CEO Update: Things are moving quickly in Australian privacy law.
In this post, I’ll seek to unpack some of the very rapid and very broad movements in the Australian privacy law space. It’s an area we should all be following with interest.
You may already know that the Privacy Legislation Amendment Bill 2022 passed both Houses of Parliament at the end of last year. This bill significantly increased breach penalties and the enforcement powers of the Office of the Australian Information Commissioner (OAIC). Those changes, however, still sit on top of the scope, principles and frameworks of the existing Privacy Act 1988.
The focus of the government then moved quickly onto a wholesale review of the scope, principles and frameworks of the Privacy Act 1988 itself, with a view to making recommendations that bring the Act up to speed with present-day challenges, risks and threats.
This review has recently been completed and the Attorney-General has released the “Privacy Act Review Report”. The report recommends expansive reforms to the Privacy Act 1988, all with a view to improving privacy outcomes for Australians.
Comments from the Attorney-General’s department capture the intent…
“The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.”
It’s a very extensive report, with 116 recommendations, based on 30 “Key themes and proposals”. Today, I’ll offer a helicopter summary of the key recommendations and proposals:
- The Report has recommended expanding the definition of ‘personal information’ to include inferred information (such as predictions of behaviour or personal preferences) and technical information (such as location data or IP addresses).
- The Report has recommended that the Act be extended to small businesses handling personal information, which are currently exempt. It also recommends further consultation to determine whether protections for employee record information should be implemented in updated privacy legislation (or possibly elsewhere, such as the Fair Work Act).
Collection, use and disclosure of P.I.
- Stronger notice requirements for businesses when they collect personal information that may be used or disclosed in a high-risk way.
- A new ‘fair and reasonable’ test, to be defined and used to determine whether the collection, use and disclosure of personal information is necessary for an entity’s normal and reasonable functioning.
- The Report recommends that the OAIC develop guidance on how online services should design consent requests. This guidance would set out specific processes, words or icons that could be used to obtain consent in an acceptable manner.
- The Report recommends broad updates to the way businesses would be able to disclose personal information to overseas entities. The recommendations appear to adopt ideas from the overseas transfer regime of the General Data Protection Regulation (GDPR).
Rights of an Individual
The Report proposes a number of new rights for individuals in relation to personal information about them.
- Expanding individuals’ rights to access personal information about them, together with an explanation of how it was obtained and how it is used.
- An individual’s right to object to the collection, use and/or disclosure of their information.
- An individual’s right to have their personal information erased by a business that has custody of it.
NB: The proposed right to erasure is certainly the most significant of these new individual powers.
New cybersecurity measures
- In line with calls from industry, it is recommended that greater clarity be provided around the ‘reasonable steps’, both technical and organisational, that organisations can take to protect personal information from malicious actors.
- Recommendations have also been made with respect to data retention. These aim to instil in organisations a mindset of deleting personal information once it is no longer reasonably required or used.
- The Report recommends a new 72-hour deadline for APP entities to notify the OAIC of any notifiable data breach, another alignment with the GDPR.
Regulation and enforcement
The Report also considers some significant strengthening of regulation and enforcement. In summary:
- A new direct right of action for individuals.
- New civil penalties.
- Significantly increased regulatory powers for the OAIC, and a much greater overall focus and involvement of the regulator.
- A statutory tort for serious invasions of privacy.
- Widened Federal Court powers.
So all in all, there are a lot of moving parts and a lot of potential regulatory changes coming down the line after the Review Report. These will likely have a wide range of implications for businesses of all shapes and sizes doing business in Australia and with Australians. A public consultation process is currently underway and closes on March 31. From there, recent commentary has suggested that a reform Bill could well be brought to parliament in this term of government, i.e. sometime later in 2023 or 2024.
Given how often the Review Report finds parallels with Europe’s GDPR, we think that is a good place to start when thinking through the possible outcomes of new legislation. A big part of that is the knowledge and duty of care required of businesses: knowing, and carefully considering, who they share personal information with.
That is why, as custodians of our customers’ data, we here at Known | Burst SMS | Conversr continue to invest heavily in our security and privacy posture, both at a technical and operational level and through security accreditations such as ISO 27001 and SOC 2 Type II.
We consider the strengthening of the regulatory landscape a positive thing for industry and consumers, and it’s our goal to be a partner of choice for customers, giving them certainty and comfort in this new world.
Thanks for joining me on this post; I hope it helped frame up a high-level understanding of the potential changes very likely coming down the line.