On 25 Oct., the Australian government released a discussion paper crammed full of proposals to amend the national privacy law.
The background
Federal privacy law in Australia dates back to 1988, when the Privacy Act was first introduced to regulate federal public sector agencies. That law was born from a proposal to introduce a national identity card, which was ultimately dropped by the Australian government due to public opposition amidst a growing demand for privacy laws to rein in the powers of bureaucrats.
For the first decade or so, the Privacy Act only regulated government agencies, but it was reformed in 2000 to extend its scope to much of the private sector. (Public sector agencies at the state, territory and local government levels are instead regulated by a patchwork of state and territory privacy laws.) Further updates were made in 2014 and 2018 to streamline the act’s privacy principles and introduce a data breach notification scheme.
However, the explosion of growth in digital technologies, social media platforms and the Internet of Things all pointed to the need for privacy law to keep up with the challenges posed to individual privacy by new technologies. In 2019, the national consumer protection and trade practices regulator, the Australian Competition and Consumer Commission, published the final report from its Digital Platforms Inquiry, which considered the behavior of the major platforms such as Facebook and Google. The ACCC’s report highlighted risks for both consumers and businesses from the business models followed by Big Tech companies, which primarily rely on the collection and analysis of consumer data as the source of their wealth and power. Among their other recommendations, the ACCC suggested the Australian government conduct a review into whether the Privacy Act remains fit for purpose in this digital age. (A separate process is also considering an industry-led code to regulate social media and online platforms.)
In late 2019 the government agreed to review and reform the Privacy Act, which led to an issues paper released in October 2020. That issues paper called for submissions on whether the Privacy Act and its enforcement mechanisms remain fit for purpose.
Twelve months and 200 submissions later, the Attorney General’s Department released a discussion paper containing both specific proposals and less settled options for reform, clustered around 28 topics.
At 217 pages long it’s not a quick read, so here are the highlights.
The proposals in the discussion paper
Not surprisingly, given the European Parliament moving on ad tech, Google phasing out third party cookies and wave after wave of public revelations about the toxic impact of Facebook’s activities, the discussion paper has much to say about digital harms, targeted advertising, personalized content and the role of online identifiers.
First, the discussion paper proposes a re-drafting of the threshold definition of “personal information” so that it explicitly recognizes and includes online identifiers and technical data, and encompasses the use of data with individuated effects. By moving closer to the EU General Data Protection Regulation’s model, which includes online identifiers, indirect identification and the notion of “singling out,” this proposal alone will help strengthen and modernize Australia’s privacy laws.
Second, there is an intention to reduce reliance on the “notice and consent” self-management model of privacy regulation in favor of stricter limits on collection, use and disclosure. With another proposal likely to gain plenty of attention, the discussion paper proposes a “fair and reasonable” test to be applied to collection, use and disclosure, on top of existing rules around collection necessity and purpose limitation.
Third, consent. While moving away from requiring consent for routine activities, consent will remain as an option for authorizing some types of information-handling practices. The discussion paper proposes tightening the legal tests for what constitutes a valid consent by building into the legislation what has, to date, been guidance from the privacy regulator, the Office of the Australian Information Commissioner: Consent must be voluntary, informed, specific and current, and requires an “unambiguous indication through clear action.” Combined with another proposal, which is to require “pro-privacy defaults” when choices are offered to users, these proposals should spell the end of companies using dark patterns to trick people into sharing their personal information and then claiming “consent” as their lawful basis for collection, use or disclosure.
Fourth, the discussion paper proposes to abolish an existing rule about using or disclosing personal information for direct marketing (Australian Privacy Principle 7) in favor of applying the same standards as for other activities. But then direct marketing is mentioned again elsewhere, which leads us to the next significant proposal.
Without yet landing on a firm model, the discussion paper suggests some options for regulating how organizations deal with scenarios that inherently pose a higher privacy risk. The Privacy Act currently sets some slightly tougher tests for handling certain categories of data known as “sensitive information,” such as information about an individual’s health or disability, ethnicity, religion and sexuality. However, the discussion paper seeks to broaden out this idea to a notion of restricted acts, to which higher standards will apply. What is potentially within scope includes not just the handling of sensitive information but also additional types of data, such as location data or information about children, and particular types of practices, such as direct marketing and automated decision-making with legal or significant effects. The discussion paper also asks for further submissions on whether the best way to regulate these types of higher-risk practices is by self-management (i.e. requiring individuals to consent) or by risk management (i.e. requiring organizations to conduct privacy impact assessments or take other steps to identify and mitigate the risks posed by their practices).
GDPR equivalence?
One of the themes running through this review process is the need to ensure the Privacy Act is brought closer in line with the GDPR in the hope that Australia could finally secure an adequacy decision from the European Commission, which would open up more possibilities for trade in personal information. To date, an adequacy ruling has escaped Australia, primarily because of a number of carve-outs from the Privacy Act’s coverage of the private sector, including exemptions for small businesses, employee records, political parties and media organizations. Yet the discussion paper has not directly proposed removing these carve-outs; instead, it raises a number of issues and options, and calls for yet more submissions on the pros and cons of abolishing the four exemptions. So expect to see significant debate, with further pushback from organizations currently benefitting from the exemptions.
Also showing evidence of looking to other jurisdictions for influence and ideas, the discussion paper proposes some GDPR-type individual rights, such as the right to erasure and the right to object. The government has also flagged its intention to significantly increase penalties for breaches of the Privacy Act to levels closer to the GDPR, by moving on penalties ahead of the rest of the review, with a bill out for public consultation.
Finally, the discussion paper has thrown out a few different models to improve access to justice, including consideration of a statutory tort of privacy (though without yet committing to a particular model, if any), and/or a direct right of action for individuals with a complaint about a breach of a privacy principle. At present complainants can only approach the OAIC, whose backlog of complaints creates delays and operates as a barrier to resolution. The ability to take a complaint to a court with the power to order compensation — as happens now under some state privacy laws — could see a meaningful improvement in access to justice for those individuals keen to have their day in court.
Next steps
Submissions on the discussion paper are due in January 2022, and the next step will likely be a reform bill later next year.
2022 will no doubt bring plenty of robust discussion about the shape of privacy regulation in Australia, as we attempt to drag our legislation into a more contemporary shape to reflect the realities of the digital economy.
Photo by Ian Chen on Unsplash
