Australian privacy law reforms – how will they impact you?

Wednesday 3 May 2023

Katarina Klaric

Stephens Lawyers & Consultants, Melbourne

katarina.klaric@stephens.com.au


Introduction

Major reforms are proposed to Australian privacy and data protection laws to align the laws with global standards[1] and enhance protection with the removal of the current small business, media and political party exemptions for compliance with privacy laws. Individuals are also to be given a direct right to apply to the court for relief where there has been a privacy interference. Expanded investigative powers are also proposed for the privacy regulator, the Office of the Australian Information Commissioner (OAIC), to investigate and prosecute businesses for privacy and data breaches.

The proposed reforms are largely modelled on the leading standards set by the European Union and the United Kingdom data protection and privacy laws.[2] They are designed to provide greater transparency and accountability in relation to the collection, use, disclosure, storage and security of data in the digital economy. The proposed changes are intended to enhance cross-border data flows between Australia and its trading partners, benefiting Australian businesses and the economy.[3]

The proposed reforms follow recent major data breaches involving personal information of customers of Optus, Medibank and Latitude Finance, which have exposed millions of Australians to privacy risks or harm including identity fraud, scams, reputational damage and blackmail.

Businesses will have to start planning for the privacy law changes which are likely to be implemented within the next 12 to 18 months. This update provides an overview of the key proposed reforms and includes some steps businesses can take to get ready for the changes.

With the recent increase in penalties for repeated or serious privacy breaches – from AUD 2.22m to the greater of either AUD 50m or three times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period – businesses cannot afford to be complacent about privacy compliance.[4]

Key reform proposals

The key reforms proposed to Australia’s privacy law in the Privacy Act Review Report 2022 include:

  1. Clarification of the type of ‘personal information’ that is protected with the definition to be an expansive concept which includes technical and inferred information such as IP addresses and device identifiers, where it relates to an identifiable individual.[5]
  2. ‘Geolocation tracking data’ is to be specifically defined as ‘personal information’ where the data shows the individual’s precise geolocation and is collected by reference to a particular individual at a particular place and time and tracked over time. Businesses involved in the practice of the collection and use of geolocation tracking data will require the individual’s consent to collect and use such data.[6]
  3. The removal of the current small business exemption from compliance with the privacy laws, after impact analysis and consultation with small business to determine the best way of small business to meet privacy obligations under the Privacy Act, without being overly burdened and proportionate to the privacy risks involved.[7] At present, subject to a number of exceptions, small businesses are exempt from compliance with the Australia privacy laws where their annual turnover is AUD 3m or less.
  4. With the introduction of the concept of ‘controllers’ and ‘processors’ of information into Australian privacy law, small businesses which are involved in the processing of information on behalf of controllers will be brought into the scope of the Privacy Act in relation to its handling of personal information for a controller entity. Further consultation with small business and impact analysis is proposed to understand the impact that this change will have on small business information processors.[8]
  5. In the short term, small businesses which collect biometric information from the use of face recognition technology or obtain consent to trade in personal information will no longer be exempt from compliance with the privacy laws.[9]
  6. Privacy protection will be extended to employee records of private sector organisations, providing greater transparency to employees regarding their personal and sensitive information that is collected and used by their employer and how this is protected.[10] Further consultation will be undertaken with employer and employee representatives in respect of the implementation of the reforms having regard to the interaction between privacy and workplace relation law.
  7. Individuals will be provided with additional protection against their personal information being used for direct marketing and targeted advertising. Individuals will have an unqualified right to opt-out of their personal information being used for direct marketing and an unqualified right to opt-out of receiving targeted advertising. Businesses will have to obtain an individual’s consent to trade in their personal information.[11]
  8. Modelled on the General Data Protection Regulation (GDPR), individuals will have the right to object to collection, use and disclosure of personal information, the right to erasure of any of their personal information and a right to de-index on-line search results containing personal information. Individuals will also have the right to request that certain information is quarantined rather than erased. Exceptions will apply to these rights – which will allow businesses to refuse requests where there are countervailing public interests, other legal or contractual rights or where it would be technically impossible or unreasonable and frivolous or vexatious to comply with the request.[12]
  9. With the increased use of AI technologies in decision making processes, organisations will have to include information in privacy policies about the use of personal information in substantially automated decisions which have a legal or similarly significant effect on the individual’s rights. This proposal is part of broader reforms being considered to regulate AI and automated decision making (ADM).[13]
  10. Entities will have to undertake Privacy Impact Assessments before implementing any technology and/or commencement of any activities that will have high privacy risks. Businesses will have to produce the Privacy Impact Assessment to the privacy regulator, the Office of the Australian Information Commissioner (OAIC) on request. The OAIC will be required to provide guidance as to ‘high privacy risk’ technologies and activities including factors to be considered by entities in assessing whether a high-risk practice is involved.[14]
  11. Businesses will be required to establish their own minimum and maximum data retention periods in relation to personal information that they are holding, which take into account the type, sensitivity, the purpose for which the information is held, the entity’s organisational needs and data retention obligations under other laws. Businesses will also have to review their data retention policies on a regular basis.[15]

