The government has delivered the next step in the ongoing Privacy Act Review by releasing the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 and Privacy Review Discussion Paper.
- The draft bill delivers parts of the proposed privacy reforms that the government considers needed in the short term, including heightened civil penalties, expanded enforcement powers for the Information Commissioner, and the framework to develop and register the Online Privacy Code.
- The Online Privacy Code will regulate how a broad range of online service providers, such as social media providers, data brokerage services, and large platform providers, comply with the Australian Privacy Principles, with a particular view to increasing consumer control over their data, and protection for children and other vulnerable groups.
- The Discussion Paper sets out numerous proposals for broader reform of the Privacy Act, in many cases, aligned to leading international privacy frameworks such as the GDPR and Californian Consumer Protection Act, including an expanded scope of “personal information”, greater consumer rights to control how their information is processed, heightened consent requirements, and numerous measures to improve transparency of data handling practices.
- The government is inviting public submissions on the draft bill (closing 6 December 2021) and Discussion Paper (closing 10 January 2022).
On 25 October 2021, the Attorney-General’s Department released the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) as well as the long-awaited Privacy Act Review Discussion Paper (Discussion Paper) for the broader review of the Privacy Act 1998 (Cth) (Privacy Act).
The release of the Draft Bill and Discussion Paper marks another step towards broad-ranging reforms to Australian data protection laws following:
- the announcement in March 2019 of reforms to increase the civil penalties under the Privacy Act and introduce a binding privacy code to apply to social media platforms and other online platforms that trade in personal information;
- the ACCC’s Digital Platforms Inquiry and Final Report in 2019 (DPI Report), which made numerous recommendations for privacy reforms to strengthen consumer privacy rights;
- the Attorney-General’s Department release of the Privacy Review Issues Paper in October 2020 (Issues Paper); and
- the separate, but parallel “Consumer Data Right” reforms that have been implemented under the Competition and Consumer Act 2010 (Cth), which came into effect for the banking sector in 2020 and will be rolled out to other sectors over time.
Reforms to Australian data protection laws are following global trends towards heightening consumer control over their personal information, and as a necessary consequence, a change in mindset regarding corporate “ownership” of data sets containing personal information.
The reforms, if implemented, will require a major upheaval of privacy compliance programs across the economy, including a rethink of data flows, technology systems and contractual arrangements. Australian organisations with global operations governed by foreign regimes such as the GDPR or California Consumer Protection Act, or that comply with (or are preparing to comply with) the Consumer Data Right, are likely to be familiar with and better placed to adapt to the proposed reforms, which propose the adoption of key aspects of these regimes such as more onerous consent requirements and individual rights to withdraw consent and to erasure.
In any event, as Australian data protection laws reach towards the high-water mark set by foreign regimes like the GDPR, data governance and strategy will be pushed closer to the top of the agenda for all organisations that process personal information.
A. Online Privacy Bill
The Draft Bill intersects with matters that form part of the broader privacy reforms, but which the government perceives as in pressing need of implementation in advance of the reforms proposed by the Discussion Paper.
The Draft Bill proposes some amendments to the Privacy Act including to:
- give the Commissioner the power to make a third binding code, the Online Privacy Code (OP Code);
- raise the maximum civil penalties under the Privacy Act, and introduce additional enforcement powers; and
- broaden the extra-territorial application of the Privacy Act to clarify its application to foreign companies carrying on business in Australia, but which may not “collect or hold” personal information within Australia.
The OP Code
The proposed OP Code will apply to specific types of online service providers (OP Organisations) that provide:
- Social media platforms, defined as an electronic service whose primary purpose is to enable online social interaction between two or more end-users, and allows end-users to post material on the service. The “primary purpose” qualification is intended to operate to exclude services that use online communication as an additional feature (e.g. an online feedback functionality in respect of another service);
- Data brokerage services, which is a service involving the collection of personal information directly or indirectly via an electronic service for the sole or primary purpose of disclosing that information (or information derived from such information) as a service. Data brokerage services are intended to capture organisations whose business model is based on trading in personal information or insights collected online, such as the sale of data derived from customer loyalty or frequent flyer programs; and
- Large online platforms, which collect ‘high volumes’ of personal information from more than 2.5 million end-users in Australia. Large online platforms will capture a range of online platforms with a significant presence in Australia, such as search engines, global technology companies and media sharing platforms.
