Search
Close this search box.
Search
Close this search box.
Search
Close this search box.

Privacy Act Review Report

Digital Balance looks at the impact of the “Privacy Act Review – Report”, recommendations and key proposals

The Australian Privacy Act, which was enacted in 1988, regulates the handling of personal information by Australian Government agencies, businesses, and non-profit organizations. The act is designed to protect the privacy of individuals by requiring organizations to adhere to certain Privacy Principles.

After a lengthy review period, the Australian government has published a 314-page report by the Australian Attorney-General’s Department entitled “Privacy Act Review | Report 2022., which proposes several reforms to the Privacy Act. If accepted, these proposals update the legislation to address emerging privacy risks and improve protections for individuals.

Overview of the Proposed Reforms

The report, released in February 2023, contains 116 recommendations based on 30 “key themes and proposals”.

One of the key changes proposed is the introduction of a new privacy code for social media and other digital platforms. The code would require platforms to be more transparent about how they collect and use data, and would give individuals greater control over their personal information. The review also recommends that the Privacy Commissioner have greater enforcement powers to ensure that companies comply with the code.

Another major proposal is the introduction of a privacy tort, which would give individuals the right to take legal action if their privacy has been breached. This tort would allow people to seek damages if their personal information has been misused, and would give them the ability to sue companies or individuals for privacy violations.

The review also recommends the creation of a new privacy regulator, which would have the power to investigate and enforce privacy laws. The regulator would be able to impose fines and sanctions on companies that breach privacy laws, and would have the power to conduct audits and investigations.

Other proposed changes include requiring companies to conduct privacy impact assessments before launching new products or services, giving individuals the right to request that their personal information be deleted, and making it easier for people to access and correct their personal information held by companies.

Overall, the proposed changes represent a significant overhaul of Australia’s privacy laws and would give individuals greater control over their personal information. However, the changes are still subject to further consultation and are not yet set in stone. Companies operating in Australia will need to closely monitor developments and ensure that they are compliant with any new regulations that are introduced.

Strengthening Privacy Protections

One of the key areas of focus for the proposed reforms is strengthening privacy protections. The reforms aim to achieve this by introducing a new privacy tort, which will provide individuals with a right to seek compensation for serious invasions of privacy. This tort will be modelled on similar laws in other jurisdictions such as the United Kingdom, Canada, and New Zealand.

The proposed reforms also include a requirement for businesses and organizations to conduct privacy impact assessments (PIAs) before commencing any new projects or initiatives that involve the handling of personal information. PIAs will need to be conducted in a transparent and accountable manner, and will be reviewed by the regulator.

Another proposed reform is the introduction of a statutory cause of action for serious breaches of the Privacy Principles. This cause of action will allow individuals to seek compensation for non-economic losses such as humiliation, distress, and loss of reputation. This is intended to provide a greater deterrent against privacy breaches and encourage organizations to take privacy seriously.

Enhancing Consumer Control

The proposed reforms aim to enhance consumer control over their personal information. One of the ways this will be achieved is through the introduction of a new direct right of erasure. This right will enable individuals to request that their personal information be deleted in certain circumstances, such as when the information is no longer needed for the purpose for which it was collected.

The reforms also propose to introduce a new right to data portability. This will enable individuals to request that their personal information be provided to them or transferred to another organization in a machine-readable format. The right to data portability is intended to promote competition and enable individuals to switch providers more easily.

Improving Transparency and Accountability

The proposed reforms aim to improve transparency and accountability by introducing a range of measures that will enhance the visibility of data practices and the obligations of businesses and organizations. One of the key measures is the introduction of a requirement for businesses and organizations to provide more detailed and accessible privacy policies. These policies will need to be written in plain English and be easily accessible to consumers.

Another proposed reform is the introduction of a mandatory data breach notification scheme. This scheme will require businesses and organizations to notify affected individuals and the regulator in the event of a data breach. The notification must be made as soon as practicable and include information about the breach, the type of information involved, and any steps taken to mitigate the risk of harm to individuals.

