For collabs and confabs, three events occurred simultaneously in Melbourne 25-29 Nov., where — as the stormy weather would have it — folks were happy to be indoors and focused on big things in privacy.
Top of the agenda was the IAPP ANZ Summit 2024, the premier event for privacy professionals in this region — but also, increasingly, the place to be for those focused on artificial intelligence governance, information security, marketing and community outcomes-focused public policy. Summit was followed by a successful day of in-person Certified AI Governance Professional training.
Also on offer were the privacy, governance and data-enablement tracks at the Australian Cyber Conference 2024 and the Australian Smart Communities Summit — a testament to the interconnectedness of disciplines involved with personal information management and the ever-expanding role of the privacy professional.
Fitting, then, that it was also a big week for Australian lawmaking. On 28 Nov., many were glued to the Senate live-feed — where we witnessed a pre-Christmas bills blitz, which felt rather unceremonious after the long and hopeful build for our federal privacy reforms, but I digress — where the late evening rewards included agreement on the first tranche of privacy reforms, as well as the social media ban for young Australian people.
Privacy reform: Organizations that do not already have their privacy houses in order will be breaking into a sweat
The Privacy and Other Legislation Amendment Bill 2024 — the first tranche of reforms, plus some agreed upon amendments proposed by the Senate Legal and Constitutional Affairs Legislation Committee — passed into law 29 Nov. The immediate impact of this first tranche of reforms — which includes amendments to the Privacy Act 1988, a new statutory tort for serious invasions of privacy and the criminalization of doxxing — shouldn't be understated.
Most of the Privacy Act amendments commence immediately on royal assent, which means there is no grace period for compliance. Given that the privacy commissioner can now issue infringement notices for certain breaches of the Australian Privacy Principles or the Notifiable Data Breaches scheme, organizations should not delay reviewing their privacy posture.
Some low-hanging fruit we may see on the enforcement agenda: Not having a clear, up-to-date, easily accessible privacy policy; providing poorly drafted notices to individuals about a notifiable data breach; not having a simple mechanism by which people can opt out of receiving direct marketing; and failing to deal with a person's access or correction request within 30 days.
Organizations that have been risk-managing (particularly related to the security of personal information), resting on their accountability laurels or otherwise deprioritizing privacy investment to date should consider themselves on notice.
Also of significance is the unique and fast-following — in terms of global privacy leadership — amendment to introduce a Children's Online Privacy Code, with the Office of the Australian Information Commissioner to take carriage of its drafting in consultation with stakeholders. This brings Australia into step with leading jurisdictions and offers a place for critical privacy issues for children in online spaces to be sensibly canvassed.
Kids banned from social media
The amendments to the Privacy Act, including to strengthen privacy protections for kids, came as the government agreed on potentially privacy-eroding legislation. The Online Safety Amendment (Social Media Minimum Age) Bill 2024 amends the Online Safety Act 2021 to provide a minimum age for use of social media platforms and requires platforms to take reasonable steps to check the age of users.
While concepts such as privacy, security and safety should not operate to the exclusion of each other — indeed, they often need to be taken together for best outcomes — the question of a social media ban for young people under age 16 has been polarizing for academics, civil society, privacy professionals, safety advocates, politicians and others. Quite apart from its efficacy in terms of public policy, many are questioning how it can be implemented within the guardrails of the Privacy Act.
My own under-16 young person at home referred to this as a "moment," which, depending on your views, may either mean a seminal event or irony in lawmaking. Irrespective of which camp you fall in — #BanYay or #BanNay — it's clear there is work to do to ensure that age verification and other activities involving personal information associated with implementing the social media ban are done in accordance with privacy law and community expectations.
For instance, there is a "surveil the many to catch the few" element to the social media ban that speaks directly to privacy risk: that is, the ages of all social media users will need to be verified to ensure those under 16 are not among those getting past the gate. Given the race to get the ban through Parliament in mere weeks, how this macro privacy risk to the community will be managed has not been well canvassed.
Likewise, there is a need to understand the available age verification technologies and the privacy rigor associated with their development and deployment — not least including whether privacy impact assessments will be required to be completed by the relevant social media platforms to ensure privacy risks through the information life cycle are adequately assessed and addressed.
The November 2024 Joint Select Committee on Social Media and Australian Society final report entitled "Social media: the good, the bad and the ugly" stopped short of recommending a social media ban and, instead, supported an "overarching statutory duty of care." Indeed, a duty of care, owed by social media platforms to children, appears to be the most proactive starting point for good public policy. It demands accountability.
Conversely, banning young people from social media to protect them, while well-intentioned — and, by several accounts, largely supported among Australia's population — raises questions about the ban's implementation and enforcement and the ensuing privacy risks to both children and adults.
So, are we at loggerheads in Australia? Maybe. However, advancing arguments for and against the social media ban, and matters around how it will be implemented, exacerbate a perceived tension between privacy and eSafety, in many ways taking the focus away from the problems the ban seeks to solve. As eSafety Commissioner Julie Inman Grant shared in her keynote address at the IAPP ANZ Summit 2024, privacy and eSafety are not mutually exclusive and, indeed, together form part of the essential foundation upon which the online experiences of our children are shaped.
Framing the discussion further, and focusing on achieving meaningful outcomes here in Australia using our legislative scaffolding, Privacy Commissioner Carly Kind said over the weekend the Privacy Act amendments can be a vehicle for change and that "(r)ather than accepting that social media is so bad that it needs to be banned for the most vulnerable, we could actively try to make it a better place."
Kind's approach sits well with Australia's track record for leading difficult discussions and designing for a better world. We are already a leader globally in respect of eSafety, including our world-first Office of the eSafety Commissioner. It makes sense that, as part of a multi-pronged approach to protecting the community from abuses in online spaces, including potential abuses of their privacy rights, the first tranche of Privacy Act amendments would include specific provisions in respect of children's privacy.
While we don't yet know what our Children's Online Privacy Code will look like, it will most certainly have regard to what has been established in other jurisdictions as well as the broader public policy environment relevant here at home, such as, but not limited to, the interaction with the social media ban. Most importantly, the privacy commissioner has signaled an intent to use the Privacy Act and its children's privacy provisions proactively and collaboratively to help architect a better privacy future for Australians in online spaces.
Western Australia passes its first-ever privacy law
Perhaps quietly outdoing all efforts at the national level was the passage of Western Australia's Privacy and Responsible Information Sharing Bill 2024 — the state's first-ever privacy law. As part of this reform, a chief data officer will be established to lead and develop public sector capability for responsible information sharing. What's more, the reform offers a level of comprehensiveness that we don't expect to see federally for some time yet, including the introduction of a "fair and reasonable test" to support decision-making in the Western Australian government. This is great to see.
South Australia is now in the hot seat as the only Australian jurisdiction without a legislated privacy regime.
Nicole Stephensen is a member of the IAPP ANZ Advisory Board and the director of Ground Up Consulting.