Major privacy reforms likely in 2024

The Federal Government has recently taken further steps towards major privacy reforms which are likely to be introduced in 2024. In late 2022, we discussed reforms to the Privacy Act 1988 (Cth) that have already taken effect, and in February 2023 we addressed the release of the Attorney-General’s Privacy Act Review Report (Report) intended to modernise and strengthen privacy regulation in Australia. The Government has now provided its formal response to the Attorney-General’s Report indicating its priorities for privacy reform.

Key Government priorities for privacy reform

There are 38 Report Proposals with which the Government has ‘agreed’. These are likely to be implemented quickly and include:

  • the creation of a new criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit;
  • the introduction of a mechanism to prescribe countries that have similar privacy protections to Australia. The requirements for the transfer of information overseas will be relaxed in relation to these countries;
  • a requirement for businesses engaging in high risk activities (biometrics, facial recognition, AI) to undertake auditable Privacy Impact Assessments;
  • organisations conducting research in the public interest will be able to rely on ‘broad consent’ in research contexts;
  • the introduction of a Children’s Online Privacy Code for all under 18s which is aligned with international approaches, including the UK’s Age-Appropriate Design Code;
  • a requirement for company privacy policies to describe the type of information used in any automated decision-making processes where the outcome could have a legal or significant effect on an individual’s rights. Individuals will have the right to request further information about how automated decision-making processes function;
  • clarification that reasonable steps to secure personal information must include both technical and organisational measures;
  • an increase to the enforcement powers under the Act, including the Information Commissioner’s ability to undertake public enquiries. The Federal Court and Family Court will be able to make any order they see fit after a civil penalty provision regarding privacy has been triggered; and
  • the creation of tiers of civil penalty provisions based on the seriousness of privacy offences. The nature of a ‘serious’ offence will be clarified.

Proposals subject to further consultation

The Government also gave ‘in principle’ agreement to 68 Proposals, meaning further engagement and impact analysis is required. Notable proposals in this category include:

  • extending the operation of the Privacy Act to small businesses that are currently exempt (those with an annual turnover of $3 million or less);
  • expanding the concept of ‘Personal Information’ to include technical and inferred information (such as IP addresses and device identifiers) and requiring consent for the collection of precise geolocation tracking data over time;
  • requiring online privacy settings to reflect the ‘privacy-by-default’ framework of the Privacy Act;
  • prohibiting targeted marketing that uses sensitive information unless there is ‘socially beneficial content’;
  • introducing a distinction between ‘controllers’ and ‘processors’ of personal information to reflect the operational reality of modern business relationships and to reduce the compliance burden for entities acting as ‘processors’;
  • increasing notification obligations on APP entities transferring information to countries that are not prescribed;
  • creating a direct right of action by individuals to apply to the courts for relief in relation to an interference with privacy. A statutory tort for a serious invasion of privacy will be created; and
  • introducing enhanced protection requirements for Employee Records, currently exempt from the Privacy Act.

The Privacy Act Review Report is designed to complement the Digital ID system, the 2023-2030 Australian Cyber Security Strategy (22 November 2023), the National Strategy for Identity Resilience (10 August 2023), and the consultation paper Supporting Responsible AI in Australia to which the Government provided its interim response on 17 January 2024.

What do you need to do?

Although the above proposals are not yet law, it is likely that some or all of them will be introduced soon. Before the amendments come into effect, you need to ensure your business is prepared for changes to the Privacy Act, including by having strong data security and management processes in place. If your business uses automated decision-making, biometric information or facial recognition technology, you should ensure your data protection procedures meet Australian Standards in both technical and organisational contexts. Privacy policies must also be up to date and should include your information retention periods. Different periods for different categories of information are encouraged and must fit your organisation’s needs. If you do not already have a comprehensive privacy impact assessment process suitable for audit by the OAIC, that should also be considered.

Small businesses that do not currently have Privacy Act compliance measures in place should seek further advice, though we note that the small business exemption will not be removed until the Government has completed its consultation and analysis, appropriate supports are developed and the sector is deemed ready for the transition.

We will provide updates as the Report’s proposals are implemented by the Government.

More information

If you would like more information about this article, please contact:

Kathryn Speed
Principal
M: 0408 446 013
E: kspeed@pageseager.com.au

Rachel Hopkins
Senior Associate
T: (03) 6235 5195
E: rhopkins@pageseager.com.au

Published: 22 February 2024
