The Privacy Series: The Time is Now

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

The time is now

After years of consultation on legislative reform of the Privacy Act, part of which was a series of Proposals presented to and responded to by Government, followed by months of anticipation of when the amendments would be introduced to Parliament, the time has – in part – finally arrived.

On Thursday 12 September 2024, Attorney General Mark Dreyfus introduced a ‘slimmed down’ version of the Privacy and Other Legislation Amendment Bill 2024 (the Bill) to the House of Representatives as an ‘opening tranche’ for privacy reform. The Bill implements a first tranche of agreed recommendations from the Privacy Act review.

Modernising legislation first created in the late 1980s for the current digital landscape and beyond comes with insurmountable complexity. Technology has developed in leaps and bounds, as have consumer expectations, commercial practices, and society in general. This makes it unsurprising that privacy reform will be delivered in multiple waves.

While the inclusions of the opening tranche were not what was widely expected, this is telling of the reform complexities and of the Government’s willingness to work with industry to ensure the reforms work for both consumers and businesses moving forward.

So, without mention of third-party data practices, an expanded definition of personal information, or the introduction of the Fair and Reasonable Test, what has initiated privacy reform in Australia?
Below we will explore what has been included in the first tranche, what to likely expect in the second tranche, and what marketers should already be actioning and preparing for now.

What has been included?

The first tranche of agreed recommendations from the Privacy Act Review in this ‘slimmed down’ version of the Bill includes:

> Criminal Offences to outlaw Doxxing

Doxxing is the act of publishing information about an individual that is private or identifying without their consent and often with malicious intent, such as for harassment or revenge purposes. Given this, the Bill has introduced new criminal offences to outlaw doxxing. Perpetrators will now risk a maximum penalty of six years' imprisonment for doxxing, or seven years' imprisonment when targeted because of race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.

> A new statutory tort to address serious invasion of privacy

In the legal world, the introduction of a new statutory tort to address serious invasion of privacy is a long-awaited one, though it may be regarded as less relevant for the day-to-day operations of marketers. In short, it aims to address invasions of privacy as a result of conducting our lives online, such as through smartphones, that do not fall under the category of doxxing. The tort will cover both intrusions on physical privacy as well as the misuse of information where there is a reasonable expectation of privacy.

> Responding to large data breaches

As we’ve witnessed lately with the multitude of large cyber-attacks that have occurred, coordinating a response to large-scale attacks can be challenging, particularly when multiple entities are involved. As such, the Bill will now allow for limited sharing and handling of personal information between certain entities in the case of an emergency or eligible data breach.
The safeguards that apply include that sharing of information must only be for the purpose of preventing or reducing harm to individuals.

> Stronger enforcement powers for Office of the Australian Information Commissioner

The Bill will impose stronger enforcement powers and a tiered penalty structure for the Office of the Australian Information Commissioner (OAIC). The new tiered penalty structure is designed to capture a broader range of contraventions of the Privacy Act. This is a significant shift away from the existing practice of only penalising practices that constitute a ‘serious’ or ‘repeated’ interference with the privacy of individuals.

If approved, the tiered approach will allow the OAIC to issue civil penalties and infringement notices, without the need to issue proceedings, for breaches of select Australian Privacy Principles (APPs) which are not considered serious. Examples include APP 1.3 (the requirement to have a privacy policy), or APP 7.2(c) or 7.3(c) (failing to provide a simple means for individuals to opt out of direct marketing).

> Children’s Online Privacy Code

Specifically defining children as any person under the age of 18 years will be a first for the Privacy Act. The development of a Children’s Online Privacy Code aims to clarify and enhance how relevant APPs would apply to children’s online privacy. By codifying protections, the right to privacy of a child is strengthened via specific enforceable obligations in the handling of children’s personal information. This will better protect children from a range of online harms and forms part of a broader movement for greater governance and regulation in this area.

This is a key component impacting industry in this first tranche of the Bill that should prompt marketers to either immediately start or continue their preparation for full privacy reform and tranche two.
> Automated Decision Making

Automated Decision Making (ADM), as the phrase would suggest, involves systems being used to assist or replace the judgement of human decision makers. Decision-making by automated means using data, computers/machines and algorithms is becoming more commonly adopted by businesses in an array of different contexts. These decisions can be based on factual or inferred data, or digitally created profiles.

As part of privacy reform, the new Bill has included the requirement of greater transparency and certainty surrounding the handling of personal information of individuals regarding ADM. To achieve this, an organisation’s privacy policy will now need to explain the types of personal information used and types of decisions made by computer programs/ADM systems which could ‘reasonably be expected to significantly affect the rights or interests of an individual’.

