Privacy Act Review: Attorney-General releases plan for next steps

The Privacy Act Review has been a work in progress since 12 December 2019, initially in response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. Throughout this journey we have endeavoured to keep our community up-to-date, through our article series:

• Privacy Act Review: Children’s privacy in the spotlight
• Privacy Act Review: Key changes on the radar for NFPs
• Privacy Act Review: Schools, are you ready?
• Privacy Act Review: We have a Privacy Bill, but some promised reforms will have to wait
• Privacy Act Review: Small charities and NFPs likely to be captured
• Privacy Act Review: Coming Soon

Now we have the next step in the process: the Government Response to the Privacy Act Review which responds to the Attorney-General’s Department Report published in February 2023 and adopts 38 of the 116 recommendations. Other recommendations are agreed to “in principle”. The Government Response has narrowed proposed amendments into five categories:

1. Bring the privacy act into the digital age;
2. Uplift protections;
3. Increase clarity and simplicity for entities and individuals;
4. Improve transparency and control; and 
5. Strengthen enforcement.

We explain these categories in more detail below.

Bring the privacy act into the digital age

This means changing the scope and application of the Privacy Act 1988 (Cth) (Privacy Act) to apply to a broader range of information and entities. For example:

The Government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment.¹

However, the small business exemption will not be removed from the Privacy Act until further consultation has been undertaken and supports are afforded to small businesses to assist compliance.

Uplift protections

We’ve written previously about how privacy-by-design can help future-proof your operations for subsequent privacy breaches or data breaches. Now we have an official statement that:

The Government agrees in-principle that privacy settings for online services should reflect the ‘privacy-by-default’ framework of the Privacy Act.²

This is part of the possible amendments that collection, use and disclosure must be fair and reasonable in the circumstances, distinct from other requirements to collect or disclose such as consent. A fair and reasonable threshold for collection, use and disclosure is said to partly address “dark patterns” which are designs in systems and processes to nudge users towards consenting to more privacy intrusive practices.

An uplift in protections will likely also see more detail included in the Privacy Act as to what reasonable steps to secure personal information entail; that is, it entails both technical and organisational measures. Retention is another feature:

The Government agrees in-principle that entities should be required to establish their own maximum and minimum retention periods for personal information they hold and specify these retention periods in privacy policies.³

Some organisations will already have strict retention policies, such as schools in Victoria who are required to adhere to the Public Records Office Victoria Recordkeeping standards under Ministerial Order 1359. Another major possible change is the reduction in the notification period under the Notifiable Data Breach Scheme to 72 hours. Again, this is only agreed to “in principle” and further consultation is flagged as the next step.

Increase clarity and simplicity for entities and individuals

This includes introducing definitions of key terms, such as collection, disclosure and consent. Another key change would be the introduction of a distinction between controllers and processors of personal information. These are terms found in the European Union’s General Data Protection Regulation (GDPR); generally considered the global gold standard in privacy protections for individuals. Aligning with the GDPR is acknowledged to “reflect the operational reality of modern business relationships, and reduce the compliance burden for entities acting as processors”.⁴

To further support international trade and business, the Government agrees a mechanism should be introduced to prescribe countries with substantially similar privacy laws. This replicates the function of adequacy decisions under the GDPR.

Improve transparency and control

Australians overwhelmingly (84%) want more control over their data. While privacy policies and collection notices are intended to provide individuals with transparency, consultation revealed concerns that privacy policies and collection notices are often complex, lengthy, legalistic and vague. To address this, the Government agrees in-principle that:

• privacy notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place;
• standardised templates for privacy policies and privacy notices should be developed for voluntary adoption by entities. This could include standardised icons, layouts and phrases to better support consumers to make quick and informed decisions.
• collection notices should also specify if information is collected, used or disclosed for high privacy risk activities, how to exercise individual rights and the types of personal information that may be disclosed to overseas recipients. 

We may also see the introduction of individual rights in addition to the existing rights of access and correction. These could include the right to an explanation of how information is used and the right to require deletion (i.e., similar to the GDPR’s right to erasure). Individuals could also be given the ability to bring legal action under a statutory tort for serious invasions of privacy, which would be based on a model proposed by the Australian Law Reform Commission in 2014.⁵

Strengthen enforcement

While we saw increased penalties for serious interference with privacy introduced in 2022, there is a possibility for:

• a mid-tier civil penalty provision to address interferences with privacy which do not meet the threshold of being ‘serious’; and
• a low-level civil penalty provision for specific administrative breaches of the Privacy Act and Australian Privacy Principles. 

How we can help

There are a lot of proposed reforms, but no Bill before Parliament as yet. At this stage, we recommend organisations focus on getting their house in order to prepare for changes to the law. One place you can start is to reflect on what data you collect and where you store it. We can help with this first stage through a Privacy Audit, designed to map your information handling practices and identify areas for improvement. We can work with you to address any more specific concerns your may have to design a tailored product for your organisation. More details about how we can help with privacy and data security is here.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.

---

¹ Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 7.

² Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 9.

³ Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 10.

⁴ Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 17.

⁵ Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 21; Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123) 3 September 2014.