Catching up with international developments in privacy: The Commonwealth’s Privacy Act Review 2022

24 February 2023

In a paragraph

The Privacy Act Review – Report 2022 (Report) would lift the bar on protections for personal information under the Privacy Act 1988 (Cth) (Act). The proposed reforms would close the gap about halfway between Australia’s privacy laws and the European Union’s General Data Protection Regulation (GDPR), as well as moving us closer to recent privacy reforms in other key jurisdictions – Japan, Singapore, California.

Key proposals

  • Remove the current exemption for small businesses from the application of the Act (with appropriate resources made available to practically assist them in complying).
  • Retain the existing ‘employee records exemption’ but place new obligations on private sector employers regarding collection, use and protection of employee personal information.
  • Introduce a right to seek erasure, to de-index internet search results of certain types of personal information (eg sensitive, about a child), with limitations on that right, such as countervailing public interest or where contrary to the law.
  • Extend existing obligations about ‘offshoring’ to apply to de-identified datasets. Also introduce a new criminal offence of ‘malicious re-identification’ of de-identified information.
  • Introduce a ‘statutory tort’ for serious invasions of privacy, as well as a statutory direct cause of action for individuals in the Federal Court and Federal Circuit and Family Court of Australia.
  • Introduce GDPR terms ‘controller’ and ‘processor’, to lessen responsibilities on ‘mere’ processors.
  • Create new protections for those subject to automated decisions that affect their rights.
  • Require APP entities to self-set maximum and minimum retention periods.
  • Tighten up notification obligations under the notifiable data breaches scheme.

Background to the Report

On 12 December 2019, the Australian Government released its response to the Australian Competition and Consumer Commission’s final report on the Digital Platforms Inquiry, which investigated the impact of digital platforms on competition in media and advertising services markets. Among other things, the Inquiry recommended stronger privacy laws to protect consumers on digital platforms.

Shortly after, the former Commonwealth Attorney-General was commissioned to conduct a review. Following the publication of an issues paper, a discussion paper and several rounds of public consultation, the current Attorney-General (the Hon Mark Dreyfus KC MP) (Attorney-General) published the Report on 16 February 2023. The Report suggests that, to realise the benefits of data-driven technology, it is necessary to maintain sufficient community trust in new applications of technology – and greater privacy protections are needed to maintain that trust.

Removing the small business exemption

Under the existing version of the Act, most small businesses with an annual turnover of less than $3 million are not required to comply with the Act, unless they are engaged in certain activities such as providing health services.

The Report proposes removing the small business exemption, but only after:

  • an impact analysis has been undertaken to better understand the impact removal of the exemption will have on small businesses;
  • appropriate support is developed in consultation with small businesses;
  • in consultation with small businesses, the most appropriate way for small businesses to meet their obligations, proportionate to the risk, is determined (for example, through a code); and
  • small businesses have had sufficient opportunity to comply with the new obligations.

Whereas previously small businesses were exempt from complying with some obligations of the Act and the Australian Privacy Principles (APPs), the removal of this exemption would require all small businesses to ensure their practices are fully compliant with Australian privacy law in respect of personal information that they hold.

Clarify the scope of personal information

Personal information is an expansive concept and is broadly defined as information or an opinion about an identified individual, or about an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form. Information about an individual may include information such as their name, date of birth and contact details.

The Report recommends expanding the definition of ‘personal information’ by replacing the word ‘about’ with the phrase ‘relates to’ to clarify that personal information will include information such as technical information (eg IP addresses, device identifiers and location data) and inferred information (eg predictions of behaviour or preferences). This will enable provisions of the Act to apply more readily to ‘new age’ modes of data collection including information that might be generated from social media algorithms.

However, the Report does suggest that information about an individual will not constitute personal information unless it is connected to a specific individual and is not too tenuous or remote.

New controls on de-identified information

The Report has recommended that APP 8 (relating to the obligation to take reasonable steps to ensure overseas recipients do not breach the APPs) and APP 11.1 (relating to obligations to protect de-identified information from unauthorised access or interference) be amended to apply to de-identified datasets.

While personal information may be de-identified, IT capabilities, especially in the age of big data and ready access to publicly available identified data sets, may now readily permit ‘re-identification’ and misuse of that information. The proposed amendments to APP 8 and APP 11.1 are aimed at ensuring that the risks of re-identification are appropriately managed (eg by contractual undertakings that an overseas recipient of personal information not attempt to re-identify de-identified information).

The Report also proposes introducing a new criminal offence of malicious re-identification, being re-identification intended to cause harm or obtain an illegitimate benefit, which would punish those who seek to re-identify information, for example, for the purposes of ransom or identity theft.