The Draft Bill proposes that the OP Code:
- set out how OP Organisations comply with certain existing Australian Privacy Principles, such as periodic consent renewals where processing sensitive information and additional requirements for collection notices;
- require OP Organisations to take reasonable steps to stop using and disclosing personal information at the request of the individual; and
- introduce a framework applicable to all OP Organisations designed to heighten protection of minors and vulnerable persons, which will impose specific requirements for social media platform providers including a requirement to take reasonable steps to verify age, and stricter requirements for consent (including parental consent for under 16s) and processing of personal information of minors.
The Commissioner will have the power to investigate potential breaches of the OP Code, either in response to a complaint or on its own initiative, and will have the full range of powers under the Privacy Act to take enforcement action for breaches of the OP Code.
Civil penalties and enforcement
The Draft Bill increases the maximum civil penalty for serious and/or repeated interference by a corporation with the privacy of an individual to the greater of:
- $10 million; or
- three times the value of the benefit obtained by the organisation from the infringing conduct; or
- 10% of their annual domestic turnover (if the benefit cannot be determined).
The Commissioner is also granted additional enforcement powers, including by:
- expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
- introducing new information gathering powers to enable the Commissioner to conduct assessments in its enforcement activities;
- granting the Commissioner powers to issue infringement notices where organisations fail to provide information requested by the Commissioner as part of an investigation; and
- allowing the Commissioner to share information or documents with other law enforcement bodies, domestic and foreign regulators and alternative complaint bodies.
The Draft Bill expands the extra-territorial application of the Privacy Act by removing the requirement that a foreign organisation that carries on business in Australia “collect or hold” information within Australia prior to or at the time of an act or practice. This amendment is designed to remove uncertainty in the existing regime as to whether foreign organisations have collected or held personal information in Australia – for instance, in circumstances where the information was collected online by servers outside of Australia.
Submissions on the Draft Bill are now open and will close on 6 December 2021. The Government will consider submissions and prepare a final draft bill to present before Parliament. If the bill receives Royal Assent, the OP Code will be developed in accordance with the existing APP code development process under the Privacy Act (with industry having the first opportunity to develop the OP Code), and registered within 12 months.
B. Privacy Act Review Discussion Paper
Following the Issues Paper, which received extensive public submissions, the Discussion Paper makes a number of proposals for privacy reform, and sets out numerous issues requiring further consideration and consultation in order for the government to develop and finalise its proposals, which will be contained in its final report.
Key proposals made by the Discussion Paper include:
| Topic | Proposal |
|---|---|
| Scope of personal information | Technical information: Address uncertainty as to whether certain technical information (such as online identifiers, location data and IP addresses) constitutes personal information by amending the definition of personal information: |
| Scope of personal information | Reasonably identifiable: Provide greater clarity on assessing whether an individual is reasonably identifiable (and, as a corollary, when information is anonymised and not subject to the Privacy Act) by: |
| Scope of personal information | Inferred information: Provide greater clarity on whether “inferred” information (such as inferences as to a person’s preferences, habits or persuasions, put together from a range of personal and other information) constitutes personal information by amending the definition of ‘collection’ to include information obtained from any source and by any means, including inferred or generated information. |
| De-identified information vs anonymous information | Anonymous information: Increase the standard required for personal information to no longer be subject to the APPs by amending APP 11.2 to require organisations to take all reasonable steps to destroy the information or ensure that it is anonymised. |
| | Collection notices: Increase transparency for consumers at the time of collection regarding the intended processing of personal information by: |
| | Collection from third parties: Heighten obligations on organisations receiving personal information from third parties so as to address the risk that the personal information was originally collected by unfair or unlawful means. Specifically, by amending APP 3.6 to require organisations to take reasonable steps to satisfy themselves that the information was originally collected from the individual in accordance with APP 3. |
| | Demonstrating consent: Heighten the requirements for obtaining an individual’s consent by: |
| | Children: Introduce additional requirements for the collection, use and disclosure of personal information of minors, including by either requiring parent or guardian consent in respect of personal information of a child under the age of 16 only in situations where the Privacy Act currently requires consent (such as in respect of sensitive information). |
