In October 2021, the Attorney-General’s Department released the Privacy Act 1988 Discussion Paper (Discussion Paper) to accompany the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).
The proposed reforms form a part of the broader response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry Final Report (2019).
Major privacy changes have been called for by the Australian Law Reform Commission since 2008. These changes will bring Australia’s privacy regime into the digital age and strengthen privacy protection for all Australians. The changes will also make Australia’s privacy law more consistent with international privacy laws.
While we do not expect all the proposed reforms to be passed, the Discussion Paper reports stakeholder feedback on issues like expanding the Privacy Act and we believe it gives a good indication of reforms business can expect.
Some of the proposed amendments include:
- Broadening the scope of the Act and the definition of ‘personal information’;
- Expressly requiring that privacy notices are clear, current and understandable;
- Notifying individuals of when businesses may use or disclose personal information for secondary purposes;
- Unbundling consent and having pro-consumer default settings;
- Greater powers for the OAIC; and
- Strengthening the Notifiable Data Breach Scheme.
Proposed amendments and some implications for your business
The Discussion Paper received considerable support for clarifying the scope and application of the Privacy Act and increasing transparency as a component of privacy protection. The definition of ‘personal information’ is likely to be amended to include technical data and online identifiers.
By broadening the definition, businesses will have to be conscious of what data they are collecting, both directly and indirectly. Businesses may also have to increase the security of the personal information they hold by improving their technical and organisational measures to protect it.
The way you collect consent is going to change
Consent for the collection of personal information was a key consideration of the privacy reforms. Currently, the APP guidance advises against using bundled consents (e.g. consents which cover more than one purpose for which information can be used); however, many businesses still use bundled consents when collecting information.
The reforms, if passed, will:
- make privacy consent more prescriptive;
- give individuals more freedom to object and protect their data; and
- allow individuals to ask a business to tell them what personal information it has collected about them indirectly, unless this would be disproportionately burdensome.
What you can do now
Your business may decide to take these steps now to get ahead of the changes:
- review current consents;
- implement pro-consumer defaults; and
- ensure that consents are clear and unbundled.
There was also support for formalising the option for individuals to withdraw consent. So moving forward, individuals may be able to ask an organisation to stop collecting, using, or disclosing their personal information.
The OAIC is going to have more teeth
The Discussion Paper gave support for:
- more powers for the OAIC;
- access to an industry funding model, similar to ASIC's, to fund OAIC guidance, advice, assessments, investigations and prosecution of entities; and
- more resources for the Information Commissioner, commensurate with the matters the OAIC deals with.
This will allow the OAIC to take a more proactive approach to enforcement, and handle complaints more efficiently. This support has been reflected in the Online Privacy Bill which increases penalties and enhances enforcement mechanisms.
Under the Bill, the maximum penalty of $2.1 million for serious or repeated breaches of privacy will increase to the greater of:
- $10 million;
- three times the value of any benefit obtained through the misuse of information; or
- 10 per cent of the entity’s annual Australian turnover.
These changes bring the penalties into line with those under the Australian Consumer Law.
What should your business do to prepare?
It’s time to review your privacy compliance frameworks and ensure your business practices, especially consents, are up to date. If you are a small business that handles any form of personal information, it is best practice to respect an individual’s privacy even if the Privacy Act does not apply to you.
The OAIC is stepping up its enforcement efforts and will not allow privacy to be treated as a secondary consideration.
If you need help understanding your privacy obligations, please contact us.