        Businesses will still be required to destroy or de-identify personal information that they no longer need and which is not required to be retained by other legal frameworks. Recent privacy breaches indicate that organisations are holding a vast amount of data well beyond its ‘use by date’. By not destroying or de-identifying data they no longer require or are legally required to retain, businesses are at risk of privacy breaches.

  1. The Notifiable Data Breach scheme under the Privacy Act is to be enhanced, with additional reporting requirements and specific timeframes for reporting data breaches. Businesses will be required to report data breaches to the regulator, the OAIC, within 72 hours of becoming aware of the data breach.[16]

        Under the existing Notifiable Data Breach scheme, businesses which have reasonable grounds to believe that there has been a reportable breach must notify the OAIC and affected individuals ‘as soon as practicable’.[17] Businesses are also required to conduct an assessment to determine whether there has been a reportable breach, if they have reasonable grounds to suspect a data breach has occurred. Businesses are required to take reasonable steps to complete that assessment within 30 days.[18] Reports published by the OAIC indicate that about 70 per cent of reportable data breaches were notified to the regulator within a 30 day period of becoming aware of the incident.[19]

  1. The OAIC’s enforcement powers will be expanded to enable a better targeted regulatory response to privacy law breaches with an introduction of new mid-tier penalty provisions to cover interference with privacy without a ‘serious element’ and new low-level civil penalty provisions for specific administrative breaches of the Privacy Act and Australian Privacy Principles (APP) with the OAIC having powers to issue infringement notices.[20] The new penalty regime is likely to be modelled on the infringement notice framework of the Australian Competition and Consumer Act.[21] The OAIC will also be given enhanced powers to investigate potential breaches of civil penalty provisions of the Privacy Act, including powers to search premises and electronic material for evidential material and to seize such evidential material and other items.[22]
  2. The individual’s right of action for an interference with privacy will be expanded to permit individuals to apply to the court for relief including loss and damage suffered because of a privacy breach under the Privacy Act. A statutory tort for serious invasion of privacy will also be introduced.
  3. Under the current system, individuals’ claims for compensation under the Privacy Act are made through the OAIC, which can make determinations in respect of compensation claims and take court proceeding on behalf of individuals. The reported individual compensation awards made by the OAIC under the Privacy Act have, to date, have ranged from AUD 1,000 to AUD 20,000 for each privacy breach.

Getting ready for changes to the Australian privacy laws

There is no single solution for the protection of data and compliance with privacy laws. A whole of business approach is required. People are the most important part of the process and solution, followed by technology.

Safeguards against unauthorised use, disclosure, theft, cyber-attacks, industrial espionage and sabotage of IT system have to be agile and updated to deal with increasing sophistication of cyber-attacks or cyber incidents.

