necessarily considering their need to do so. However, as we have seen in recent data breaches, this practice can be risky, since it may enable threat actors to gain access to troves of personal (and perhaps even sensitive) information. The Report aims to address this issue through a range of proposals:

  • enhanced OAIC guidance on APP 11.2, to more clearly articulate the steps that are considered 'reasonable' to destroy or de-identify personal information, noting that APP 11.1 would also apply to de-identified (i.e. not just personal) information;
  • the Government to undertake a review of all legal provisions that require retention of personal information, and determine if they remain appropriately balanced with privacy and security objectives. This will no doubt be a significant endeavour, particularly if it were to result in amended retention requirements across an array of legislation. Therefore, entities should not expect changes to retention requirements in the short term; and
  • amend APP 11 to require entities to establish their own minimum and maximum retention periods (and specify these in their privacy policy), and to ensure personal information is destroyed or de-identified in accordance with these requirements.

In respect of the last proposal, the information mapping exercise referred to in section 1, Overarching new concepts, above, will assist entities to understand the full range of personal information that they hold, and when retention of that information will no longer be required for a lawful purpose.

Data breaches

In light of the significantly shorter timeframes for organisations to report data and cyber breaches under other Australian laws (such as under the security of critical infrastructure laws and the APRA CPS 234 requirements) and overseas laws (such as the GDPR), it is not surprising that the Report proposes to significantly reduce the timeframe for reporting a privacy breach to the OAIC – to 72 hours.

While the proposal will assist entities who are subject to other (stricter) reporting obligations to streamline their reporting, for many other entities, compliance with this requirement will necessitate significant operational change. The proposal also potentially raises issues, especially for individuals, who may receive multiple notifications as a cyber security incident evolves and more information comes to light. Although the amendment would allow for some flexibility in the timing of notices to individuals, it is possible that this approach may be confusing for individuals if entities are required to notify early, causing them unnecessary angst.

The content of a breach notice would also be updated to include (if appropriate) the steps taken to reduce any adverse impacts on the affected individuals, with further consideration given to an express requirement on entities to prevent or reduce harm that is likely to result from a data breach.

The Report also highlights the need to undertake further work to streamline the reporting process, including to assist the OAIC and entities with multiple reporting obligations. The Attorney-General would also be permitted (with appropriate safeguards) to share information with appropriate entities to reduce the risk of harm in the event of an eligible data breach.

Finally, following the introduction of the limited controller-processor concept (discussed in section 3, Partial removal of exemptions above), the distinction would operate so that only the 'controller' will be responsible for notifying individuals, but the 'processor' will prepare the statement and notify the OAIC. (This proposal operates in the opposite manner to the regime under the GDPR, pursuant to which controller manages all of the notification requirements.) If neither party notifies the OAIC, both parties will be in breach of the notification requirements.

Whilst on its face this proposal will be helpful, there could be situations in which confusion arises, particularly if a processor assesses the breach is an eligible data breach and notifies the OAIC, but the controller does not agree with the assessment and refuses to notify affected individuals. In addition, entities that are subject to both the Australian Privacy Act and the GDPR will need to operationalise these differing notification obligations.

6. Automated decision-making, direct marketing, targeting and trading in personal information

Picking up some of the key themes raised in the DPI Report, the Government has shown particular concern with the harms that may flow to individuals as a result of the use of emerging technologies (such as AI). For example, there is concern about when those technologies are used to make automated decisions about, or to profile, individuals.

Automated decision-making

The Report recognises the growing use of automated decision-making tools across the public and private sectors. While there are many benefits and efficiencies gained from the use of such technologies, there are also risks if biases and prejudices are baked into the tools. Drawing on the experiences of the EU and California, the proposals are aimed at 'substantially' automated decision-making processes, i.e. those with minimal human oversight. The proposal is not aimed at situations where a human decision-maker has genuine oversight of a decision, reviews a decision, or has discretion to alter the decision. The Report proposes:

  • that privacy policies set out the types of personal information that will be used in substantially automated decisions that have a legal or similarly significant effect on an individual's rights;
  • that the Act give a high-level indication of the types of decisions with a legal or similarly significant effect, to be supplemented by OAIC guidance; and
  • that individuals have a right to request meaningful information about how substantially automated decisions with a legal or similarly significant effect are made.

