INSIGHT

Privacy Act Review – what you need to know

By Valeska Bloch, Isabelle Guyot, Winnie Ma

Strengthening protections. Streamlining compliance.

The Government has commenced its long-awaited review of the Privacy Act 1988 (Cth) (Privacy Act), a key part of the Government's response to the ACCC's Digital Platforms Inquiry. The review is being undertaken by the Attorney-General's office and seeks to bring Australia's privacy laws into the digital era, strengthen privacy protections for individuals and streamline compliance for businesses working across international borders.

In this Insight, we consider the key implications arising from the recent release of the Attorney-General's Issues Paper.

Key takeaways

  • Submissions in response to the Issues Paper are due on 29 November 2020. A second issues paper will be released in early 2021 seeking more specific feedback on preliminary outcomes, including possible options for reform.
  • There are no surprises in the Issues Paper, as it broadly follows the recommendations stemming from the Digital Platforms Inquiry and Australian Law Reform Commission (ALRC) reports in 2008 and 2014 respectively. The review also builds on the Government's announcement in March 2019 of reforms to increase the maximum civil penalties under the Privacy Act and develop a binding privacy code to apply to social media platforms and other online platforms that trade in personal information.
  • The Attorney-General's review is likely to result in significant reform to the existing Privacy Act. Reforms are likely to include stricter requirements for when and how consent is obtained, an updated definition of 'personal information' to include technical data and online identifiers, additional protections in relation to de-identified information, enhancement of the OAIC's enforcement powers and further rights for individuals.
  • If implemented, these changes would require businesses to reconsider how they define personal information and revisit the operation of their consents and notification mechanisms for collecting, using and disclosing personal information. The changes are likely to necessitate technological change in order to implement and operationalise the reforms.
  • These changes are reinforced in the OAIC's statement welcoming the review, in which Commissioner Angelene Falk identified four key elements to support effective privacy regulation: global interoperability; enabling privacy self-management; organisational accountability; and a contemporary approach to regulation.
  • Overall, the reforms are likely to see a shift from a purely principles-based regime to more prescriptive measures for certain key protections, in line with privacy regimes implemented for the Consumer Data Right and CovidSafe.

Background

Privacy law reform has been the subject of significant consideration in previous reports of the ALRC and ACCC. The Issues Paper follows numerous recommendations of the ALRC published in the Serious Invasions of Privacy in the Digital Era (2014) and For Your Information: Australian Privacy Law and Practice (2008) reports. The Issues Paper also focuses on the Digital Platforms Inquiry Final Report (DPI Final Report) which was released by the ACCC in June 2019. The DPI Final Report made extensive recommendations to strengthen privacy protections for individuals and improve transparency and accountability in data handling practices. Last year, we unpacked these recommendations and their implications for privacy law in our Insight.

The Issues Paper deals with potential for reform through three key areas:

  1. Scope and Application of the Privacy Act
  2. Protections
  3. Regulation and Enforcement

We have identified some of the topics that are subject to the review below.

1 - Scope and application of the Privacy Act

A number of areas have been identified as part of the review in relation to the scope and application of the Privacy Act. In addition to the items explored further below, the following are under consideration by the Attorney-General's department:

  • the continued relevance of the objectives of the Privacy Act;
  • the type and nature of organisations regulated by the Privacy Act; and
  • the operation of the political parties exemption and journalism exemption.

Employee records exemption

In most circumstances, the handling of personal information contained within an employee record is exempt from the operation of the Privacy Act.

The Issues Paper identified a number of issues with the current operation of the employee records exemption, including:

  • there is a substantial amount of information, including sensitive information, that falls within the current exemption. This means that sensitive information relating to employees often does not need to be handled in accordance with the Privacy Act, despite public expectations that such information should be protected; and
  • the breadth of the exemption is currently unclear due to a recent decision of the Fair Work Commission, Lee v Superior Wood [2019] FWCFB 2946, which indicated that it only applies to employee records already held by a company, rather than the collection of new personal information.