Some steps that businesses may consider taking to get ready for the changes to the privacy laws and to minimise the risk of non-compliance include:

  1. Undertaking audits of the organisational data collection, purpose of collection and data flow to ascertain the type of data that is collected, managed and held and who is authorised to access this information. Legal advice may also be required.
  2. Undertaking a review of the organisation’s data retention policies and practices and destroying data that is not required by the business and not required to be retained by law. Businesses can minimise the risk by only collecting and holding data that is required.
  3. Having a cybersecurity expert assess and monitor the organisation’s computer system for potential vulnerabilities to cyber-attacks and implement appropriate measures to deal with risks.
  4. If the business uses cloud-based computer services and software applications, agreements with third party cloud services providers should be reviewed for privacy compliance, security and data protection.
  5. Reviewing their agreements with third parties to whom data is transferred or disclosed and any agreements with third party data processors for privacy compliance.
  6. Implementation of appropriate security measures for the protection of confidential information/data (including when emailing sensitive personal information). Measures and controls could include encryption, password protection, multi-facet authentication and monitoring data flows.
  7. Implementation of appropriate technological measures to deal with possible cyber threats including viruses, ransomware, malware, hacking and other cyberattacks.
  8. Development and implementations of guidelines for ‘best practice’ for responding to cybersecurity breaches including post-breach communication to affected individuals for reduction of ‘harm’ to both the affected individuals and the business.
  9. Monitoring and keeping up to date with the latest scams and cyber threats including phishing emails and telephone calls requesting passwords and other personal information and keeping management and employees updated.
  1. Undertaking a review of existing non-disclosure agreements and requiring all staff who are to have access to personal information/confidential information to sign non-disclosure agreements.
  2. Education and training of management and employees in relation to best practices for data management and security, privacy compliance, cybersecurity and responding to cybersecurity and privacy breaches.
 

Notes

[1]           Privacy Act Review Report 2022, published by the Australian Government in February 2023.

[2]           General Data Protection Regulations (GDPR), Digital Services Act 2022 (EU); European Commission Proposed Artificial Intelligence Act 2022(EU).

[3]           Privacy Act Review Report 2022, at [1].

[4]           Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (‘Privacy Amendments’) came into effect on 13 December 2022.

[5]           Proposal 4, Privacy Act Review Report 2022, at [2] and [5].

[6]           Proposal 4.10, Privacy Act Review Report 2022, at [5].

[7]           Proposal 6.1, Privacy Act Review Report 2022, at [6].

[8]           Proposal 22.1 Privacy Act Review Report 2022, at [13].

[9]           Proposal 6.2, Privacy Act Review Report 2022, at [6].

[10]          Proposal 7.1, Privacy Act Review Report 2022, at [6].

[11]          Proposal 20.1–20.4, Privacy Act Review Report 2022, at [12].

[12]          Proposal 18 Rights of Individuals, Privacy Act Review Report 2022 at [11].

[13]          Proposal 19 Automated Decision Making, Privacy Act Review Report 2022 at [12].

[14]          Proposal 13.1–13.3, Privacy Act Review Report 2022, at [9].

[15]          Proposal 21 Security, retention and destruction, Privacy Act Review Report 2022, at [13].

[16]          Proposal 28 Notifiable data breach scheme. Privacy Act Review Report 2022, at [15].

[17]          Sections 26WK and 26WL, Privacy Act.

[18]          Section 26WH Privacy Act.

[19]                    OAIC, Notifiable Data Breaches Report: July to December 2021[Report, 22 February 2022]; OAIC, Notifiable Data Breaches Report: January to June 2022 [Report, 10 November 2022].

[20]         Proposal 21.1 Privacy Act Review Report 2022, at [14].

[21]         Privacy Act Review Report 2022, at [255].

[22]         Proposal 25.3, Privacy Act Review Report 2022, at [14].