Federal Government signals broad support for significant Privacy Act reforms

By David Rountree, Isabelle Guyot, Florence Tan, Jake Boudsocq, Lucy Sheppard
Cyber Data & Privacy General Counsel Government Technology, Media & Telecommunications

Be ready for the biggest overhaul of privacy laws since 2014 12 min read

The Federal Government has agreed or agreed in-principle with the majority of the proposals outlined in the Privacy Act Review Report.

The first tranche of reforms, largely covering items that are easier to implement, is expected in 2024, while more significant and material changes are subject to further consultation (and a delayed timetable). Business will need to continue waiting for clarity on these long-anticipated reforms. However, organisations can take some steps now to get ahead of the implementation requirements and likely changes, for what is set to be the most significant overhaul of Australian privacy laws since 2014.

Overview: broad support but further work to do

The Government, through the Attorney General's Department, has released its response (the Response) to the 116 proposals set out in the Privacy Act Review Report (the Report) and committed to introducing legislative reform in 2024. It has 'agreed' or 'agreed in-principle' with the majority of the 116 proposals outlined in the Report, sending a clear message that stronger privacy protections for individuals need to be developed.

In practice, this means that the Government will likely implement privacy reforms in tranches, focusing initially on the items it has indicated it 'agrees to' (38 proposals), while conducting further engagement and impact assessments on the 'agreed in-principle' items (68 proposals).

The approach indicates the Government is continuing to take a reasonably cautious approach to implementation, and that the clarity anticipated from the Government's response will still be a while away. Given the review first arose from a recommendation in the ACCC's 2019 Digital Platforms Inquiry Final Report, this reform pace may frustrate those looking to guide future business and operational decisions. There are, however, a number of activities that clients can commence now in order to get a head start on assessing the likely implications for their operations and risks.

This Insight is separated into two sections:

  • Key actions: A list of practical steps organisations can take now to prepare while we await further detail on legislative reform and further consultation.
  • Summary of key responses: We break down each of the key areas of the Government's responses.

Key actions: what can organisations do now while we await further detail?

  • Much of the detail of legislative reform remains to be seen and will be subject to further consideration and consultation.
  • The first tranche of legislative reforms will likely be in 2024.
  • There are steps organisations can take now to be prepared for when the upcoming privacy reforms land. Many of the overarching objectives of the Privacy Act reforms can be managed through implementing more robust data governance processes and controls.
Actions Details
Know your existing privacy documentation suite (Proposals 10.1-10.3 and 21.8)

Understanding your privacy documentation suite (both external-facing collection notices and privacy policies and internal-facing policies and guidelines) and confirming it reflects your organisation's current data handling practices will be fundamental to grappling with the reforms. This includes ensuring you understand what your collection touchpoints are and what representations, notices or consents you are making or receiving.

Undertaking this work now will mean being best placed to manage the expected higher regulatory burden for dealing with personal information.
Evaluate your data governance frameworks managing the collection and use of information (Proposals 13.1 and 15.1)

The proposed requirement to determine and record purposes for collection of personal information at the time of collection will add an operational requirement, as well as provide a limit or restraint on future use outside of those purposes. In both cases, this will require more robust data governance frameworks.

Consider any material gaps in your data governance processes (eg whether you have the capability to document the purposes for which you collect information and update them over time as use cases evolve), and assess implementing uplifts.
Understand your consent frameworks (Proposals 11.1–11.4) Identify what use cases are reliant on individual consent and consider whether reliance on a higher standard of consent proposed by the reforms will be feasible for those use cases on a go-forward basis. If not, are there changes to business processes or operational practices required to prepare for a higher consent standard?
Identify usage of technical data not currently captured in privacy frameworks (Proposals 4.5-4.6) Determine whether organisational practices are heavily reliant on technical data like IP addresses and, potentially, de-identified data, and consider whether these need to be treated in line with privacy frameworks if they are not already.
Implement governance over automated decision-making processes (Proposals 19.1-19.3)