The ALRC has previously recommended that the exemption be removed.

Should any changes be made, the role of consent in an employee-employer relationship is likely to be a live issue and is specifically dealt with in the Issues Paper. This is because there is substantial doubt as to an employee's ability to freely provide their consent given the power imbalance in an employee-employer relationship. This has been raised in the context of the General Data Protection Regulation (GDPR) in the guidelines on consent adopted by the European Data Protection Board, which suggest that an employee cannot freely provide their consent to their employer and therefore it is problematic for employers to process the personal data of their employees on the basis of consent.

In light of the above, there is a reasonable chance the Attorney-General will recommend removing this exemption, although the role of any overlapping state-based legislation is likely to be a live issue.

Small business exemption

The Issues Paper considers in some detail the background to the small business exemption, its operation and current challenges. In particular, the Issues Paper considers a number of specific details of the current exemption, including:

  • the balancing of privacy risks and compliance costs, including previous recommendations made by various parliamentary committees and the ALRC to remove the small business exemption, noting that no other comparable jurisdiction exempts small business from general privacy law;
  • the exceptions that apply to the exemption and their continued suitability, including whether other exceptions to the exemption should apply. This includes specific consideration of the appropriateness of the exemption for small businesses that trade in personal information but obtain consent of the individuals; and
  • the appropriateness of the $3 million threshold, noting the different definitions of a 'small business' that exist under various Australian laws.

Ensuring the Act protects an appropriate range of technical information & inferred information

In the DPI Final Report, the ACCC recommended expanding the definition of personal information to include technical data such as IP addresses, location data, device identifiers and any other online identifiers. The Government supported this recommendation in principle.

The Issues Paper reiterated concerns that the current definition of personal information does not adequately capture technical information. We think this recommendation is likely to be adopted.

While the proposed formulation is superficially similar to the GDPR definition of personal information, the final wording of any change to the definition will be critical, as it currently also appears to assume these named categories of data (such as IP addresses) do in fact 'identify an individual'.

The Issues Paper also identifies 'inferred information' as information that deserves protection under the Privacy Act, noting the increasing risks that come from organisations inferring sensitive information based on other data. Whilst in our view inferred information is already likely to be captured within the existing definition in many circumstances (where such information is attached to an identified individual, on the basis that it is an opinion about an individual), this may remove any ambiguity in the existing definition and ensure that the added protections afforded to sensitive personal information are afforded to this type of information.

Protections in relation to de-identified, anonymised and pseudonymised information

The Issues Paper identifies growing concerns around the use and disclosure of de-identified information, given that such information is not regulated by the Privacy Act and there is an increasing risk it can be re-identified.

The paper identifies a number of ways of dealing with these increased risks:

  • Australia could move to a higher standard of de-identification, eg requiring anonymisation of data so that it is irreversibly stripped of identifiable information, consistent with the GDPR;
  • the Privacy Act could be amended to regulate de-identified information; and/or
  • an offence could be created for re-identifying personal information (following on from the Privacy Amendment (Re-Identification Offence) Bill, which was introduced to Parliament in 2016 but lapsed in 2019).

Given CSIRO's Data61 and the OAIC's statements in their De-identification Decision Making Framework which refer to the limitations of ever being able to entirely de-identify information, we anticipate it is more likely that the Government will look to regulate de-identified information rather than apply higher standards (which in practice can be difficult to meet whilst still being able to usefully use such information).

The paper does not specify how de-identified information may be regulated, but it may be that a subset of the Australian Privacy Principles (APPs) continue to apply to de-identified information.

Any regulation of de-identified information is likely to require substantial operational and legal uplift by organisations that currently rely on de-identification of data to enable use or sharing of personal information that would not otherwise be permitted under the current APPs.

2 - Protections

Notices

The Issues Paper also identifies issues with the collection notices currently provided by organisations. It emphasises that notices must be presented in a way that can be easily understood by an individual to ensure that individuals are made aware of relevant matters. However, it is acknowledged that there are complexities in providing notices where information is provided by third parties.