Strengthening the Powers of the Regulator

The proposed reforms aim to strengthen the powers of the regulator, the Office of the Australian Information Commissioner (OAIC). The OAIC will be given new powers to issue infringement notices for certain breaches of the Privacy Principles. These notices will carry penalties of up to $10 million for businesses and organizations, and $500,000 for individuals.

The reforms also propose to enhance the OAIC’s ability to enforce privacy obligations by introducing a new civil penalty regime. This regime will enable the regulator to seek civil penalties for serious or repeated breaches of the Privacy Principles. The maximum penalty for businesses and organizations will be the greater of $10 million or 3 times the value of any benefit obtained through the breach. For individuals, the maximum penalty will be $1.1 million.

Improving Cross-Border Data Flows

The proposed reforms aim to improve cross-border data flows by introducing a new framework for the handling of personal information by overseas recipients. The framework will require businesses and organizations to take reasonable steps to ensure that overseas recipients comply with the Privacy Principles. This will include undertaking due diligence and obtaining contractual commitments from overseas recipients.

The reforms also propose to introduce a new binding privacy code for social media and online platforms. The code will require these platforms to take proactive measures to protect user privacy and ensure that users are aware of how their personal information is being used. The code will be enforceable by the OAIC.

Impact of the Proposed Reforms

The proposed reforms are significant and will have a significant impact on businesses and organizations that handle personal information. Some of the key impacts include:

  • Increased Compliance Costs: Businesses and organizations will need to invest in new systems and processes to ensure compliance with the proposed reforms. This will include conducting privacy impact assessments, updating privacy policies, and implementing new data portability and erasure processes.

  • Increased Risks of Enforcement Action: The proposed reforms give the regulator new powers to issue infringement notices and seek civil penalties for serious or repeated breaches of the Privacy Principles. Businesses and organizations that fail to comply with the new obligations are likely to face enforcement action.

  • Increased Consumer Control: The proposed reforms give individuals new rights to data portability and erasure. This will enable individuals to have greater control over their personal information and make it easier for them to switch providers.

  • Increased Transparency and Accountability: The proposed reforms introduce a range of measures that will enhance the visibility of data practices and the obligations of businesses and organizations. This will help to build trust with consumers and improve the overall transparency of the data handling process.

The proposed reforms to the Australian Privacy Act have been met with concerns from some businesses who are worried about the potential cost implications. According to an article in The Australian Financial Review, large businesses could face bills of up to “$2,200 per customer” to implement the proposed reforms. This figure is taken from a US study by Gartner pricing each request to delete a customer’s data at $US1,524 ($2,206).

The report notes that businesses will need to invest in new systems and processes to ensure compliance with the new obligations, which could be costly. This includes conducting privacy impact assessments, updating privacy policies, and implementing new data portability and erasure processes. Simon Bush, the chief executive of the Australian Information Industry Association, said a right to erasure would “require significant technical challenges on industry”.

However, while there may be concerns about the costs of implementing the reforms, there is also the potential for significant benefits. The proposed reforms aim to enhance privacy protections, increase consumer control, improve transparency and accountability, and strengthen the powers of the regulator. This could help businesses to build greater trust with consumers and improve the overall transparency of the data handling process.

The report also suggests that the proposed reforms may lead to a shift in the balance of power between businesses and consumers, with individuals having greater control over their personal information. The article quotes Jon Lawrence, Executive Officer of digital rights advocacy group, Electronic Frontiers Australia, who states that “the proposed reforms are designed to ensure that individuals have greater control over their data and how it is used, and that businesses are more transparent about their data practices.”

