What will Australia’s privacy laws look like after an overhaul?

In an age where smart devices and apps are tracking our every move, privacy is an ever-changing concept. ADMA explains the federal government's privacy law review which may change Australian legislation in 2021.

The desire for smartphone conveniences like maps, search, social media and fitness tracking apps have turned us into data-creation machines and raised the complex issue of what privacy means when we willingly consent to surveillance. 

That’s why Australia’s 1988 Privacy Act is under review, with the aim of giving Australia the opportunity to participate in the international digital economy without putting citizens’ privacy in jeopardy.

As part of the federal government and ACCC Digital Platforms Inquiry, it’s been recommended Australia update its privacy legislation to clarify the murky complexity of data use across international borders and empower citizens to protect - and potentially delete - personal information held by businesses.

The Issues Paper released as part of the review will examine:

• Personal information: what is it and how should it be collected, used and disclosed.

• Good privacy practices: what type of consent, notification and erasure of personal information should be legislated.

• Australian data flowing overseas: how can we protect Australian data from international platforms who are able to use conflicting laws and codes in other countries to their advantage. The review paper mentions it will look into an independent certification scheme to monitor compliance with Australian privacy laws. Equally, a new privacy framework must allow for the free, yet responsible, flow of information.

• Individual rights over information: should people have direct rights of action to enforce obligations under the Privacy Act?

• Stronger statutory torts for serious privacy invasions: do our laws need more teeth?

• The notifiable data breach scheme: how effective is it at meeting its objectives?

This review is not a surprise - but it might surprise business

This review has been expected since the federal government announced in March 2019 to increase penalties under the Privacy Act and develop a binding code for digital platforms trading in personal information.

The Attorney-General’s Department is conducting the review, which is also in line with recommendations from the Digital Platforms Inquiry and the Australian Law Reform Commission (ALRC) reports from 2008 and 2014.

Attorney-General Christian Porter says, “Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored.”

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

The OAIC – whose purpose is to promote and uphold privacy – will be consulted as part of the process and has welcomed the review, stating there are four key elements to privacy regulation, including:

• Global interoperability: Australia needs to remain part of the international digital economy with quality laws that allow innovation and growth to happen hand-in-hand with protection.

• Privacy self-management: Citizens need to have more power, understanding and ability to maintain privacy.

• Organisational accountability: Businesses need to take on more responsibility for privacy and information security

• A contemporary approach: Use modern tools and technology to meet community expectations.

The Issues Paper will take submissions until November 29, 2020, and there are plans to:

1. Release a second Issues paper in 2021 detailing preliminary outcomes and reform options.

2. Liaise with stakeholders face-to-face, subject to COVID-19 restrictions.

What are the likely outcomes, in ADMA’s view?

The Privacy Act currently applies to businesses and not-for-profits turning over more than $3m a year, as well as other small businesses that use sensitive information (for example, health businesses).

It already incorporates 13 Australian Privacy Principles (also called APPs).

ADMA believes it’s likely that this review will result in substantial changes to privacy in Australia. Reforms could include:

• Stricter requirements to obtain consent from citizens.

• Defining ‘personal information’ to include technical data and online identifiers.

• Additional protections for de-identified information.

• Enhancing the OAIC’s enforcement powers and further rights for individuals.

If all potential changes are implemented, many data-driven marketing businesses may have to reconsider the specific privacy frameworks incorporated in their business, including:

• The personal information they want to collect and store.

• How they define personal information and allow consent.

• The notification mechanisms for collecting, using, managing and disclosing personal information.

• Incorporating required technical and infrastructure changes into operations.

ADMA recommends members follow the developments of this legislation closely and prepare to make changes as new laws are introduced. There is no doubt reform is coming and that will mean ensuring your business is ready to implement new requirements.