We anticipate that, following on from the DPI Final Report, improved transparency of how organisations handle personal information is likely to be a key reform. This may see a shift from principles to increased prescription as to form, content and provision of notices, including the introduction of standardised language and/or icons. A real issue though, as with consents, will be how to manage information fatigue in individuals, as well as how to approach third party collection of personal information – two key risks identified in the Issues Paper.

Given the current lack of certainty and evolving market practices when it comes to what (and in what manner) information should be included in notices, we can see benefits to the adoption of a standardised approach, depending on how this is implemented.

Consent requirements

The importance of individual consent to data handling is a critical piece of the Issues Paper. We outline some key observations below:

  • Following on from the DPI Final Report, there is likely to be increased focus on unbundling consents (from other consents as well as from the provision of services). Bundled consents, whilst identified in existing APP guidance as a type of consent that should be avoided, are incredibly common in the market and a known risk area. Given the gap between APP guidance and market practice, this is a concept where the principles-based nature of the Privacy Act may not meet continuing community expectations and is likely to be subject to reform.
  • Requirements for valid consent may also become more prescriptive. Mechanisms such as 'pro-consumer defaults' or specific requirements to obtain consent from children are discussed.
  • The Issues Paper also identifies an increased role for consent as a lawful mechanism to enable data handling over other types of mechanisms (such as reasonable expectations). Whilst the Issues Paper appears to place increasing weight on consent, this contrasts with some of the practical consequences of the position under the GDPR, where the strict consent requirements limited the usefulness of consent for organisations (which instead are more likely to rely on a 'legitimate interests' basis for handling personal information).

Overseas transfers

The current protections under the Privacy Act in relation to the overseas transfer of personal information are a key area of focus in the Issues Paper. We outline some of our observations below.

Obtaining adequacy under GDPR

  • The paper considers the benefits and disadvantages of Australia seeking adequacy under the GDPR. Although it is noted that Australia's trade with EU countries is less substantial than that with the APEC region, there are likely to be significant benefits for Australian organisations if Australia receives adequacy under the GDPR – both for enabling transfers from the EU to Australia, and for the value this is likely to bring to Australia's trade with other countries, given the worldwide view of the GDPR as a high watermark for privacy protection.
  • However, the practical difficulties of obtaining adequacy under GDPR do not appear to have been fully considered in the paper. Whilst the small business exemption and employee records exemption are identified as likely barriers to adequacy (based on previous considerations of adequacy under the regime prior to the GDPR), developments in the GDPR likely mean that Australia's national security laws are also very likely to prove a barrier – particularly given the June 2020 decision of the European Court of Justice in Schrems. It is not clear whether there would be any appetite on behalf of Government to seek to address this latter issue in order to obtain adequacy.

Suitability of existing protections on overseas disclosures

  • The suitability of Australia's current protections on information disclosed overseas is also identified, including a discussion on the usefulness of current provisions which require accountability of transferors, as opposed to a prohibition-based regime.
  • Whilst the Issues Paper does not seem to indicate there is likely to be substantial change in terms of accountability, it does appear that the question of an OAIC or government-approved 'whitelist' of countries which meet Australia's privacy standards is likely to be reconsidered. This would be a relatively simple way of improving privacy protections for information disclosed overseas and reducing red tape for organisations that currently have to make their own assessments as to the suitability of foreign privacy laws. The political consequences of having a whitelist are likely to be a key issue in accepting this potential reform.
  • Although the Issues Paper identifies increasing concerns around overseas data, we do not get the sense it is leaning towards implementing prohibitions in relation to data transfers – an interesting position given the increasing use by FIRB of data export restrictions as part of foreign investment approvals.

Right to erasure and destruction

The Issues Paper discusses the ACCC's recommendation from the DPI Final Report to include a right to erasure for individuals, in contrast to a mandatory deletion obligation once data is no longer necessary (the latter being identified as creating a significant regulatory burden for organisations). The GDPR has a similar right to erasure (commonly known as the 'right to be forgotten').