It is made clear in the Report that any changes in relation to de-identified data should be balanced against the public interest in permitting APP entities (that is, entities subject to the Act, including private sector organisations, and the Australian and ACT Governments) to use de-identified data for research or to improve their services. In addition, the Report emphasises that it would not be appropriate to apply all protections under the Act to de-identified information so as not to discourage APP entities from continuing to use such information.

New causes of action for individuals

Under the current version of the Act, individuals do not have the ability to directly take action against entities which mishandle their personal information. They are limited to making a complaint to the Office of the Australian Information Commissioner (OAIC), which can decide what course of action to take.

The Report proposes to expand the causes of action available for individuals seeking redress for interferences with their privacy. This includes the establishment of a direct right of action for individuals who have suffered loss or damage as a result of an interference with their privacy. This would allow individuals and representative groups to apply to the Federal Court for compensation for that loss or damage. This right of action will not replace the existing complaints process: individuals and representative groups would still be required to lodge a complaint with the OAIC and have it assessed for conciliation by the OAIC or a recognised external dispute resolution scheme (for example, an industry ombudsman) before making any court application.

The Report also proposes introducing a statutory tort for serious invasions of privacy, which would allow individuals to commence court proceedings for breaches of privacy that are not currently covered by the Act. Under the current laws, individuals may only take limited action in respect of these breaches under online safety laws, defamation and/or by claiming a breach of the equitable duty of confidence. In the case of breach of confidence, this action is limited to circumstances in which a relationship of confidence exists; if there is no such relationship, an action for breach of confidence would fail. Equally, the tort of defamation was considered not to be an appropriate redress mechanism, given that the complete defence of truth would render any disclosure of truthful personal information lawful. The introduction of a statutory tort would therefore materially expand the kinds of claims open to individuals.

Additional protections for employees

Under the current version of the Act, employers are not required to comply with the APPs in respect of the storage, use and disclosure of personal information contained in employee records. We have discussed the employee record exemption previously.

The Report does not propose to abolish the current exemption of employee records from the operation of the Act. However, additional obligations would apply to the handling of employee records relating to private sector employees, directed at the following:

  • improving transparency as to the purpose of collection and use of an employee’s personal information;
  • ensuring that employers are only able to collect, use and disclose personal information about an employee in a way that is ‘reasonably necessary to administer the employment relationship’;
  • protecting personal information from misuse, loss or unauthorised access including by mandating deletion of information about an employee when it is no longer required; and
  • notifying both the OAIC and employees when a data breach affects employee personal information.

The Report specifies that further consultation is required to determine how these additional obligations should be incorporated into legislation including whether the obligations should be incorporated into the Act or the Fair Work Act 2009 (Cth).

Introduction of ‘controller’ and ‘processor’

The Report further proposes to introduce the terms ‘controller’ and ‘processor’ into the Act. Basically, a controller is an entity which determines what is to be done with any given personal information, while a processor is an entity which acts on the instructions of the controller in handling, or processing, that personal information.

This mirrors the language of other major privacy laws, such as the GDPR, and may have the effect of reducing the obligations imposed on organisations that may be classified as mere ‘processors’ of information without any direct contact with individuals whose information is being handled. Pending removal of the small business exemption, a non-APP entity that processes information on behalf of an APP entity controller would be brought into the scope of the Act in relation to its handling of personal information for the APP entity controller. This would be subject to further consultation with small business and an impact analysis to understand the impact on small business processors.

Many Australian organisations manage these issues through informal principal-and-agent relationships, but formal recognition in the Act would likely clarify the position and its interaction with international norms.

Rights affecting automated decision-making

The Report also seeks to improve protections for those subject to ‘substantially automated decisions which have a legal or similarly significant effect on an individual’s rights’, including the introduction of a statutory right for individuals to request ‘meaningful’ information about how substantially automated decisions are made. Automated decision-making occurs when technology, including artificial intelligence, is used to assist or replace the judgment of human decision makers. Automated decision-making may occur in contexts such as generating advertising content for individuals based on their viewing data, credit or insurance approvals, or in government agencies such as Centrelink or the Australian Tax Office.

Further, where an individual’s personal information is to be used in automated decision-making, this would need to be disclosed in an organisation’s privacy policy.

