Major privacy changes introduced

03 November 2021

Monday 25 October 2021 was a landmark day for privacy law in Australia, with not one but two sets of substantive reforms to the Privacy Act 1988 (Cth) (Act) announced by the Attorney-General’s Department. If that wasn’t enough, a Private Member’s Bill proposed further changes to the Act, with a second Private Member’s Bill also seeking new powers for the e-Safety Commissioner (Commissioner) to deal with defamatory posts on social media.

The most immediate step from the Attorney-General’s Department is the release of an exposure draft of Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill). The Online Privacy Bill enables the creation of a binding Online Privacy Code (OP Code) for social media and certain other online platforms, as well as increasing penalties and enforcement measures across the Act more broadly.

In addition to the Online Privacy Bill, the Attorney-General’s Department has also taken the next step towards broader reform of the Act as a whole. An Issues Paper last year invited comment on almost every aspect of the Act. Based on responses to the Issues Paper, a new Discussion Paper puts forward more specific proposals for reform dealing with a range of issues across the Act. These would include the first changes to the Australian Privacy Principles (APPs) since they were introduced in 2014, as well as some substantive changes to the way the Act is enforced, including by allowing individuals to directly take action for breach for the first time.

The introduction of a new statutory tort for the invasion of privacy is also listed as an option in the Discussion Paper. South Australia appears to have taken steps to go ahead alone in this respect, having recently opened consultation on its own Civil Liability (Serious Invasions of Privacy) Bill 2021 (SA Bill).

Online Privacy Bill

Prior to the last Federal election, the Government announced an intention to amend the Act to include new rules addressing online privacy issues, and increase the penalties and enforcement powers under the Act, noting that the ‘existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations’. The Online Privacy Bill appears to now be the mechanism for implementing these proposals into law.

The adoption of an OP Code under the Online Privacy Bill has been proposed in order to address the specific privacy challenges posed by social media and other online platforms that collect a high volume of personal information, or trade in personal information, by adapting and expanding upon the requirements under the APPs. The Bill anticipates that the OP Code will be developed by industry for approval by the Commissioner, and set out more prescriptive detail about the manner in which the operators of social media services, data brokerage services and other large online platforms meet their obligations under the APPs.

In its report released following the ‘Digital Platforms Inquiry’, the Australian Competition and Consumer Commission recommended that the maximum penalties of the Privacy Act be increased to mirror the recently increased penalties for breaches of the Australian Consumer Law (ACL). Accordingly, in addition to the OP Code, the Online Privacy Bill will also strengthen penalties for all entities regulated by the Privacy Act (not just OP Organisations that are captured by the OP Code), and will increase the enforcement mechanisms and information gathering powers available to the Commissioner.

Application of OP Code

It is proposed that the OP Code will apply to the following categories of private sector organisation that are already subject to the Privacy Act, who will be known as ‘OP Organisations’:

  1. organisations that provide social media services;
  2. organisations that provide data brokerage services;
  3. large online platforms; and
  4. ‘specified’ organisations.

The categories of OP Organisations captured by the Online Privacy Bill reflect that implementing stricter privacy regulations on social media platforms alone may not address privacy concerns arising from the broader online data sharing ecosystem.

These OP Organisations will need to meet the requirements of the OP Code, as well as the ordinary provisions of the Privacy Act. Private sector organisations that are not already subject to the Privacy Act will not be subject to the OP Code.

OP Organisations providing social media services

For the purpose of the OP Code, an organisation will be taken to provide a social media service if it provides an ‘electronic service’ that:

  1. has the sole or primary purpose of enabling online social interaction between two or more end-users;
  2. allows interactions between end-users; and
  3. allows end-users to post material on the service.

The definition of ‘electronic service’ will capture a broad range of existing and future technologies, including hardware, software, websites, mobile applications, hosting services, peer-to-peer sharing platforms, instant messaging, email, SMS and MMS, chat services, and online gaming (though excludes certain broadcasting, datacasting or payment processing services).

However, the definition is not intended to capture organisations that enable online communication/interactions/content sharing as an additional feature – for example, business interactions with customers such as online feedback facilities.