The Issues Paper acknowledges the tension between the public interest, including freedom of information, and a right to erase. However, the paper appears to adopt the ACCC's view as to the burden of implementing more onerous obligations to destroy information (outside of a right to erasure): no specific questions are asked of respondents about whether the current obligation to destroy information should be further enhanced. Instead, the questions are limited to whether a right to erasure should be implemented, the features of such a right, and the potential impact on organisations.

Whilst the Issues Paper acknowledges that a right to erasure should be subject to legal obligations to retain information, there may not be a full appreciation (at least amongst consumers) of the scope and complexity of Australian laws which require information to be retained, particularly in sectors that are heavily regulated. Any implementation is likely to require further guidance from regulators as to what types of information fall within what can be fairly broad legal retention requirements to prevent any accidental breach (of any new right to erase or existing retention requirement).

3 - Regulation and enforcement

Direct right of action and tortious claims for invasion of privacy

The Government supported the DPI Final Report's recommendation to introduce a right for individuals to bring actions and class actions against organisations to seek compensatory damages as well as aggravated and exemplary damages.

Direct right of action

The Issues Paper considers a number of options for the direct right of action, as well as the need to balance giving individuals greater control over their information and incentivising organisational compliance, with the need to ensure court resources are appropriately directed and not overwhelmed by trivial breaches. These options include:

  • limiting the right to serious breaches;
  • permitting the Commissioner to be heard in proceedings and provide expert assistance; and/or
  • requiring complaints to go through conciliation by the OAIC or another body (like the Australian Human Rights Commission model), or offering a choice of going through the courts or the OAIC (like the CDR).

Statutory tort of privacy

The Issues Paper also considers implementation of a statutory tort of privacy, following recommendations in the DPI Final Report, ALRC and various state reforms looking at the issue. The ALRC had previously recommended that a statutory tort cover two types of invasion of privacy – intrusion into seclusion and misuse of private information.

However, the Issues Paper notes that the need for a tort of privacy may be negated by recent reform to criminal laws that specifically address serious invasions of privacy such as image-based abuse.

Whilst not definitive, it appears the Issues Paper leans more towards a direct right of action or other mechanism to provide individuals with redress for serious breaches of privacy, rather than introducing a tort for invasion of privacy.

Interaction with other regulatory schemes (domestic and foreign)

The Issues Paper flags a number of overlapping regimes (federal, state and foreign) that seek to protect personal information and the increasing compliance burden on organisations. This includes specific issues that have arisen over time that have warranted stronger privacy protections or specific frameworks, such as the Consumer Data Right, MyHealth or CovidSafe.

Whilst the Issues Paper acknowledges overlap and duplication in state law (and the complexities this may lead to), the Issues Paper appears limited to consideration of harmonisation of privacy protections under federal law. There are certainly a number of areas under federal law which may benefit organisations in rationalisation and improved clarity by removing overlap, eg retention and destruction of TFNs.

Whilst this is a matter of jurisdiction, it is interesting to consider whether there is appetite across state and federal authorities to consider further harmonisation, particularly if the protections under the Privacy Act are strengthened (eg if the employee records exemption is removed). This is particularly pertinent to health organisations that are captured by both the Privacy Act and state-based health laws.

Enforcement

A number of potential areas for reform to assist the OAIC with enforcement have been suggested, building on already announced (but not yet implemented) reforms to increase penalties for breaches of the Privacy Act.

The Issues Paper asks whether the current framework for interferences with privacy is working effectively, and whether additional mechanisms should be available to the Commissioner. In particular, it asks whether the current enforcement approach achieves the 'right balance' between conciliation, investigation and taking punitive action.

Any reforms in this area are likely to require additional funding and resourcing for the OAIC so that it can utilise existing and new mechanisms it has for enforcement under the Privacy Act.

The scope of the review also extends to the Notifiable Data Breach Regime.

Out of scope

The operation of credit reporting provisions under Part IIIA and the CovidSafe App under Part VIIA are out of scope of the review.