On face value, it appears to be a relatively easy component for businesses to implement: simply add a few explanatory lines into your privacy policy around your use of ADM to be compliant. However, arguably this has an immense ripple effect on data practices and flows into the likely inclusions in tranche two which marketers should currently be preparing for.

To fulfill the required transparency around ADM, marketers need to be clear about how the data they collect, intend to use and disclose is categorised, when and how personal information is collected, whether they have the right consents and the reason for which they hold onto such data both now and in the future. This requires marketers to shift their thinking and be more proactive rather than reactive when it comes to data.
Sarla Fernando, ADMA’s Director of Regulatory and Advocacy, has said “More transparency upfront about automated decision-making (ADM) is in line with ADMA’s approach to getting marketers to firstly understand the data they currently hold and then rethink their collection, use, disclosure, and management of data earlier in their campaign strategy and thinking. The inclusion of these proposals in this first stage of privacy reform is consistent with data minimisation, which is core to best practice in data management and handling. This is ultimately what customers are expecting”.

What is still to come?

The expected amendments that industry have been preparing for are still on their way in tranche two. For the Act to be ‘fit for purpose’ in the digital age, undeniably the scope needs to broaden. This means we will likely still see an expanded definition of personal information and (hopefully after further consultation with industry) the possible introduction of new definitions for ‘direct marketing’, ‘targeting’, ‘targeted advertising’, and ‘trading’. We’ll also likely see changing categorisation of de-identified information, sensitive information and location data.

Then, regarding the pioneering Fair and Reasonable Test, this is still expected as part of full privacy reform given the favourable response by Government and industry. Other likely changes include consent and notices becoming more transparent and easier for consumers to navigate.

Finally, there is the removal of the existing exemptions. To any SME with an annual turnover of less than $3 million that is currently exempt from the Privacy Act: be forewarned. The existing exemption could still be removed and, given the Act has not been enforceable for data practices by SMEs with an annual turnover of less than $3 million, full compliance will likely demand a vast amount of preparation and operational changes.

What can marketers do now to prepare for tranche two?
If your business has been stagnant in preparing for the changes, this opening tranche should drive action. As an industry we have known this is coming and, while the first tranche has not included what we expected it to, there is a need for data practices to be improved to meet both international standards and consumer expectations. The road to best practice for data handling must start immediately to ensure compliance when the new legislation is enacted.

The timeline is now irrelevant. Privacy reform has started and full privacy reform will eventuate. Proactively preparing for this now will not only better position your business operationally in the future, it will also send a clear message to your customers about your commitment to their privacy and trust. So, what can marketers do now to prepare for tranche two and inevitably full privacy reform?

For starters, to address the inclusion of greater transparency for individuals regarding ADM, we’ll address the ripple effect this will have on data practices as mentioned above. To satisfy transparency relating to ADM, an organisation’s privacy policy will need to outline the kind of personal information used and types of decisions made by computer programs which could ‘reasonably be expected to significantly affect the rights or interests of an individual’. The only way to effectively do this is to address your data and apply the expanded definition of personal information, whilst also considering the changing categorisation of de-identified information, sensitive information and location data.

Why? If at any stage a program applies ADM to a customer journey and their rights or interests are significantly impacted by these decisions, you will have breached the Act. This is particularly serious if the data collected and used is considered to be ‘sensitive’, as explicit consent would have needed to be obtained.
Conducting a data audit, in which you assess the data you collect, use and hold to determine the data you solely need to operate, resulting in data minimisation, will assist in both satisfying ADM transparency requirements and the proposals expected in tranche two.

As part of a data audit to prepare, businesses should also review their current notice and consent to ensure these are in line with new expectations. They need to be transparent, easy to navigate and simple for customers to opt in and opt out of at any time. This will likely require a review of current systems so that businesses are privacy-designed operationally.

Continue to reduce levels of third-party data and aim for first-party data collection as the preference, while also preparing for possible changes in direct marketing and targeting.

To take proactivity one step further, look to strengthen data breach notification plans. Like an insurance policy, it is hopefully something that is never needed. However, should the situation arise, being armed and ready to swiftly respond will not only help appease impacted customers, it will also ensure the 72-hour notice period likely to be imposed is achieved.

Finally, be sure to also stay engaged in the conversation. Privacy reforms are here, privacy reforms are ongoing, and the marketing industry’s voice is crucial in these developments. Whether the full reforms are next week, next month or next year, being prepared and on the front foot is the only position you want your business to be in.