Examples of social media services identified as being likely to fall within the ambit of the Code include:

  1. social networking platforms such as Facebook;
  2. dating applications such as Bumble;
  3. online content services such as OnlyFans;
  4. online blogging or forum sites such as Reddit;
  5. gaming platforms that operate in a model which enables end-users to interact with other end-users, such as multiplayer online games with chat functionalities; and
  6. online messaging and videoconferencing platforms such as WhatsApp and Zoom.

OP Organisations providing data brokerage services

The OP Code will also apply to organisations that provide a ‘data brokerage service’.

The Online Privacy Bill provides that an organisation will provide a ‘data brokerage service’ if it:

  1. collects personal information from an individual via an electronic service (other than a social media service), or collects personal information from another entity that collected the information via an electronic service (including a social media service); and
  2. collects the personal information for the sole or primary purpose of disclosing the personal information, or information derived from the personal information, in the course of or in connection with providing a service.

This definition is intended to capture organisations whose business model is based on trading in personal information collected online, or information derived from such personal information, such as data derived from loyalty or rewards programs. Examples of data brokerage services identified by the Explanatory Paper to the Online Privacy Bill include Quantium, Acxiom, Experian and Nielsen Corporation.

However, organisations will not be taken to provide a ‘data brokerage service’ merely because they collect personal information and then subsequently disclose it for a secondary purpose. For example, if a charity collects personal information from donors, and then later discloses this information to a marketing agency to help run a fundraising campaign to previous donors, this will not see it captured as a data broker.

Large Online Platforms

The OP Code will also apply to ‘large online platforms’.

An organisation will be a large online platform if it:

  1. collects personal information about an individual in the course of, or in connection with, providing access to information, goods or services (other than a data brokerage service) by use of an electronic service (other than a social media service); and
  2. has over 2,500,000 end-users in Australia in the past year, or if an organisation did not carry on business in the previous year, 2,500,000 end-users in the current year.

An ‘end-user’ for the purpose of this definition is any individual who uses the electronic service. For example, it would include an individual who uses a search engine.

It is anticipated that this category will capture organisations who collect a high volume of personal information online, including major global technology companies (such as Google, Apple and Amazon), as well as media sharing platforms (such as Spotify).

Specified Organisations

In addition to the three categories of OP Organisations referred to above, the Online Privacy Bill gives the Minister the power to, by legislative instrument, apply the OP Code to other organisations, or classes of organisations. This will provide some flexibility to respond to the fast-moving online environment if it becomes necessary in the future.

Exclusions to OP Code

The OP Code will not apply to specific acts/practices that are exempt under the Privacy Act. In particular, an organisation will not breach the OP Code only because of an act or practice done or engaged in:

  1. under contract with an Australian Government agency; or
  2. outside of Australia, in compliance with an applicable foreign law.

Further, the OP Code will also not apply to Australian Government agencies on the basis that the OP Code deals with specific kinds of commercial activities that these agencies are unlikely to engage in.

Proposed Requirements of OP Code

The Online Privacy Bill sets out the matters that the OP Code must include, as well as additional matters the code may address. Once developed, the OP Code will set out these requirements in detail.

In its current form, the Online Privacy Bill requires the OP Code to (at a high level):