There is little detail in the Report about the types of automated decision-making that would be covered, but the Robodebt scheme is perhaps the most notable example of the kind of decision in view.

Direct marketing, targeting and trading in personal information

The Report sets out in some detail the harms that can result for individuals when they have no awareness of how and why they are being targeted, nor any control over the process. It also examines comparative overseas laws. As a starting point, to clarify these concepts, the Report proposes the inclusion of the following definitions:

  • direct marketing – the collection, use or disclosure of personal information to communicate directly with an individual to promote advertising or marketing material;
  • targeting – the collection, use or disclosure of information that relates to an individual, including personal information, de-identified information and unidentified information, for tailoring services, content, information, advertisements or offers provided to or withheld from an individual (either on their own, or as a member of some group or class); and
  • trading – the disclosure of personal information for a benefit, service or advantage.

The Report also aims to address findings from the DPI Report around individual control over direct marketing. To this end, the Report recommends that individuals should be provided with an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes. However, the provisions of APP 7 which permit organisations to collect personal information (other than sensitive information) for direct marketing purposes from individuals directly without their consent would remain.

Additional specific recommendations regarding targeting and trading activities include the following:

  • providing individuals with an unqualified right to opt-out of receiving targeted advertising;
  • introducing a requirement that an individual’s consent must be obtained to trade in their personal information;
  • specific prohibitions on direct marketing to, or the targeting of, children, with very limited exceptions if the activity is in a child’s best interests;
  • a prohibition on trading in the personal information of children;
  • a requirement that targeting activities should be fair and reasonable in the circumstances; and
  • a requirement to provide information about targeting, including clear information about algorithms and profiling to recommend content to individuals.

As with the requirement to provide meaningful information about automated decision-making, this last requirement could prove very challenging for entities that may themselves not fully understand how the algorithms they deploy (often supplied by third parties) actually operate.

7. Individuals' rights

A number of the proposals are aimed at providing individuals with greater transparency and control in relation to their personal information, and are based on similar rights recognised in the GDPR and by other overseas jurisdictions.

The proposed individual rights would be subject to certain exceptions.

Access to personal information and explanation

The existing right of individuals to access their own personal information held by an entity would be expanded to include a right to request an explanation of what the entity has done with the information and (if the information has been collected from someone other than the individual) the source of the information.

The existing discretion for organisations to impose a 'not excessive' charge for responding to an access request would be changed to permit a 'nominal fee' to be charged for providing access or explanation in response to a request. The Report states that charges should be waived for vulnerable people, and contemplates the possibility of the nominal fee being prescribed by the regulations.

Object to processing

Individuals would have the right to object to the collection, use or disclosure of their personal information in certain circumstances. This would not be an absolute right, but would rather enable individuals to question or challenge an entity's handling of their personal information (such as whether a collection is 'fair and reasonable'). The entity would then be required to provide a written response with reasons.

The Report indicates that a response could involve explaining why a practice complies with the Privacy Act obligations, and the outcome of a successful objection could include the entity agreeing to change the information handling practice, or assisting the individual to decide how they wish to engage with the entity in the future or make an OAIC complaint.

Erasure

In addition to entities’ de-identification and destruction obligations under APP 11.2, individuals would also have the right to request erasure of their personal information held by an entity. The entity would be required to comply with such a request, subject to:

  • certain general exceptions; and
  • certain limited information being quarantined rather than erased, so that it remains available for the purposes of law enforcement (while also restricting the entity's own ability to use that information).

If the information has been collected from or disclosed to a third party, the entity would be required to inform the individual of the third party, and notify the third party of the erasure request, unless doing so would be impossible or involve 'disproportionate effort' (a term which is not further explained in the Report).

The Report states that the right of erasure would not apply retrospectively to information that was already de-identified; however if an erasure request is made in relation to de-identified information that is later re-identified, the entity would be required to erase the re-identified information.

