Hello, privacy pros.

Australia has kicked off the long-awaited review of its Privacy Act with the attorney general's department's publication of an issues paper setting out the current law, as well as the context and scope of the review. It is seeking comments on the issues paper until 29 Nov., with a discussion paper to follow in 2021. Summaries by ZDNet and iTnews tick through a number of the potential topics where we could see a change in this comprehensive legislative review. Potential changes include expansion of the Office of the Australian Information Commissioner's enforcement powers, specific prohibitions of bundled consent, removal of the employee records exemption, and a host of other significant updates.

We will no doubt have many opportunities to discuss the specific changes being considered, but one of particular note is the small business exemption — a novelty among privacy regimes that allows Australian businesses with an annual turnover of $3 million or less (with some exceptions) to disregard the Privacy Act with impunity. In 2008, the Australian Law Reform Commission recommended the removal of the small business exemption, noting that doing so would improve privacy and that no other comparable jurisdiction (U.K., EU, New Zealand and Canada) has such an exemption. In discussing the future of the small business exemption, the attorney general's issues paper refers to the OAIC's Australian Community Attitudes to Privacy Survey 2020 that revealed 71% of respondents thought small businesses should be required to comply with the Privacy Act. 

Complying with the Privacy Act and protecting personal information could be burdensome for small businesses. The same could be said for many other statutory protections, but we still expect retailers to maintain a safe environment for their staff and the public, we expect cafes to prepare and serve food in a safe and hygienic manner, and we expect all small businesses to account for their earnings and pay their share of taxes. Does it pass the pub test to exempt pubs from the obligation to appropriately collect and protect personal information?

Speaking of pubs, the Guardian reports Uber Eats in the Australian state of Victoria has begun requiring drivers to take pictures of customers' identification to verify age for the delivery of alcohol. Uber has justified the change by explaining that the photos of the identification documents are not retained once they have been verified and their expiry and customers’ birthdate have been recorded. The OAIC is making inquiries with Uber regarding the practice, and Victoria Privacy Commissioner Sven Bluemmel has questioned the necessity for taking the pictures, noting how the collection increases the risks of inappropriate disclosures.

Elsewhere in the world of privacy, the Financial Times reports a coalition of trade groups has raised an antitrust complaint against Apple in response to Apple's plans to implement changes to its mobile platforms requiring apps to specifically ask users if they agree to have their behavior tracked across apps and websites. The suit centers around the argument that by providing people more meaningful choice over the collection and use of their personal information, ad-supported apps will necessarily transition to subscription models under which Apple will take a percentage of subscription revenue with the App Store rules.

I encourage you all to take advantage of the regional events that the IAPP will hold in November. The first is a Virtual KnowledgeNet event 12 Nov. from the Philippines on Employee Surveillance and Contact Tracing (presented in English), with Deputy Privacy Commissioner Leandro Angelo Aguirre.