  1. prescribe how an OP Organisation will:
    • ensure that its APP Privacy Policy will comply with paragraph 1.4(c) of APP 1, being the need to ensure that the Privacy Policy explains the purposes for which the OP Organisation collects, holds, uses and discloses personal information;
    • ensure that it complies with APP 5, being the requirement to provide notice to individuals about the collection of their personal information; and
    • ensure that it complies with APP 3 and APP 6, being the requirement to seek consent that is voluntary, informed, unambiguous, specific and current.
  2. require an OP Organisation to:
    • take such steps (if any) as are reasonable in the circumstances to not use or disclose, or to not further use or disclose, an individual’s personal information upon request from that individual (noting that this requirement is not intended to amount to a ‘right to erasure’ of the personal information, and will not prevent ‘secondary’ uses and disclosures of personal information that are currently permitted under the Privacy Act); and
    • in the event that an individual makes a request to an OP Organisation that it cease to use or disclose that individual’s personal information, comply with a new set of procedural requirements for the request process (which are modelled on the current procedural requirements in APP 12).
  3. in respect of all OP Organisations:
    • set out how all the APP requirements referred to above will apply specifically in relation to children or other vulnerable groups not capable of making their own privacy decisions, including imposing more specific obligations if necessary; and
    • include specific provisions about how these individuals (or their parents, guardians or representatives) should provide consent for the collection, use or disclosure of personal information.
  4. in respect of OP Organisations who provide social media services:
    • impose stricter requirements for how these OP Organisations must handle children’s personal information (with a child being defined as an individual who has not reached 18 years of age); and
    • require these OP Organisations to:
      1. take all reasonable steps to verify the age of individuals who use the social media service; and
      2. ensure that the collection, use or disclosure of a child’s personal information is fair and reasonable in the circumstances; and
      3. obtain the express consent of the child’s parent or guardian before collecting, using or disclosing the personal information of a child who is under the age of 16, and take all reasonable steps to verify the consent. In the event that a social media service becomes aware that an individual was under the age of 16, the social media service must take all reasonable steps to obtain verifiable parental or guardian consent as soon as practicable.

In order to ensure that the OP Code is flexible and responsive, the Online Privacy Bill also provides that the OP Code may set out the following optional requirements, if the Commissioner or OP Code developer wish to use them, or expand or clarify the obligations or procedures within the OP Code:

  1. set out how one or more of the APPs are to be applied or complied with;
  2. impose additional (but not contrary or inconsistent) requirements to the APPs;
  3. provide mechanisms to deal with the internal handling of complaints;
  4. provide for the reporting of complaints to the Commissioner;
  5. provide for the reporting to the Commissioner about the number of end-users in Australia; and
  6. any other relevant matter.

Proposed Consequences of Breaching OP Code

The Commissioner will have the power to investigate potential breaches of the OP Code, either following a complaint or on the Commissioner’s own initiative. In the event that an investigation finds that a breach has occurred, the Commissioner’s full range of enforcement powers will be available.

Code Making Process

The OP Code itself has not yet been developed. However, after the Online Privacy Bill receives Royal Assent, the OP Code will need to be developed and registered within 12 months. The Commissioner will register the OP Code after it has been developed, and once the OP Code has been registered it must be complied with by OP Organisations.

Industry will have the first opportunity to act as the ‘OP Code Developer’ and draft the OP Code.

The Commissioner may request that an organisation or a group of organisations that will be bound by the OP Code, or one or more industry bodies or associations representing such organisations, act as the OP Code Developer.

If the Commissioner cannot identify a suitable OP Code Developer, or the OP Code Developer does not comply with the Commissioner’s request to develop the code, or the Commissioner decides not to register the code that has been developed, the Commissioner can develop the OP Code themselves.

Increased Penalties and Enforcement

Increased Penalties

In addition to the OP Code, the Online Privacy Bill will strengthen penalties and enforcement mechanisms for all entities regulated by the Privacy Act (not just OP Organisations).

For a natural person, the Online Privacy Bill increases the maximum civil penalty for serious and repeated interferences with privacy to 2,400 penalty units (which, based on current penalty unit values, equates to $532,800).

For a body corporate, the maximum penalty will increase to an amount not exceeding the greater of:

  1. $10,000,000;
  2. three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated interference with privacy; or
  3. if the value cannot be determined, 10% of their domestic annual turnover (noting that the Bill sets out how to calculate turnover for the purposes of this provision).

New enforcement mechanisms

The Online Privacy Bill creates several new enforcement mechanisms for use by the Commissioner. At a high level, those enforcement mechanisms are:

  1. the creation of a new power to issue an infringement notice where a person fails to comply with the requirement to give information, or provide a document or record when required, in the course of an investigation being conducted by the Commissioner (Infringement Notice Power). Currently, section 66 of the Privacy Act creates a criminal offence where a person refuses to or fails to give information, or answer a question or produce a document or record when required to do so under the Privacy Act. The introduction of the Infringement Notice Power is intended to provide an alternative means of resolving these matters without resorting to the prosecution of a criminal offence, or the litigation of a civil matter;
  2. further to the above, the creation of a new, separate criminal offence in circumstances where a body corporate fails to comply with the requirement to give information, or provide a document or record when required in relation to investigations, and this conduct occurs on multiple occasions and constitutes a system of conduct or pattern of behaviour. This would enable the Commissioner to refer matters to the Commonwealth Director of Public Prosecutions for more serious, systemic conduct;
  3. the expansion of the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation, including:
    • as a means of complementing the Commissioner’s existing power to make a determination that a respondent must take specified steps to ensure conduct constituting an interference with privacy is not repeated or continued, a new power to require the respondent to engage an independent and suitably qualified adviser to assist in this process;
    • a new determination power to require the respondent to:
      1. prepare a statement about the conduct that led to the interference with privacy and the steps they have taken or will take to remediate the contravention; and
      2. publish the statement and/or provide a copy to the complainant or, in the case of a representative complaint, to each affected class member;
  4. the extension of the Commissioner’s existing power to conduct an assessment of an entity’s compliance with certain parts of the Privacy Act, to include the power to conduct an assessment of an entity’s compliance with the Privacy Act’s Notifiable Data Breaches Scheme (which commenced in February 2018);
  5. the creation of a new information-gathering power for the purposes of conducting assessments, which will enable the Commissioner to issue a notice to produce information or a document relevant to the assessment (Assessment Notice). A failure to lawfully comply with an Assessment Notice would be subject to the new Infringement Notice Power, or criminal penalty for a failure to give information to the Commissioner when required;
  6. the extension of the Commissioner’s capacity to share information, including:
    • a new power (subject to specific limitations) to share information with:
      1. a law enforcement body;
      2. an ‘alternative complaint body’ (which includes the ‘eSafety Commissioner’ under the Online Privacy Bill); and
      3. State, Territory or foreign privacy regulators.
    • the Commissioner will be permitted to share information in the context of transferring a complaint to another body, and for the purpose of the Commissioner, or receiving authority, exercising any of their respective functions and powers;
    • the power to disclose information acquired in the course of the Commissioner’s privacy functions on the OAIC’s website. This would include the ability to confirm whether the OAIC has received notice of an eligible data breach, and disclose information regarding assessment reports, section 52 determinations and enforceable undertakings without needing to meet a public interest test.

Broader Privacy Act reforms

In addition to the Online Privacy Bill, the broader review of the Act has arisen as part of the Government’s response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. Although that Inquiry was focussed primarily on the dominance of Google and Facebook in digital advertising markets, the recommendations made by the ACCC were wide reaching, including suggesting specific changes to the Act as well as a recommendation for ‘Broader reform of Australian privacy regime to ensure it continues to effectively protect consumers’ personal information in light of the increasing volume and scope of data collection in the digital economy’.

In response, the Government released an Issues Paper in October 2020, seeking feedback on a broad range of possible changes to the Act. The Issues Paper suggested an appetite for potentially significant change, with the only elements of the Act expressly out of scope being the highly specialised credit reporting regime, and data generated by the COVIDsafe app.

The new Discussion Paper focusses on more specific proposals for amendments, but these still touch on a large number of areas of the Act, and would be the most substantive changes since the commencement of the APPs in 2014.

Significantly, two key changes which would give individuals more direct abilities to enforce their rights remain on the table. These are:

  • an ability for individuals to directly bring action for breach of the APPs affecting their personal information. Under the existing Act, individuals have no ability to sue entities for breaching the APPs, and are instead limited to making complaints to the Office of the Australian Information Commissioner (OAIC), which can choose whether to take enforcement action; and
  • a potential statutory tort for invasion of privacy, which would apply in instances of highly offensive conduct, separate and distinct from the requirements of the APPs. A number of different options are put forward for how this might be framed.

Either change would be a sizeable shift in the privacy law landscape in Australia, and allow individuals to take matters into their own hands where aggrieved. They would also potentially pave the way for class actions in the event of data breaches or other privacy issues affecting large groups of people.