Notifiable data breaches scheme (NDB Scheme)

The NDB Scheme has been in operation now for five years, requiring entities to notify the OAIC and impacted individuals of ‘eligible data breaches’. The Report proposes amendments to the NDB Scheme to tighten up those notification obligations as follows:

  • as to the timing of notifications, once an entity is aware there are reasonable grounds to believe there has been an eligible data breach, it will be required to notify the OAIC within 72 hours (mirroring similar data breach notification obligations under the GDPR) and notify affected individuals ‘as soon as practicable’, with an allowance in both cases for further information to be provided thereafter if it is not initially available;
  • entities will be required to take reasonable steps to implement practices, procedures and systems to enable them to respond to a data breach;
  • notification statements about an eligible data breach will be required to set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on impacted individuals; and
  • the Attorney-General will be permitted to share information with appropriate entities to reduce the risk of harm in the event of an eligible data breach.

In order to more clearly assign responsibility for notification in multi-party breaches, the newly proposed controller / processor distinction (outlined above) would also apply to NDB obligations, with processors responsible for reporting to the OAIC and to controllers and, in turn, controllers responsible for reporting to the OAIC and to individuals.

Introduction of right of erasure

The Report proposes to introduce a right of erasure (or a ‘right to be forgotten’) based on the GDPR. This right is associated with an extension of the obligation on APP entities to delete personal information once it is no longer required. This would allow individuals to request that internet search results containing their personal information be de-indexed where the personal information consists of:

  • sensitive information (eg medical history);
  • information about a child;
  • excessively detailed information (eg information containing an individual’s home address or phone number); or
  • inaccurate, out-of-date, incomplete, irrelevant or misleading information.

However, the right of erasure would be limited in the event that there is a countervailing public interest, where the exercise of the right would be contrary to law, or where de-indexing the search results would be technically infeasible, frivolous or vexatious.

Self-set maximum and minimum retention periods

In relation to the requirement for APP entities to delete or de-identify personal information that is no longer required, the Report recommends that an obligation be placed on APP entities to establish maximum and minimum retention periods that would govern the length of time they are able to store personal information. These retention periods would differ depending on the type of personal information held, the purpose for which it is held, the entity’s organisational needs and any further obligations the entity may have under law.

The introduction of this concept into the Act would align with international privacy law in this area, noting that jurisdictions such as the EU and Canada have already introduced similar regulations.

If implemented, the use of these retention periods may assist in reducing the storage of any ‘excess’ personal data by APP entities, thereby reducing the scope and volume of information that may be exposed through a data breach.

Enhanced enforcement and penalties powers

In addition to the recent increases to penalties available under the Act and enhancement of the OAIC’s powers, the Report proposes to further strengthen the enforcement mechanisms available under the Act.

Following a substantial increase in December 2022, the maximum civil penalty for serious breaches or repeated breaches of privacy is the greatest of:

  • $50 million;
  • three times the value of the benefit obtained from the contravention; and
  • 30% of the adjusted turnover of the corporate group during the ‘breach turnover period’.

The Report proposes the introduction of new low- and mid-tier civil penalty provisions for specific breaches of the Act and interferences with privacy without those breaches needing to be ‘serious’ offences. These might be enforced through infringement notices. Mid-tier penalties could be set at a maximum of 2,000 penalty units (the maximum penalty before the 2022 increase), which is currently $5,500,000.

Further proposals

In addition to the proposals outlined above, the Report makes further recommendations including:

  • entities to act fairly and reasonably when collecting, using and disclosing personal information;
  • amended definition of ‘consent’ to clarify that consent must be voluntary, informed, current, specific and unambiguous;
  • new requirement to conduct Privacy Impact Assessments for any high privacy risk activity (being activities ‘likely to have a significant impact on the privacy of individuals’);
  • prohibiting the use of an individual’s information (including their personal information and de-identified information) for the purpose of targeted advertising and content to children; and
  • improved protections for children and vulnerable persons, such as codifying OAIC Guidance on topics including capacity and consent.

What next?

The proposed reforms do not yet take the form of draft amendments to the Act, but have instead been expressed as principles. The precise scope of the reforms is expected to be refined following further consultation with affected parties. The Attorney-General is currently taking submissions on the Report’s proposals until 31 March 2023. Draft legislation is likely to be circulated during 2023 and it is possible that an amending Act will pass the Parliament this year, with changes taking effect as early as the end of 2024.

HWL Ebsworth has a dedicated Privacy team experienced in advising on all aspects of privacy law. If you require advice on the proposals, or help in putting in a submission, please contact a member of our team.

This article was written by Geoff Bloom, Partner, Elham Bolbol, Solicitor, and Kathryn McCormack, Graduate-at-Law. Thanks to Partners Matthew Craven, Andrew Galvin, Daniel Kiley, Andrew Miers and James Moore, as well as Kristina Mihalic, Special Counsel, for their respective contributions. 