Proposals to keep an eye on:

  • Changes to the definition of personal information:
    Proposals 4.1 – 4.4 relate to the definition of personal information. The report suggests replacing the word “about” with “relates to” in the definition of personal information. This modification would result in a more inclusive definition, allowing for a broader range of information to be included. The proposed alteration would also align the definition with other Commonwealth legislation regulating privacy information, such as the Competition and Consumer Act 2010 and the Telecommunications (Interception and Access) Act 1979, which use the term “relating to.” The GDPR’s definition of ‘personal data’ also employs similar language. The report also proposes that inferred or generated information be regarded as ‘collected’ as per the Privacy Act’s meaning. The implications of this proposal will be significant for the AI industry.

  • Obligations concerning de-identified information:
    The Report recommends additional obligations concerning de-identified information in Proposal 4.5 with the suggestion of expanding the scope of Australian Privacy Principle (APP) 11.1 (obligations to protect de-identified information from unauthorised access or interference) and APP 8 (obligation to take steps reasonable in the circumstances to ensure overseas recipients do not breach the APPs) to apply to de-identified datasets. The Report suggests prohibiting APP entities from re-identifying de-identified information obtained from third parties and introducing a new criminal offence for “malicious” re-identification intended to cause harm or gain an illegitimate benefit. These proposals may have implications for organizations that utilize anonymization and de-identification for data analytics, including those in the AI industry.

  • Definitions of sensitive information:
    Proposals 4.7 – 4.9 cover the definition of sensitive information, expanding the definition to include genetic, genomic and biometric information in specific circumstances – it is considered personal information in all other cases. The proposal also covers the need for consent when collection, use, and disclosure of precise geolocation data that is collected and stored with a reference to a specific individual over time.

  • An updated definition of consent:
    Proposal 11 suggests an updated definition of consent, which must be voluntary, informed, current, specific, and unambiguous. This aligns with the current standard of consent set out in the existing APP Guidelines. However, the report does not propose changes to the circumstances in which an APP entity must seek consent, and it emphasizes that implied consent may still be relied upon as long as it is unambiguous. Additionally, the report recommends that the OAIC create guidelines for designing consent requests for online services, which could necessitate a significant user experience redesign for many such services.

  • The need to act fairly and reasonably:
    According to Proposal 12, it will be mandatory to act fairly and reasonably while collecting, using, and sharing personal information. The report emphasizes that this requirement will be assessed objectively and will remain in effect irrespective of any given consent. As a result, consent-seeking techniques such as tick boxes and privacy policies will not excuse inappropriate data handling. The report provides a list of criteria to consider when determining whether the collection, use, or disclosure of personal information is just and reasonable, which is a wide-ranging fairness concept that aligns with the ACCC’s push for a general ban on unfair trade practices during the fifth Digital Platform Services Inquiry.

  • Mandatory Privacy Impact Assessments (PIAs):
    Proposal 13 is focused on mandatory assessments for activities that pose a high privacy risk. The proposed definition of “high privacy risk activity” includes activities that are likely to significantly affect individuals’ privacy. To comply with this proposal, APP entities must assess potential privacy impacts, determine if the impacts are proportionate, and may need to mitigate them. To assist APP entities in understanding when a PIA is required, the OAIC will publish guidance that identifies factors that may indicate a high-risk activity.

  • Additional protections for children and vulnerable persons:
    Proposals 16 and 17 cover the codification of existing OAIC guidance on consent and capacity is proposed, along with the requirement for entities to ensure that collection notices and privacy policies are clear and understandable. The fair and reasonable test would also take into account the best interests of the child. Furthermore, a Children’s Online Privacy Code would be developed for services catering to children, similar to the UK’s Age Appropriate Design Code. The fair and reasonable test would also consider the significant impact on vulnerable persons, requiring a Privacy Impact Assessment. These proposals may require organizations to adopt different data-handling practices based on their customer base.