Governance frameworks and transparency over personal information in automated decision-making is likely to be critical following the reforms. Organisations should assess any uses of personal information in automated decision-making activities and implement appropriate governance arrangements. This can include engaging with your stakeholders, including technical experts, to:

  • identify personal information used in making automated decisions; and
  • ensure the organisation is able to provide some transparency over how automated decisions are made.
Prepare for operational impact of individual rights, including on systems/ procurement (Proposals 18.1-18.10 and 26.1)

The experience of the EU General Data Protection Regulation (the GDPR) has shown that actually managing the exercise of individuals' rights can have a significant operational or cost impact. Organisations will require systems and processes to be in place to enable them to respond to the tranche of new proposed individual rights, and decisions made now may impact the ability to do so.

The capability to manage the new proposed individual rights (such as rights of erasure) should be kept front of mind when procuring, reviewing or implementing systems. Investment decisions and technology roadmaps should keep these potential changes front of mind, particularly in consumer-facing businesses.  
Review or implement data retention and destruction frameworks (Proposals 21.6-21.8) Data retention and destruction is already a key risk for businesses, and the proposed changes to the Privacy Act will further cement this. Acting now to begin the work to establish a robust data retention and destruction standard that can be operationalised across your business will stand you in good stead. For information about setting up a data retention program, see our Insight here
Implement PIAs for high-risk activities (Proposals 13.1-13.2) Undertaking a privacy impact assessment (PIA) for high-risk data activities is already best practice, and implementing these processes now will ensure that your organisation can establish clear expectations and governance processes over high privacy risk activities.

Commentary on the Government's responses to key proposals

Widening the scope of personal information

The Government has 'agreed in-principle' to clarify the scope of personal information with a non-exhaustive list (Proposal 4.1). This would likely include technical (eg IP addresses) and inferred information. This was expected and is increasingly a matter of accepted practice.

The Government has also clarified its view that an individual's identity does not need to be known if an individual is able to be distinguished from all others. It flagged that this would be clarified through updates to the definition of 'personal information' and/or additional Office of the Australian Information Commissioner (OAIC) guidance, and could have a flow-on effect for targeting activity based on anonymous information. For example, the Report discussed the concept of 'individuation', which refers to the singling out of an individual from a group despite not knowing their name or personal details. Practically, this is most readily observed in the case of website publishers or advertising businesses that use persistent cookies and other unique identifiers to isolate individuals and target them to receive tailored information based on their cyber activities. This may have a material impact on digital advertising models, and should be an area that is watched closely.

The Government has also 'agreed in-principle' to amend the definition of 'de-identified' to make clear that de-identification is not a static condition but an ongoing process, requiring the process of de-identifying personal information to be considered in context, having regard to the relative risk of de-identification in each case (Proposals 4.4 and 4.5).

Consultation regarding removal of the small business exemption

The Government has 'agreed in-principle' to remove the small business exemption, which would mean that businesses with an annual turnover of less than $3 million would become subject to the Act (Proposal 6.1). This reflects the Government's recognition that privacy issues impact all businesses in today's digital environment and members of the public have a reasonable expectation that personal information they provide to businesses, of any size, will be kept secure.

This proposal is subject to further consultation with small businesses in order to understand the impact of the removal of this exemption on them, and what further legislative reforms can be implemented to support small business to comply with their obligations having regard to the different risk profiles attaching to different businesses' information handling acts and practices. If implemented, the Government has stated that this proposal will be subject to an appropriate transition period to ensure small businesses are in a position to comply with new obligations.

Review and consideration of enhancing privacy protections for employee records

Employee records of current or former private sector employees are currently exempt from the Privacy Act, having been regulated instead through workplace relations laws. The Government has 'agreed in-principle' that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections for such employees can be implemented within the Privacy Act. Such consultation will also need to consider how privacy and workplace relations laws should interact.

It is unclear at this stage what form these protections will take, including whether future legislative reforms will bring about a removal or modification of the exemption, and to what extent existing workplace relations laws will also be enhanced to address the matters identified in the Report.