Correction

The existing APP 13 right of correction of personal information held by an entity would be extended to include generally available publications online over which the entity maintains control. This proposal is intended to recognise the potential harm to individuals where misleading or inaccurate personal information is published online, while balancing the public interest in freedom of expression and academic research by providing for public interest exceptions.

De-indexing of internet search results

The proposed right to de-index online search results (otherwise known as the 'right to be forgotten') would:

  • be jurisdictionally limited to Australia (i.e. to a search engine's Australian domain names); and
  • only relate to online search results containing personal information which is sensitive information; information about a child; inaccurate, out of date, incomplete, irrelevant or misleading; or excessively detailed. Proposal 18.5 cites home address and personal phone number as examples, while the Report explains that 'excessive information' means information that ‘would reveal too much about an individual in all the circumstances, such as all of their personal details or identification documents’.

Search engines would be able to refer a 'suitable' de-indexing request to the OAIC for assessment, for a fee; however, the Report indicates that the OAIC could refuse such a referral.

Compliance with rights of individuals

The following proposed obligations on entities are intended to support the effective exercise of rights by individuals:

  • acknowledge receipt of a request to exercise a right of an individual within a reasonable time, and provide a timeframe for responding (this obligation would apply to organisations only; no acknowledgement timeframe would be required of Commonwealth agencies);
  • in addition to notifying individuals about their rights at the point of collection (see section 4 on Privacy notices, policies and consent, above), provide individuals with reasonable assistance to exercise their rights. The Report does not provide details as to the scope of 'reasonable assistance', but appears to suggest that it could include consulting with an individual to reach a mutually agreed outcome, (which could be different from what may have originally been requested by the individual);
  • take reasonable steps to respond to a request within a reasonable timeframe (30 days for agencies unless a longer period can be justified; no maximum period specified for organisations); and
  • if a request is refused, provide reasons for the refusal and information about how the individual can lodge a complaint with the OAIC.

General exceptions to the rights of individuals

All rights of individuals would be subject to the following category-based exceptions:

  • competing public interests: for example, freedom of expression and law enforcement activities. This would involve an evaluation that weighs the public interest in undertaking (or continuing to undertake) a particular information handling activity or practice, against the public interest in protecting privacy. As noted in the Report, the Privacy Act currently provides for a number of exceptions to authorise the collection, use and disclosure of personal information in the context of health services, research and national security;
  • relationships with a legal character: for example, where complying with a request would be inconsistent with another law or a contract;
  • technical exceptions: this category is intended to include situations where complying with a request would be technically impossible (e.g. technical limitations on being able to give access to or erase data held in a particular digital form), unreasonable, or frivolous or vexatious.

8. Overseas disclosures

Overall, the proposed amendments to the current overseas disclosure requirements would assist entities to better comply with APP 8 and facilitate such disclosures. In particular, the Report proposes:

  • a mechanism to prescribe countries and certification schemes that are substantially similar to the APPs, effectively by creating a 'whitelist' or 'adequacy' regime similar to that under the GDPR; and
  • the introduction of standard contractual clauses (again, similar to that under the GDPR) for use when transferring personal information overseas.

These measures have been called for by many professionals practising in this area since the introduction of APP 8 in 2014.

Conversely, it is proposed to tighten the 'informed consent' exception under APP 8.2(b) by requiring entities to consider the risks of an overseas disclosure and to inform the individual that the protections of the Privacy Act may not apply if they consent to the disclosure. In practice, reliance on this exception tends to be limited, so the impacts are unlikely to be wide-ranging.

Finally, on a related point, the Report proposes further consultation on the meaning of an 'Australian link'. This is to address extra-territorial application issues arising from the amendments made to section 5B(3) of the Privacy Act in the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) and flagged by the Senate Legal and Constitutional Affairs Legislation Committee as part of its review of that Bill. The aim of the consultation would be to identify a means of better connecting an overseas entity's personal information handling practices with Australia.