  • Right of erasure: Proposal 18.3 recommends the introduction of a right of erasure that will allow individuals to request the deletion of their personal information held by APP entities. This right will extend the obligation of entities to delete personal information once it is no longer necessary, and individuals will have the ability to exercise this right for any category of personal information. Additionally, the Report proposes a right of de-indexation, which is a reversal of the Discussion Paper’s rejection of the idea. This right will enable individuals to request that search engines de-index online search results that are excessive in volume, inaccurate, out of date, incomplete, irrelevant, or misleading. Furthermore, search engines will be required to de-index sensitive information and information about minors. Importantly, the Report suggests that these rights should be subject to exceptions, including competing public interests, legal requirements, technical infeasibility, and abuse of process.

  • The use of personal information in automated decision-making:
    Proposal 19 concerns the regulation of personal information used in automated decision-making. The Report proposes greater transparency around the use of personal information in “substantially” automated decisions that have a legal or similarly significant impact on an individual’s rights. Privacy policies will need to disclose the use of personal information for this type of automated decision-making, as well as the specific personal information used. Additionally, individuals will have the right to request information about how these automated decisions are made. These proposals will apply to a wider range of substantially automated decision-making than Article 22 of the GDPR, which is limited to solely automated decisions that have a legal or similarly significant impact on individual rights.

  • Stricter rules around targeted advertising:
    Proposal 20 suggests using personal information, de-identified information, or unidentified information, such as internet tracking history, for targeted advertising and content to children should be prohibited, as well as using sensitive information for targeted advertising and content to anyone. Additionally, individuals should have the right to opt out of receiving targeted advertising and content, and any permitted targeting should be fair and reasonable, with transparency requirements about the use of algorithms and profiling to recommend content to individuals. These proposals are inspired by the regulation introduced by the European Commission last year under the Digital Services Act.

  • Introduction of the concept of processors and controllers:
    Proposal 22 in the Report suggests introducing the concept of processors and controllers in Australian law, which aligns it with other jurisdictions such as the GDPR. This proposal aims to reduce compliance obligations for processors who act on the instructions of a controller under the Privacy Act. Many businesses are likely to welcome this proposal since they face difficulties implementing some of the existing APPs without direct contact with individuals. According to the report, processors would only need to comply with APP 1 (open and transparent management of personal information), APP 11 (security of personal information), and the notifiable data breach scheme. However, processors would only have to notify the OAIC and the controller, not the affected individuals.

  • Greater enforcement power and penalties:
    Proposal 25 introduces measures to enhance the enforcement of the Privacy Act in building on the enhanced penalties and expanded OAIC powers enacted in December 2022. The proposal recommends introducing new civil penalties and expanding the OAIC’s powers concerning investigations, public inquiries, and determinations. The Report also suggests amending section 13G of the Privacy Act to provide more guidance on what constitutes a “serious interference” with privacy. The criteria for such interference have been broadened to include interferences involving sensitive information or other sensitive data, adverse impacts on large groups of individuals, and failures to take appropriate measures to safeguard personal information. This is significant because, in conjunction with the December 2022 amendments, amended section 13G may now carry a maximum penalty of $50 million or more.

  • Direct right of action to enforce privacy rights:
    Proposal 26 introduces a direct right of action to enforce privacy rights. Individuals who have suffered loss or damage due to an infringement of their privacy would have the ability to seek compensation in the Federal Court or the Federal Circuit Court, as per the proposed change. It’s important to note that this direct right of action would not replace the existing complaints process, and individuals must first file a complaint with the OAIC before taking legal action. Additionally, representative groups will also be permitted to seek compensation on behalf of affected individuals.

  • Statutory tort of privacy:
    Proposal 27 recommends the introduction of a statutory tort for intentional or reckless serious invasions of privacy. Notably, the invasion of privacy does not need to cause actual damage, and individuals can claim damages for emotional distress. The Report proposes that the OAIC should be able to intervene in proceedings with leave of the court as amicus curiae for both the direct right of action under the Privacy Act and the tort for invasion of privacy. This proposal was suggested in the Australian Law Reform Commission’s 2014 Report ‘Serious Invasions of Privacy in the Digital Era’ and the ACCC’s 2019 ‘Digital Platforms Inquiry – Final Report,’ but has yet to be enacted into law.