Shoring up consent, collection, use and disclosure practices

The Government has 'agreed in-principle' to:

  • Introduce a new 'fair and reasonable in the circumstances test' to the collection, use and disclosure of personal information (Proposal 12.1-12.3). The test is expected to balance an organisation's own interests against those of the individual and the general public. It remains to be seen whether the test will be similar to the legitimate interest test in the GDPR.
  • Require that organisations determine and record the primary and secondary purposes for collecting, using and disclosing personal information at or before each collection (Proposal 15.1). This will likely result in significant complexity for organisations, both in operationalising and documenting these assessments, and ensuring these assessments are regularly re-evaluated as data use cases evolve. It could also mean that new use purposes not previously contemplated will only be able to be implemented by consent.
  • Clarify 'consent' to be 'voluntary, informed, current, specific and unambiguous' (Proposals 11.1-11.4). This will codify existing OAIC guidance on consent and the Response indicates that the Government expects that, with this higher standard, reliance on consent will be reserved for high-risk privacy situations. It's not yet clear how this view will be reconciled with the potential implication of the proposal immediately above, which could mean that new use purposes not contemplated at the time of collection will only be able to be implemented by consent. In addition, individuals will have an express ability to withdraw consent in an easily accessible manner. This could have a material impact on the structure of current consent processes.
Transparency when using automated decision-making

The Government has 'agreed' to the following enhanced protections for automated decision-making:

  • a requirement for greater disclosure of the use of personal information in automated decision-making activities in privacy policies by including the types of personal information that will be used to make legal decisions or decisions with a similarly significant effect on an individual's rights (Proposal 19.1);
  • the inclusion of high-level indicators of the types of decisions with a legal or similarly significant effect on an individual's rights in the Privacy Act (Proposal 19.2); and
  • a right for individuals to request meaningful information about how automated decisions with a legal or similarly significant effect are made (Proposal 19.3).

These proposals are not surprising, given the significant focus on the impact of artificial intelligence (AI), as well as the broader consultation on AI risks, and are a reasonably targeted means to implement AI-focused reform. However, these proposals are likely to have a broad impact across industry, with banking and finance, education, healthcare and government services specifically called out in the Response. The key challenge for organisations will be whether the process of automated decision-making is actually discernible, and heightens the focus for AI governance.

Enhancing individual rights

The Government has 'agreed in-principle' to:

  • The introduction of new individual rights that would enable individuals to:
    • request the erasure of their personal information (Proposal 18.3);
    • challenge the collection, use and disclosure of their personal information (Proposal 18.2); and
    • request the de-indexing of internet search results containing their personal information (Proposal 18.5).

    Ensuring individuals can exercise these rights will likely require organisations to invest in systems and processes to ensure they can facilitate compliance and respond to individual requests in a timely manner.

  • A new direct right of action for individuals. Individuals (including a group) who have suffered loss or damage as a result of an interference of privacy would be allowed to directly claim against entities, providing a more direct pathway to compensation under the Privacy Act (Proposal 26.1). This paves a clear road for more class actions. In addition, the Government has agreed in-principle to the long-discussed introduction of a statutory tort for serious invasions of privacy that could cover conduct outside the scope of the Privacy Act.
Specific regulations for direct marketing, targeted marketing and data trading

The Government 'agreed in-principle' that:

  • individuals should have an unqualified right to opt out of their information being used or disclosed for direct marketing purposes (Proposal 20.2); and
  • entities using targeted advertising should be subject to greater transparency about the use of targeting systems, including information about the use of algorithms and profiling (Proposal 20.2).

Importantly, the Government appears to have acknowledged some of the flaws in the proposal to provide a right to opt out of all 'targeted' advertising. This is a welcome development, as the definition of 'targeting' in the Report is broad and an ability to opt out of this type of marketing may have significant flow-on effects for existing online advertising activity and business models. However, how this will work in practice will likely be significantly entwined with the proposals on the scope of personal information, including the proposal that personal information should include where a person can be identified if they are able to be individually separated (even on an anonymous basis). This change may result in a practically similar outcome.

