This year is set to be one of activity for Australian privacy law. The federal government has announced it is planning to make various amendments to the Privacy Act 1988 and will release a binding privacy code. The long-awaited Consumer Data Right is expected to go into effect in the banking sector in July, and the mandatory comprehensive credit reporting scheme is before the Senate, after having been reintroduced to the House of Representatives in late 2019. A Data Availability and Transparency Bill is also underway and is aimed at making it easier for federal government departments and agencies to share information.
Elsewhere in privacy news, based on recent actions by the regulator, we can expect increased enforcement of the Spam Act 2003, while laws relating to police and national security use of facial recognition are being debated, and existing laws on encryption backdoors and metadata retention are under parliamentary review.
Amendments to the Privacy Act and a new privacy code
It is expected the Privacy Act will be amended to increase penalties for data breaches. The government intends to introduce civil penalty provisions for violations of the Privacy Act that would see the maximum penalty for serious or repeated breaches increase from $2.1 million to the greater of $10 million, three times the value of any benefit/detriment caused by the breach or 10% of the entity’s annual turnover, up to $525 million.
The government has also affirmed its commitment to implementing a binding privacy code in 2020 that will apply to the collection and processing of personal information by social media platforms and other digital platforms. The draft legislation is expected in the coming months ahead of a public consultation period. This is to address concerns about the lack of transparency and consumers’ specific consent to data collection, use and disclosure by social media platforms.
A broader review of the Privacy Act will also be undertaken this year to assess whether the act sufficiently empowers consumers and provides for adequate protection of consumer data. This review is in response to recommendations made by the Australian Competition and Consumer Commission in its 2019 Digital Platforms Inquiry.
Consumer Data Right
The open banking Consumer Data Right will go into effect July 1. At that time, the four major banks will begin to share consumer data relating to debit and credit cards, as well as deposit and transaction accounts. Smaller banks have until July 1, 2021, to enter the CDR.
A review of the CDR Rules is also underway. Recent submissions on the role of intermediaries under the CDR are set to inform the second iteration of the rules, with financial technology being particularly critical.
The CDR is expected to be expanded to new sectors in which data portability is likely to improve efficiency, for example, the insurance and energy sectors.
Mandatory credit reporting
The National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019 is now before the Senate, having passed the House of Representatives Feb. 5. The bill establishes a mandatory comprehensive credit-reporting scheme under which credit providers would have to provide positive credit information, such as a consumer’s loan repayment history. The scheme is expected to provide significant benefits for the fintech sector.
The federal Opposition has indicated it will seek to amend the bill in the Senate by imposing requirements on banks to provide consumers with "frequent and detailed" access to their credit information, including credit scores.
Increased enforcement of the Spam Act
The chair of the Australian Communications and Media Authority has announced the authority is “actively cracking down” on breaches of the Spam Act. This comes after telecommunications company Optus received a record fine of $504,000 for continuing to send electronic commercial messages to customers who had withdrawn their consent to receive such messages by “unsubscribing” from the mailing list, a breach of the Spam Act.