The Discussion Paper also proposes changes to a number of elements of the APPs. Noteworthy proposals in this respect include:

  • changing the definition of ‘personal information’, to capture all information which ‘relates to’ (rather than all information ‘about’) an individual, and make clearer that it includes information inferred or generated by an entity;
  • introducing an overriding requirement that any collection, use or disclosure of personal information be ‘fair and reasonable in the circumstances’, with the potential to prescribe a list of factors as to whether actions would be considered fair and reasonable;
  • strengthening requirements as to what constitutes valid consent, which is not currently addressed by the Act, so that consent would need to be ‘voluntary, informed, current, specific, and an unambiguous indication through clear action’ in order to be valid;
  • allowing consent to be withdrawn at any time;
  • being more prescriptive about the information to be provided to individuals when collecting personal information, so as to make these more readily understandable, potentially including by introducing standardised forms, wording or icons;
  • narrowing the circumstances in which an entity may be able to avoid providing notice to individuals regarding the collection of personal information;
  • requiring additional steps of entities where they collect personal information about an individual other than directly from that person;
  • tightening the link between the notice provided to individuals on collection of personal information, and the ‘primary purpose’ and ‘secondary purposes’ for which that information can later be used, especially where information is proposed to be used for the purpose of influencing an individual’s behaviour or decisions;
  • requiring entities to keep records of the secondary purposes for which personal information is used or disclosed;
  • potentially removing APP 7, so that direct marketing activities would be dealt with under the general principles of APP 6, rather than standalone rules;
  • being more prescriptive about the steps required of entities to ensure the security of personal information, and its destruction once no longer required;
  • reforming the requirements for cross-border transfers of personal information, including potentially introducing standard contractual clauses for those circumstances; and
  • requiring entities to adopt ‘pro-privacy default settings’, or an obvious and clear way for individuals to adopt the most restrictive privacy controls.

Another proposal would add to the list of matters required to be addressed in an organisation’s privacy policy, such as whether the organisation is likely to use personal information as part of automated decision making, or for influencing individuals’ behaviour or decisions. Even if this proposal is not adopted, almost all organisations are likely to need to review and revise their privacy policies to ensure that they reflect changes to underlying APPs.

Further proposals would see new rights for individuals which would mirror some of those found under the European General Data Protection Regulation (GDPR), including:

  • a right to object to the collection, use or disclosure of personal information; and
  • a right to request erasure of their personal information, but only in certain limited circumstances.

Another new right would allow individuals to compel an organisation to reveal the source of personal information, unless that would be impossible or would involve disproportionate effort.

However, a GDPR-style right to portability of data has not been proposed, on the basis that this legislative role is instead being addressed in Australia via the Consumer Data Right scheme.

The existing APPs do not distinguish between personal information relating to adults or minors.[1] Building on the Online Privacy Bill, some of the proposals in the Discussion Paper would also involve placing additional restrictions on the manner in which entities handle personal information relating to children. One such proposal would potentially require consent to be sought from parents, rather than from the child to whom the personal information relates, for minors under 16 years of age.

The Discussion Paper also puts forward proposals for more robust requirements as to when personal information can be said to be truly anonymised (rather than merely de-identified), and, in support of this, also suggests offences for individuals who seek to re-identify data (similar to those previously proposed in the Privacy Amendment (Re-identification) Offence Bill 2016).

Another proposal in the Discussion Paper would see new categories of high risk practices defined, and be subject to stricter rules. These might include:

  • large scale direct marketing activities, including online targeted advertising;
  • collection, use or disclosure of sensitive information on a large scale;
  • collection, use or disclosure of personal information about children on a large scale;
  • collection, use or disclosure of location data on a large scale;
  • collection, use or disclosure of biometric or genetic data, including the use of facial recognition software;
  • the sale of personal information on a large scale;
  • automated decision making with legal or significant effects; and
  • any activities involving personal information where likely to result in a high privacy risk or risk of harm to an individual.

The relatively recently introduced mandatory data breach notification scheme does not appear likely to be subject to any major changes, but the Discussion Paper does suggest additional details which should be added to the notices, including details of steps being taken by the entity to address the breach. Even if the mandatory data breach notification scheme is left largely unchanged though, it may take on a new significance if individuals are separately given new abilities to sue companies for privacy issues.