9. Children and individuals experiencing vulnerability

The Report contains a number of proposals designed to strengthen privacy protections for children and individuals experiencing vulnerability.

Children

It is proposed to define a child as an individual who has not reached 18 years of age. This definition is relevant to the proposals considered below.

This definition does not change the assessment of when a young person has capacity to consent. As per current OAIC guidance, this must continue to be determined on a case-by-case basis or, if that is not practical, an entity may assume an individual aged 15 or over has capacity (unless there is something to suggest otherwise). The Report proposes to codify the principle that valid consent must be given with capacity, with exceptions for circumstances where parent or guardian involvement could be harmful to the child or otherwise contrary to the child's interests.

The Report's proposals for children fall under the following categories:

  • fair and reasonable test and the best interests of the child: entities would be required to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances. The Report acknowledges that the best interests of the child may not always be the sole factor to be considered, but that it should be a primary consideration (referring to guidance from the UK Information Commissioner's Office on conflicts in this area);
  • transparency: entities would be required to ensure collection notices and privacy policies are clear and understandable, in particular for any information addressed specifically to a child. This could be supported by OAIC guidance as well as the proposed Children's Online Privacy Code (and may include the use of visual or graphical communication);
  • Children's Online Privacy Code: there would be a Children's Online Privacy Code (Code) that applies to online services that are likely to be accessed by children (with certain exemptions). The Report recommends the Code be modelled on the UK's Age Appropriate Design Code, which encourages entities to implement high privacy settings by default and contains prescriptive standards for pro-privacy defaults in certain circumstances. The relevant proposals state the Code could provide guidance on the format, timing and readability of collection notices and privacy policies; and address how the best interests of child users should be supported in the design of an online service. (For example, it could consider whether specific requirements are needed for assessing capacity, whether certain processing should be limited, and default privacy settings);
  • marketing, targeting and trading: direct marketing to a child would be prohibited, unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the child's best interests. Targeting a child would also be prohibited, with an exception for targeting that is in the child's best interests, as would trading in the personal information of children. (Marketing, targeting and trading are considered further in section 6, Automated decision-making, direct marketing, targeting and trading in personal information, above);
  • de-indexing: individuals would have a right to de-index online search results containing personal information which is information about a child (see further section 7, Individuals' rights, above); and
  • PIA: PIAs would be required for high privacy risk activities. Children are not specifically listed in this proposal. However, the Report indicates that the high privacy risk activities that could be listed in the Privacy Act or OAIC guidance could include the collection, use or disclosure of children's personal information on a large scale.

People experiencing a vulnerability

It is not proposed to define vulnerability in the Privacy Act. Instead, it is proposed that OAIC guidance contain a non-exhaustive list of factors (both individual characteristics and situational factors) that indicate when an individual may be experiencing vulnerability and is at higher risk of harm from interferences with their personal information. 'Experiencing' vulnerability recognises that a person can move in and out of vulnerability. It is proposed that:

  • 'serious' interference: a 'serious' interference with privacy would be clarified to include activities impacting people experiencing a vulnerability;
  • guidance on supported decision making: OAIC guidance on capacity and consent would be updated to reflect recent developments in supported decision-making. This includes providing greater clarity on when and how third parties who give decision-making support should be recognised, and steps to ensure authorities, nominations and consents are valid; and
  • consultation: further consultation would be undertaken to clarify the issues and identify options to ensure that financial institutions can act appropriately in the interests of customers who may be experiencing financial abuse or may no longer have capacity to consent. The Report acknowledges that consideration should be given to whether changes should also apply to other sectors.

The fact that people experiencing a vulnerability may be at higher risk of privacy harms will also impact how other proposals apply to entities. For example, the Report notes this may be particularly relevant in relation to the proposed:

  • fair and reasonable test: the requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances; and
  • PIAs: the requirement to conduct PIAs for high privacy risk activities. The Report states 'it is proposed that an entity conduct a PIA before commencing an activity where the entity is aware, or ought to be aware, that an individual (or group of individuals) is experiencing vulnerability and the activity might have a significant effect on that individual (or cohort)'.

