The time has come for the Privacy Act Review Discussion

Nearly two years after first announcing the need for the Privacy Review in response to the Australian Competition and Consumer Commission (ACCC) Digital Platforms Final Report, and almost a year since their release of the Issues Paper that kickstarted the actual Review of the Privacy Act (1988), the Attorney-General’s Department (AGD)  has released its Discussion Paper and the 200+ page document is filled with potential reforms of the Privacy Act.

In this round of consultation, the Government is seeking feedback over the next three months. While this may seem like a long time to gather your thoughts – there is a LOT to consider specifically:

1. The Scope and Application of the Act, including Objects of the Act, Definition of Personal Information and Flexibility of the Australian Privacy Principles (APPs)

2. Protections, specifically Notice, Consent, Additional Protections, Restricted and prohibited acts and practices, Pro-privacy default settings, Children and vulnerable individuals, Right to object and portability, the right to erasure of personal information, Direct marketing, targeted advertising and profiling, Automated decision-making, Accessing and correcting personal information, security and destruction of personal information, organisational accountability, overseas data flows and cross border privacy rules and domestic certification.

3. Regulation and Enforcement, focusing on Enforcement, A Direct right of Action, A statutory tort of privacy, the notifiable data breaches scheme and interactions with other schemes.

The paper is a comprehensive outline on key issues and includes feedback the AGD received from the 200 submissions (including ADMA’s)  in response to the Issues Paper released at the end of October last year. The Discussion Paper includes a number of potential areas of reform which the government is now considering.

At first glance there aren’t too many surprises contained in the Discussion Paper as many of the suggested reforms mirror the recommendations from the ACCC Digital Platforms Inquiry.

As expected the suggested Privacy Act reforms looks at broadening the definition of 'personal information' – after-all, as stated in the Discussion Paper, the definition of ‘personal information’ and 'de-identified’ determines the scope of the Act and even though the definition was always intended to be expansive, in today's digitally led environment it somehow fails to properly and clearly identify how it applies to ‘technical information’. So, a revisit of this integral definition is both timely and necessary. Unsurprisingly, the Discussion paper looks into express consent and notice – two elements that are the cornerstones of privacy regimes around the world and is also what sets the framework of compliance as we know it right now in Australia. Interestingly, many of the 200 submissions sought to have the laws focus more on the collection, use and disclosure of personal information over that of consent and notice. Whatever direction Australia takes, the key will be in the drafting of the reforms and the impact it will have on an APP entity and the way in which it operates.

And this is just the beginning of the changes to come. ADMA will review the Discussion Paper and will keep its Members updated in the coming weeks. There will be discussions with industry and Privacy experts giving you their take on the suggested reforms.

The Government is inviting submissions in response to the proposals and questions in the Discussion Paper by 10 January 2022 via the AGD website or by email to [email protected].

And that’s not all that was released Monday…

To further protect Australians, online, and ensure that Australia’s privacy laws remain fit for purpose in the digital age, the Morrison Government on Monday also announced landmark privacy legislation with the Attorney-General’s Department releasing an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021.

Essentially this is a Bill for an Act to amend the law in relation to privacy. The Regulation Impact Statement outlines that ‘Government action is needed to ensure the Privacy Act provides adequate protection for Australians using social media platforms and other online platforms that collect a high volume of personal information of trade in personal information’.

"The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy," the Federal Government wrote in the Bill's explanatory paper.

Under current legislation, the Federal Government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a Credit Reporting Code.

The OP Bill seeks to expand the Privacy Act to allow government to create a third code specifically for regulating the following three classes of organisations (OP Organisations) : Social media platforms, data brokers, and other large online platforms operating in Australia (with more than 2.5 million users).

The key proposal of the OP code is that it seeks to make it mandatory for social media organisations to verify users' age; obtain parental or guardian consent of a child who is under 16 years old before collecting, using, or disclosing personal information of that child; and prioritise acting in the best interests of children in their approach to handling data.

According to the exposure draft of the Bill, social media platforms that would fall within the scope include platforms such as Facebook, dating applications such as Bumble, online content services such as OnlyFans, Online blogging and forum sites such as Reddit, online messaging and video conferencing platforms such as WhatsApp and Zoom and gaming platforms that enable end-users to chat with each other.