With the Online Privacy Bill already proposing to substantially raise the maximum penalties for ‘serious’ or ‘repeated’ interferences with privacy, the Discussion Paper separately considers the potential for new penalty provisions with lower applicable standards, including:

  • a ‘mid-tier’ civil penalty provision, with lower maximum penalties; and
  • an infringement notice regime for certain ‘low-level’ breaches of the APPs.

New enforcement abilities are also proposed for the OAIC, some of which could involve significant changes to existing models, such as:

  • adding new roles for external dispute resolution providers to conciliate matters before they need to reach the OAIC;
  • requiring the payment of levies or fees to the OAIC, particularly for entities operating in a high privacy risk environment, or where entities rely on the services of the OAIC rather than engaging external dispute resolution providers.

As one of its potentially more ambitious goals, the paper proposes the establishment of a working group to seek to harmonise privacy laws across Australian Commonwealth, State and Territory jurisdictions. There is considerable scope for reform in this area, with large variance between local regimes around the country, including in Western Australia and South Australia where no relevant legislation currently exists, but as per any cross-jurisdictional cooperation, progress may be slow.

Some of the more hotly contested matters in response to the Issues Paper were whether changes should be made to the exceptions and exemptions contained in the Act. Under current law, the APPs do not generally apply to small business operators and political parties, to media organisations engaging in journalism, or to the manner in which employers hold, use and disclose information contained in employee records. The Discussion Paper ‘does not put forward reform proposals’ in relation to these exemptions at this stage, ‘as it is necessary to seek further feedback in light of the Proposals outlined’ for other parts of the Act.

Matters raised by the earlier Issues Paper which now appear to have been left aside include:

  • proposals to more closely align with the EU GDPR, or to make amendments to the Act with a view to specifically seeking a decision from the European Commission that our law provides ‘adequate’ protection for foreign transfers of data under the GDPR;
  • issues associated with Internet of Things (IoT) devices as a standalone category;
  • making any significant changes to the ‘permitted health situations’ or ‘permitted general situations’ which provide exceptions to certain parts of the APPs.

Submissions in response to the Discussion Paper are due by 10 January 2022.

Private Member’s Bills

Monday 25 October 2021 also saw two private members introduce their own legislative proposals for reforms around privacy or social networking platforms.

Greens leader Adam Bandt put forward the Privacy (COVID Check-in Data) Bill, which would ‘introduce a ban on using COVID-19 check-in data for enforcement related activity purposes by preventing Commonwealth, State or Territory authorities from using or providing COVID-19 check in data for law enforcement purposes’.

Nationals backbencher Anne Webster put forward the Social Media (Basic Expectations and Defamation) Bill, under which social media ‘service providers can be liable for defamation if that service provider is issued with a defamation notice by the [e-Safety] Commissioner and the defamatory material is not removed within 48 hours’.

While the likelihood of either Bill becoming law is relatively slim, they show a growing interest in these kinds of issues, far beyond mere academic considerations. Given that both Bills deal with matters traditionally regulated at a State level, the interaction between those two layers of regulation would need to be carefully considered if either Bill were to further progress.

SA Bill

The South Australian Civil Liability (Serious Invasions of Privacy) Bill 2021 proposes to introduce a new cause of action for serious invasions of privacy, following a recommendation from the South Australian Law Reform Institute.

If passed, the SA Bill would allow an individual to bring legal action where there had been ‘a serious intrusion into their seclusion/privacy or a serious misuse of their private information’.

To establish a cause of action under the law, a person would need to establish that:

  • there was ‘a reasonable expectation of privacy’;
  • the invasion of privacy was ‘serious’; and
  • the conduct was undertaken intentionally.

Exceptions would apply for journalists who follow relevant professional conduct standards, or where the public interest outweighs the privacy concerns. Defences inspired by some of those in defamation law would also exist.

Feedback in response to the SA Bill is due by 26 November 2021.

Our privacy law team is able to assist in advising clients on how best to meet their obligations under the Privacy Act and APPs, and the impact of these new proposals.

This article was written by Luke Dale, Partner, Peter Campbell, Partner, Daniel Kiley, Special Counsel, and Caitlin Surman, Senior Associate.

[1] In some contexts this distinction may already be indirectly relevant. For example, where an entity is required to take reasonable steps to protect personal information, such steps may need to be more robust where large volumes of personal information about minors are involved.