Many of the other proposals in the Report will also indirectly strengthen privacy protections for people experiencing a vulnerability (in particular those around transparency and sensitive information).

10. Research

In recognition of the public interest in human research and the challenges in obtaining specific consent for research in evolving areas of investigation, the Report proposes an amendment that permits broad consent for the purposes of research in certain circumstances. There are also proposals to consult further on broadening the scope of research permitted without consent, and developing a single exception for research without consent supported by a single set of guidelines.

11. Remedies

Direct cause of action

Individuals currently have very limited direct rights of action under the Privacy Act. The Report proposes that the Privacy Act provide a right for individuals to apply to the Federal Court or the Federal Circuit and Family Court of Australia (FCFCA) for relief in relation to an interference with privacy. The right of action would be available to any individual or group of individuals (and to representative groups bringing claims on behalf of such persons) who have suffered loss or damage as a result of a privacy interference by an entity.

Before Court action could be commenced:

  • the claimant would first need to make a complaint to the OAIC, and have the complaint assessed for conciliation by either the OAIC or a recognised external dispute resolution (EDR) scheme;
  • the IC or EDR scheme must be satisfied there is no reasonable likelihood of the complaint being resolved by conciliation, or alternatively the IC decides that the complaint is otherwise unsuitable for conciliation; and
  • if the IC decides that the complaint is unsuitable for conciliation on the basis that it does not involve an interference with privacy or is frivolous or vexatious, the claimant must seek the leave of the Court to bring an application.

The OAIC would be able to seek the leave of the Court to appear as amicus curiae or to intervene in proceedings.

The Courts would have a wide discretion to make any order they see fit in relation to remedies, including any amount of damages (that is, there is no proposed statutory cap on awards of compensation), where liability and loss or damage (which could include injury to a person's feelings or humiliation) is established.

Tort for serious invasions of privacy

A statutory cause of action for serious invasions of privacy was previously recommended by the Australian Law Reform Commission (ALRC) in its Report No 123, Serious Invasions of Privacy in the Digital Era (3 September 2014). The tort recommended by the ALRC:

  • relates to serious invasions involving misuse of private information or intrusion into seclusion, where such actions were committed intentionally or recklessly (i.e. more than mere negligence) and the plaintiff would have had a reasonable expectation of privacy in the circumstances;
  • would allow for a range of remedies including damages (including for emotional distress, and exemplary damages in exceptional circumstances), injunctions, declarations and apology orders; and
  • would require the court to be satisfied that the public interest in privacy outweighs any countervailing public interest (such as freedom of expression), and would be subject to a number of defences available to a defendant.

The statutory tort for serious invasions of privacy proposed in the Report would be based on the model proposed in ALRC Report 123, and would be subject to consultation with the states and territories on how it could be implemented in a nationally consistent way.

These changes are likely to have a significant impact on how risk allocation for privacy-related breaches in ICT services and other supply contracts is addressed.

12. Penalties, new offence and regulator powers

The Report sets out a range of proposals to build on the Privacy Act reforms enacted in November 2022, broaden the range of enforcement mechanisms, further strengthen penalty regimes, and increase regulatory and enforcement powers.

Tiered approach to penalties

Section 13G of the Privacy Act prescribes maximum civil penalty amounts for serious and repeated interferences with privacy (which were increased by the November 2022 reforms).

The Report proposes the removal of the word 'repeated' so that civil penalties can be imposed in respect of a single serious incident. It also proposes to clarify that a 'serious' privacy interference may include one that involves the following (not necessarily an exhaustive list, with further guidance to be provided by the OAIC):

  • sensitive information or other information of a sensitive nature;
  • large groups of individuals that are adversely affected;
  • impacts to people experiencing vulnerability;
  • repeated breaches;
  • wilful misconduct; and
  • serious failures to take proper steps to protect personal data.

