2023 is expected to bring significant changes to Australian privacy laws.
Australian Attorney-General Mark Dreyfus announced on December 20, 2022 that a review of the Privacy Act, commissioned under the previous government, has been completed and a final report has been received by his department.
The review, which examined whether current laws effectively protect personal information, found that Australia’s privacy laws are “out of date and not fit-for-purpose in our digital age.” Mr. Dreyfus hinted that 2023 will see an “overhaul” of the Privacy Act.
Potential changes from the new privacy regime could include broadening the definition of personal information, removing exemptions such as the employee records exemption, and changing requirements for privacy policies and collection notices. Additionally, a fair and reasonable requirement for handling personal information, changes to rules for cross-border flows of data and increasing individual rights such as a right of erasure, a direct right of action, and a tort of privacy are under consideration.
The privacy act review discussion paper released in October 2021 had more than 70 major changes to the Act, which if accepted would see us move to a very high standard of privacy, equal to, or potentially stricter than GDPR, CPRA, etc. Mr Dreyfus has said that there was “extensive feedback” on the discussion paper, including a submission from Digital Balance, but the final report has yet to be made public.
Recent additional changes
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, was passed in November 2022, then fast-tracked after several high-profile data breaches (Optus, Medibank, etc) and received royal assent on 12 December 2022. This Act increases penalties for breaches, allows regulatory action against foreign companies that breach the Privacy Act, and gives the Australian Information Commissioner new powers to investigate and enforce breaches of the Privacy Act. This amendment made three key changes:
- Companies in breach of the Australian Privacy Act now face maximum penalties that are the greater of:
- AUD 50 million;
- Three (3) times the value of the benefit derived by the company from the breach; or
- 30% of the company’s adjusted turnover (if the value of the benefit cannot be derived)
- The Office of the Australian Information Commissioner can require a person or company to provide information or documents and answer questions and has the power to issue infringement notices on those that fail to comply.
- So long as foreign entities carry on business within Australia, they will be within the ambit of the Privacy Act – there will be no longer be a threshold for foreign entities to hold or collect personal information within Australia before the Australian Privacy Act applies to their activities.
A brief history of the Australian Privacy Act
Since its introduction in 1988, the Australian Privacy Act has undergone several changes, including the introduction of the National Privacy Principles in 2000-2001, new registration requirements for certain organizations in 2004, and amendments related to the collection, use, and disclosure of personal information by law enforcement agencies in 2007-2010. In 2014, new privacy obligations were introduced, and in 2017, the Privacy Amendment (Notifiable Data Breaches) Act was passed, expanding the reporting requirements for data breaches. Here is a timeline of some of the key changes to the Australian Privacy Act since its introduction in 1988:
- 1988 – The Australian Parliament passed the Privacy Act 1988 (Privacy Act) at the end of 1988, and it commenced in 1989. It gave effect to Australia’s agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights. It set out 11 Information Privacy Principles for how Australian Government agencies must handle personal information.
- 1991 — The Privacy Amendment Act 1990 came into effect on 24 September 1991 to regulate the handling of consumer credit reports by credit reporting bodies and credit providers (Part IIIA of the Privacy Act).
- 1994 — ACT Government agencies became bound by a version of the Privacy Act through the Australian Capital Territory Government Service (Consequential Provisions) Act 1994.
- 2000 – The Privacy Amendment (Office of the Privacy Commissioner) Act 2000 established the Office of the Privacy Commissioner and separated the Privacy Commissioner from the Human Rights and Equal Opportunity Commission on 1 July 2000.
- 2001 – The Act was amended to include the National Privacy Principles (NPPs), which established a set of rules for private sector organisations to protect personal information.
- 2004 – The Act was amended to include new provisions requiring certain types of organisations, such as credit reporting agencies and telemarketing companies, to register with the Privacy Commissioner.
- 2007-2010 – The Act was amended several times to provide for the collection, use, and disclosure of personal information by criminal intelligence agencies and other law enforcement bodies.
- 2014 – The Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect, which introduced new privacy obligations for organisations, including a requirement for organisations to notify individuals and the Privacy Commissioner of serious data breaches.
- 2018 – The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches scheme for all organisations and agencies with existing personal information security obligations under the Privacy Act.
- 2019 – Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect, which expands the reporting requirement for data breaches to include more organisations, and strengthening the obligations of entities to provide notification to the Commissioner and affected individuals.
- 2021 – Privacy Amendment (Privacy Safeguards) Bill 2021 amends the Privacy Act 1988 to strengthen the regulatory framework for cross-border data flows and strengthens the OAIC’s ability to take enforcement action.
- 2022 – The Privacy Amendment (Consumer Data Right) Act 2020 came into effect which introduced the Consumer Data Right (CDR) which allow consumers to control how their personal data is collected, used and shared with other businesses.
- 2022 – Privacy Amendment (Public Interest) 2020 came into effect which will changes to privacy regulation framework that is targeted to enhance public interest matters in privacy.
- 2022 – The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 came into effect.
Digital Balance will continue to provide updates to changes to Australian privacy legislation as details become available.
To get ready for the upcoming changes in privacy laws, it is important for companies to prepare for a cookie consent mechanism on their websites. If you haven’t already done so, Digital Balance can help you evaluate options from different vendors like our partners Ensighten, OneTrust, Tealium, and others as well as assist you in the implementation process. Additionally, we recommend that you perform a review of your privacy policies. Even though Digital Balance can’t give legal advice, we can evaluate your policies and assess their potential effect on data collection for analytics and marketing purposes.
With the sunsetting of Google’s Universal Analytics (GA3) in June 2023 and the need to implement GA4 as a replacement now is the time to review your data capture, analytics settings, and third-party cookies. You can watch or MD, Richard Taylor with our take on the future of onsite analytics and advertising tracking in 2023 and beyond on this post.
Contact us using this form and a member of our team will be in touch.