
Government proposes major changes to privacy law

By Gavin Smith

In brief

The Federal Government has proposed radically increased financial penalties and new powers for the Office of the Australian Information Commissioner, in the wake of increased scrutiny of social media platforms and a growing consensus that Australia's privacy legislation has fallen behind global norms. The Technology, Media & Telecommunications team reports.

Background

Social media giants are increasingly feeling the heat. Both overseas and in Australia, a mounting regulatory burden is being placed on social media companies that were previously allowed a much freer hand.

This week, the Chairman of the Australian Competition and Consumer Commission (the ACCC), Rod Sims, publicly rejected Facebook CEO Mark Zuckerberg's call for a global approach to social media giants and the protection of personal data. And, in the wake of the live-streaming of the Christchurch terrorist massacre, the Federal Government has rushed to pass legislation creating a criminal offence for social media platforms who fail to remove abhorrent violent material from their platforms.

It isn’t just the social media giants who are under pressure, though. Today, data is a critical asset for a wide range of businesses and is being commercialised in increasingly sophisticated ways. All businesses need to be aware of the rapidly changing regulatory framework. Not only is the law changing quickly, but community expectations have moved ahead of what is strictly required (or permitted) from a legal perspective. Consumers now expect that their most personal information will be handled sensitively and carefully; and significant consumer backlash awaits companies that fail to meet these expectations.

The proposed changes

Although light on detail, the Federal Government is proposing to make the following changes to the Privacy Act 1988 (Cth).

Increased maximum penalties

Maximum penalties for serious or repeated interferences with privacy would be increased, from $2.1 million to the greater of:

  • $10 million; or
  • three times the value of any benefit that was gained by the company through misusing the personal information; or
  • 10 per cent of a company's annual domestic turnover.

Comment

The Office of the Australian Information Commissioner (the OAIC) has not sought a pecuniary penalty under existing privacy legislation.

This proposal picks up the recommendations made by the ACCC in its preliminary report for its digital platforms inquiry (the preliminary report) and would bring the Privacy Act into line with the recently increased pecuniary penalties available under the Australian Consumer Law.

'Turnover'-based fines are becoming increasingly popular, both overseas and in Australia.

  • Under the General Data Protection Regulation (the GDPR), introduced in May last year in the European Union, penalties of the greater of €20 million or 4 per cent of the worldwide annual revenue of the company can be imposed (though, to date, the highest fine that has been given under the GDPR is €50 million against Google).
  • The Federal Government has also this week passed legislation with penalties of up to three years' imprisonment or $2,100,000 for individuals, and $10,500,000 or 10 per cent of annual turnover for a company, for failure to remove abhorrent violent material from a platform.

Infringement notices

There would be new powers for the OAIC to issue infringement notices for failure to cooperate with efforts to resolve minor breaches.

The maximum fines that could be issued under an infringement notice are $63,000 for companies and $12,600 for individuals.

Comment

This provides a simple, administrative remedy, rather than having to go to the Federal Court to seek the imposition of a pecuniary penalty. Infringement notices were, arguably, an omission from the 2014 Privacy Act amendments. The mechanism also mirrors the current powers given to the Australian Communications and Media Authority and the ACCC. The definition and classification of 'minor breach' and a 'failure to co-operate' will likely be subject to considerable debate and scrutiny.

Data breach review, publication and notification powers

There would be new tools available to the OAIC to:

  • ensure privacy breaches are addressed through third-party reviews;
  • publish notices about particular privacy breaches; and
  • advise people who have been directly affected by a privacy breach.

Comment

While the Government has proposed 'third party reviews', the OAIC is currently the only entity with the power to conduct privacy assessments to determine how well an organisation is complying with its privacy obligations.

In its preliminary report, the ACCC proposed the introduction of a third-party certification scheme that would require certain entities (eg those that collect a minimum amount of personal information) to undergo external audits by accredited third parties.

Under the ACCC proposal, companies that have been assessed as complying with their privacy obligations would be granted use of a privacy protection seal or mark. Companies that are not required to be certified could nonetheless 'opt-in' to be able to use the privacy protection seal.

Obligations to cease publishing personal data

There would be a new requirement that social media and online platforms cease publishing or disclosing a person's personal data once this is requested.

Comment

The ACCC recommended that companies be obliged to erase the data of consumers where that person has withdrawn their consent and the personal data is no longer needed for the reasons the information was collected.

The Government proposal currently only refers to ceasing to publish or disclose data.

The ACCC is currently seeking views on whether there should be a general obligation to delete data when an individual stops using a service or after a set period of time.

Protections for vulnerable groups

Specific protections for vulnerable groups, such as children, would be introduced.

Comment

Specific protections for vulnerable groups were not expressly referred to in the preliminary report, but the ACCC recommended consent requirements be strengthened across the board, including ensuring consent is clearly understood and unbundled. At present, it appears the Government is envisioning something narrower than the ACCC proposes.

It will be interesting to see how this could impact operationally, as it is difficult for digital products to verify vulnerability for the purpose of consent without collecting additional information.

Code for social media and online platforms trading in personal information

There would be a new code for social media and online platforms that trade in personal information. The code will require these companies to be more transparent about any data sharing, and will require more specific consent of users when they collect, use and disclose personal information.

Comment

This is consistent with the ACCC's preliminary recommendation number 9 in its preliminary report, which suggested the development of an enforceable code in consultation with digital platforms, to provide greater transparency and control over how personal information is collected. This would allow the development of regulation that is specific to digital platforms, as opposed to the whole economy.

Additional OAIC resourcing

The OAIC would be provided with an additional $25.1 million over three years, to investigate and respond to breaches of individuals’ privacy and oversee the 'online privacy rules'.

Comment

The OAIC was not granted additional resources following the introduction of the Notifiable Data Breaches scheme in February 2018, despite the significant increase in responsibility due to the volume of data breach notifications that it has received since that time.

In addition to the increased funding for the OAIC, it was announced in the Federal Budget that the OAIC would see an increase in staffing from 89 people to 124 people next financial year.

Proposals not yet adopted

Although these proposals adopt a number of significant aspects of the preliminary report, the Government has not yet adopted others. These include the:

  • proposal to strengthen notification and consent requirements; and
  • introduction of a direct right for individuals to bring actions for a breach of their privacy.

We expect that the adoption of these and any other recommendations will be parked until after the ACCC issues its final report on the digital platforms inquiry in June 2019.

What's next?

The Federal Government has just rushed through the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Bill 2019, creating penalties for failing to remove abhorrent violent material online.

The Government has suggested that legislation to enact its proposed Privacy Act amendments will be drafted in the second half of this year, and that it will also incorporate relevant findings of the ACCC's current digital platforms inquiry. Much will depend on the result of the May election.

The OAIC has already welcomed the proposals, and indicated that it will develop guidelines on how it would use the new powers and penalties.

We will report on further developments as they come to hand. In the meantime, please contact us if you would like more information.