  • A shorter timeframe for notifiable Data Breaches:
    Proposal 28 suggests a shorter timeframe for Notifiable Data Breaches. The Report recommends that eligible data breaches should be reported to the OAIC within 72 hours of becoming aware of reasonable grounds to believe that a breach has occurred. Notification to affected individuals should also be made “as soon as practicable.” Currently, if an entity suspects a data breach, it has a 30-day period to assess the situation. The Report further proposes that any statement issued to the OAIC or impacted individuals regarding a data breach should include the actions that the entity has taken or plans to take in response. The proposed changes would align Australia’s notification regime with the GDPR and increase transparency and accountability around data breaches.

Conclusion

The proposed reforms to the Australian Privacy Act are significant and will have a significant impact on businesses and organizations that handle personal information. The reforms aim to enhance privacy protections, increase consumer control, improve transparency and accountability, strengthen the powers of the regulator, and improve cross-border data flows. While the reforms are likely to increase compliance costs and the risks of enforcement action, they will also enable businesses and organizations to build greater trust with consumers and improve the overall transparency of the data-handling process.

Steps you can take now

As more information becomes available regarding the privacy legislation in Australia, Digital Balance will keep providing updates.

To ensure compliance with the upcoming changes in privacy laws, it is essential for companies to prepare a consent mechanism on their websites. If you haven’t done this yet, Digital Balance can assist you in exploring options from our partners such as Ensighten, OneTrust, Tealium, and other vendors, and help you with the implementation process.

Moreover, we suggest that you conduct a review of your existing data collection methods and privacy policies. While we cannot provide legal advice, we can assess the potential impact of your policies on data collection for analytics and marketing purposes. Contact us and a member of our team will be in touch.

The content and advice contained in this post may be out of date. Last updated on February 23, 2023.

Contact us

to discuss a range of services and support to suit your business needs and goals.

* Required field

Latest Blog Posts

VWO Test

Chief Marking Officers are in a perpetual balancing act demonstrating ROI from marketing activities under the scrutiny of the Chief Financial Officer

Read More »

Need Some Help?

We can work onsite or remotely with you and your team to provide capacity uplift or ongoing support as you need.

Need additional MarTech resources to supplement your team for special projects or to provide given expertise?

Data quality and integrity is key to any data strategy. We undertake audits and health checks that can give you peace of mind.

If you know your data could be working harder, but you’re not sure where to start, we can help.

We can help you build dynamic dashboards based on important metrics to fully inform the business.

Is it a CDP or a DMP that is right for your organisation? Let us help you work through the pros and cons.

Let us show you how to bring your online and offline data together to create a best picture of your customers.

Free assessments

Data Trust

This five-minute checkup will help assess trust in your marketing data.
Complete The Assessment

First-Party Data Proficiency Index

This five-minute checkup will help assess your first-party data strategy.
Complete The Assessment

Privacy Maturity Assessment

This five-minute checkup will help assess your privacy preparedness.
Complete The Assessment

Martech Talks: The Four Stages Of Attribution Excellence

This webinar was recorded in April 2024.

Download the full 2024 Digital Experience Benchmarks report from Contentsquare.

Note that the information contained in this presentation should not be taken as legal advice. Digital Balance and its partners recommend that you undertake your own legal investigation.

Martech Talks: The Four Stages Of Attribution Excellence

This webinar was recorded in October 2023.

Note that the information contained in this presentation should not be taken as legal advice. Digital Balance and its partners recommend that you undertake your own legal investigation.

Martech Talks: Privacy and Data Governance

This webinar was recorded in August 2023.

Note that the information contained in this presentation should not be taken as legal advice. Digital Balance and its partners recommend that you undertake your own legal investigation.

Martech Talks: Privacy Changes and Data Security

This webinar was recorded in July 2023.

 

Note that the information contained in this presentation should not be taken as legal advice. Digital Balance and its partners recommend that you undertake your own legal investigation.