In addition, it proposes to create tiers of civil penalty provisions (so that regulatory responses can be better targeted having regard to the nature of a privacy breach), which include:

  • low-level civil penalties, and infringement notice powers for the IC with set penalties, for specific 'administrative' breaches of the Privacy Act and APPs (eg, breaches of APPs 1.3, 2.1, 6.5 or 13.5, or a failure to give the IC information as and when required by the Privacy Act);
  • mid-tier civil penalties for other privacy interferences that do not have a 'serious' element.

Requirement for entities to identify, mitigate and redress actual or foreseeable loss

Section 52 of the Privacy Act currently allows the IC to make a determination that includes one or more prescribed declarations. This includes requiring a respondent to take reasonable action to redress any loss or damage suffered by a complainant as a result of a privacy breach.

To support a more proactive approach to mitigating the consequences of privacy breaches to individuals, it is proposed that the IC would have the power to specifically require an entity to identify, mitigate and redress any actual or reasonably foreseeable loss or damage to a complainant or affected individual (with guidance material to be published by OAIC).

Offence for malicious re-identification of information

In addition to the general prohibition on third parties re-identifying de-identified information, intended to address harms caused by threat actors (see section 2, The definitions of personal, sensitive and de-identified information, above), the Report proposes consultation on the introduction of a criminal offence for malicious re-identification of de-identified information. This is specifically for circumstances where there is an intention to harm another person or obtain an illegitimate benefit, and would be subject to appropriate exceptions. For example, the Report indicates that the offence should not apply to research involving cryptology, information security and data analysis, or to the testing of information security safeguards, so legitimate re-identification risk assessments of de-identified datasets would not be caught. Nor would the offence apply to government data disclosed under the regime established by the Data Availability and Transparency Act 2022 (Cth), as that Act already provides for its own criminal penalties in respect of such data.

OAIC powers

The OAIC's powers are proposed to be strengthened to include the power, on direction or approval by the Attorney-General, to:

  • make an APP code where it is in the public interest to do so, and there is unlikely to be an appropriate industry representative to develop the code;
  • make a temporary APP code for a maximum period of 12 months if it is urgently required and in the public interest; and
  • undertake public inquiries and reviews into specified matters (which the Report states would include the ability to take evidence and require production of documents, but not extend to a hearing power).

The OAIC's investigation powers would also be expanded to include those in Part 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) and a discretion not to investigate a complaint that has already been adequately dealt with by an EDR scheme.

Courts’ powers

The Federal Court and FCFCA would be given a broad discretionary power to make any orders they consider appropriate in relation to contraventions of civil penalty provisions relating to interferences with privacy.

Other matters

Other proposals relating to the OAIC's regulatory functions and operations include:

  • further investigation into the effectiveness of an industry funding model for the OAIC (i.e. funding of enforcement related litigation costs);
  • making changes to OAIC annual reporting requirements to provide greater transparency around complaint outcomes, including numbers of dismissed complaints; and
  • conducting a strategic internal organisational review to ensure the OAIC structure has a greater enforcement focus.

13. Cooperation and reviews

The Report recognises that, although one of the purposes of the Privacy Act is to develop consistent baseline protections for personal information, there are a number of other schemes operating in Australia that cover the same or similar subject matter. Examples include the My Health Record and the Consumer Data Right. Disparate rules across multiple schemes add to the compliance burden for impacted entities.

To address these issues, the Report proposes:

  • that the Attorney-General develop a privacy law design guide to support Commonwealth agencies when developing new schemes with privacy-related obligations;
  • encouraging regulators to continue to foster regulatory cooperation in enforcing matters involving mishandling of personal information; and
  • establishing a Commonwealth, State and Territory working group to harmonise privacy laws, focusing on key issues.

Whilst harmonisation of privacy laws across the Commonwealth and States and Territories would be welcome, the Report falls short of requiring mandatory consultation between regulators or, for example, a single point of contact for reporting data breaches. The current system requires multiple reports to multiple regulators.

Finally, the Report recommends a review of the amendments to the Privacy Act within three years of their commencement.

MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in making a submission on the Report or in undertaking an information mapping audit.

https://www.minterellison.com/articles/the-most-sweeping-reforms-to-australian-privacy-law-in-over-twenty-years