The net is wide but is ‘not intended to capture organisations that enable online communications/ interactions/ content sharing ‘as an additional feature’. The OP code will have stricter requirements for how social media platforms handle children's data and the reason these requirements are only for the social media class of OP organisations is that “they pose a greater risk to children are higher than those presented by data brokers or large online platforms”, the government said.

The OP code will also apply to Data brokerage organisations, ie those that collect personal information from an individual via an electronic service other than a social media service or those that collect the personal information for the sole or primary purpose of disclosing the personal information. Examples of businesses that would be included in this category include Quantium, Acxiom, Experian and Nielson Corporation.

The last category that the OP Code will focus on are ‘large online platforms’. This category includes organisations that provide electronic services and have over 2.5 million end-users in Australia. Major tech companies such as Apple, Google and Amazon as well as media sharing platforms like Spotify will be OP entities that are required to follow the new Code.

Interestingly the explanatory paper makes it clear that organisations that collect personal information as part of Customer loyalty schemes are exempt from this last category, as Customer loyalty schemes will be  considered as part of the Privacy Act Review.

The OP Code will address how all ‘OP Organisations’ will apply and comply with certain existing Australian Privacy Principles (APPs) relating to privacy policies, consent and notice requirements.

The OC Code will also include new requirements such as OP Organisations ensuring that they have measures in place that ensure that upon request of the individual, their personal information is not  used or disclosed. The explanatory paper makes it clear that this requirement is not intended to amount to a ‘right to erasure’ of the personal information though.

Part B of the Online Privacy Bill outlines the Government’s intention to implement stronger penalties for organisations that breach user privacy. It is suggested that any breach of the code could potentially result in a fine worth 10% of an organisation's domestic annual turnover, three times the value of the benefit obtained from the conduct or a AU$10 million fine.  This proposed AU$10 million fine would be an increase from the current maximum penalty of AU$2.22 million.

The penalties are reflective of the structure used in the GDPR but takes a more local approach (the GDPR fine is based on ‘global annual turnover’ or up to €10 million – whichever is greater).

The Bill is intended to strengthen the Commissioner’s enforcement functions by (amongst other things) creating a new criminal penalty for multiple instances of non-compliance.

To enable the OAIC to resolve matters more efficiently, an infringement notice provision will be created to supplement a civil penalty provision to provide an alternative means of resolving these matters without needing to resort to the prosecution of a criminal offence or litigation of a civil matter. This should incentivise organisations to co-operate in a more timely manner when responding to a request for more information or the provision of documents that are relevant to an investigation.

The Bill would also provide the Commissioner with the ability to share information with the eSafety Commissioner as the Bill would specify the eSafety Commissioner as an ‘alternative complaint body’. This is necessary to allow information sharing in the event of overlap complaints such as cyber bullying, cyber abuse and image-based abuse complaints.

The Bill would also enhance the Commissioner’s capacity to conduct assessments of regulated entities to ensure they are handling information in accordance with legislation.

In addressing the way in which the Code would operate with other existing legislation, The Bill will also make other amendments to the Privacy Act to support the operation of the OP Code and to ensure it operates in the same general way as APP codes. The Bill will provide that if an entity is subject to both the OP code and an APP Code, the OP Code will prevail to the extent of any inconsistency between the two codes.

However, in the case where an entity is subject to both the OP Code and the Consumer Data Right regime (under the Competition and Consumer Act 2010), the Consumer Data Right rules will prevail to the extent of any inconsistency between the two codes. This provision has been included to ensure that the strict rules specific to the Consumer Data Right regime continue to apply.

The government is inviting submissions on the Online Privacy Bill and consultation Regulation Impact Statement by 6 December 2021.

Submissions and feedback received will be used by the government to shape the development of the Online Privacy Bill before it is introduced to Parliament.

Andrea Martens, CEO ADMA states that, “ADMA will review the documents in these two very important consultations in order to provide a response and will update members in the coming weeks with information sessions, articles and the results of discussions with industry and privacy experts. ADMA looks forward to contributing to these historic consultations as the representative of the data driven marketing and advertising industry."

ADMA is an advocate of responsible, fair and transparent practices in data driven marketing and believes that in this transforming regulatory landscape, this Review of the Privacy Act is the most important opportunity to provide an improved framework that will empower responsible organisations to further build Consumer Trust in the digitally led world we live in. This is key to both the continued success and future proofing of the digital economy. 

"ADMA encourages its members to become involved in the conversation and develop their own submissions where appropriate.” stated Martens.