Specific protections for children

The Government has 'agreed' to developing a Children's Online Privacy Code. This involves a code for online services 'likely to be accessed by children' (Proposal 16.5). This code development will likely commence shortly, which will require further consultation, along with the other proposals directed to children's privacy and protection. A 'child' would be defined as being under the age of 18 – a higher threshold than other jurisdictions (eg GDPR provides additional protections for children under 16 – although this can be lowered by member states to 13) (Proposals 16.1 and 16.2).

Clarifying data security and data retention requirements

The Government has:

  • 'Agreed' to developing greater clarity on what ‘reasonable steps’ involve for securing personal information. This contemplates enhanced OAIC guidance on what 'reasonable steps' are – a development likely to be welcomed by many businesses (Proposals 21.1 and 21.3).
  • 'Agreed in-principle' to a requirement to establish, disclose and periodically review retention periods for personal information. Entities must proactively establish and publish their own maximum and minimum retention periods in relation to personal information. While we know data retention has been top of mind across industry in the wake of recent major data breaches, the requirement to publish these periods means it is imperative that organisations establish a robust data retention standard that can be operationalised and review that standard periodically for currency. Given the fragmented nature of current statutory data retention requirements, this will require significant investment by organisations. The Government's agreement to review legislative retention requirements indicates we are moving closer towards some much-needed streamlining of existing data retention regulation (Proposals 21.6–21.7).
Data breach notifications and enhanced information sharing

The Government has:

  • 'Agreed in-principle' to a 72-hour notification requirement in the event of an eligible data breach, aligning the Notifiable Data Breaches scheme under the Privacy Act with other similar regimes under the Security of Critical Infrastructure Act 2018 (Cth) and APRA Prudential Standard CPS 234 (Proposal 28.2).
  • 'Agreed' to enhanced information sharing to mitigate the impacts of a data breach by empowering the Attorney-General to permit limited sharing of information between entities to lessen the risk of harm to individuals following a data breach. This would likely include permitted disclosure to both government bodies and industry (Proposal 28.4).

These were expected developments and, once enacted, will require organisations to hone their incident response processes and enable them to coordinate efficiently with third parties as permitted in the circumstances.

Engaging with third parties and disclosing personal information overseas

The Government has:

  • 'agreed' to ease the means by which personal information can be disclosed overseas by prescribing certain countries and certification schemes as providing substantially similar protection to the Australian Privacy Principles (Proposal 23.2); and
  • 'agreed in principle' to introducing standard contractual clauses (potentially designed to be interoperable with the GDPR) (Proposal 23.3).

These proposals would simplify how organisations contract with overseas entities. Many Australian organisations that operate cross-border entities would already be familiar with these types of concepts and frameworks through their existing arrangements with offshore parties.

Enhanced enforcement: new civil penalty provisions

The Government has 'agreed' to introduce a new 'mid-tier penalty' for interferences with privacy that are not otherwise serious, and a 'low level' penalty for specific administrative breaches (Proposal 25.1). The low level penalty will be dealt with by infringement notices; a new concept in compliance with Australian privacy law that expands on the Commissioner's power to issue infringement notices for failure to comply with a production notice (as introduced in December 2022). This will greatly ease the regulatory process of enforcement, and we consider it is likely to become a key part of the regulatory arsenal.

Next steps

The Government has committed to introducing legislation in 2024.

Some notable proposals that the Government has reserved its position on subject to further consultation and/or consideration are the scope of the extraterritorial application of the Privacy Act (Proposal 23.1) and the introduction of a criminal offence for malicious re-identification of de-identified personal information (Proposal 4.7). We anticipate that further developments in these areas will have broad-ranging impacts for business across sectors.

In the interim, we expect stakeholder consultation to continue as the Government seeks to refine legislative drafting, cement its position on various proposals it has agreed to in-principle, and evaluate the remaining proposals it has left on the table.

While many of the more significant changes to organisational processes and procedures will need to wait until we have greater detail on how these proposals will be enacted, organisations can take steps to ensure they maintain good data governance today and identify what enhanced operational and organisational capabilities may be needed once privacy reforms are in force.