| Permitted use and disclosure of personal information | Use and disclosure: Place further limitations on the use and disclosure of personal information as currently permitted under APP 3 and APP 6 (by reference to the primary purpose of collection, and related secondary purposes) so as to limit such use and disclosure to the reasonable expectations of individuals and the public at large. Specifically, by: |
| Permitted use and disclosure of personal information | Primary and secondary purpose: Restrict the use of personal information for secondary purposes by amending APP 6 to expressly require APP entities to determine and record, at or prior to using or disclosing personal information for a secondary purpose, each of the secondary purposes for which the information is to be used or disclosed. |
| Permitted use and disclosure of personal information | Restricted practices: Introduce additional safeguards to identify and mitigate privacy risks for a range of high-risk acts and practices, such as large-scale direct marketing, targeted advertising, processing of sensitive information, use of biometrics or facial recognition software, sale of personal information, automated decision making with legal or significant effects, and practices that influence individual behaviour. Specifically, by either: implementing other controls, such as consent requirements and absolute opt-out rights. |
| Pro-privacy default settings | Privacy settings: Introduce new requirements for products or services that contain multiple levels of privacy settings to either: provide an obvious and clear way for individuals to set all privacy settings to the most restrictive level (e.g. a single-click mechanism). |
| New individual rights to object or withdraw consent to processing personal information | Objecting or withdrawing consent: Introduce an individual right to object or withdraw consent to the collection, use and disclosure of their personal information, and an obligation on organisations to take reasonable steps to stop collecting, using or disclosing the individual’s personal information and to inform the individual of the consequences of the objection. |
| New individual rights to object or withdraw consent to processing personal information | Right to erasure: Introduce an individual right to erasure of personal information on certain grounds, which include sensitive information or information relating to a child, where the individual has objected to the processing, or in other situations where the processing is unlawful. The Discussion Paper is seeking further feedback on exceptions to the right to erasure, such as where continued processing is required to perform a contract or under law, or for public interest reasons. Organisations will need to respond by notice to individuals on whether they will erase personal information or object on the grounds of an exception. |
| Direct marketing | Right to object: Introduce an unqualified right for individuals to object to the collection, use or disclosure of personal information for the purpose of direct marketing. Organisations will be required to cease direct marketing and notify the individual of the consequences of the objection. |
| Direct marketing | Marketing communications: Require organisations to notify individuals of their right to object (as noted above) in each marketing communication. |
| Direct marketing | Repeal APP 7: Repeal APP 7 on the basis that the above amendments and existing APPs will adequately address concerns regarding direct marketing. |
| Data security | Technical and organisational measures: Clarify that “reasonable steps” to protect personal information under APP 11 require organisations to implement technical and organisational measures, and provide a list of factors that will indicate what reasonable steps may be required. |
| | Certification schemes: Increase certainty regarding the permissibility of cross-border transfers of personal information by amending APP 8.2 to include a mechanism to prescribe countries and certification schemes that offer adequate protection. |
| | Standard contractual clauses: Develop standard contractual clauses that will allow organisations to transfer personal information overseas. |
| | Removal of the consent exception: Remove the ability for organisations to obtain consent from individuals to transfer personal information overseas without taking reasonable steps to ensure the overseas recipient complies with the APPs. |
| A direct right of action | Direct right of action: Introduce a direct right for individuals to initiate action in the Federal Court for interference with privacy, with the leave of the court and following a complaint to the OAIC. |
| Statutory tort | Tort of invasion of privacy: Introduce a form of statutory tort of invasion of privacy. The Discussion Paper has proposed numerous options for further consideration, which include a statutory tort for invasion of privacy as formulated by the 2014 ALRC report (applying to intrusion upon seclusion and misuse of private information), and a minimalist statutory tort that recognises the existence of the cause of action but leaves the scope and application of the tort to be developed by the courts. |
Other issues for further consideration
The Discussion Paper considers numerous other matters for possible reform, for which further consideration is required in order to develop reform proposals, including the removal of the small business and employee records exemptions to the APPs.
The government is inviting public submissions on the reform proposals in the Discussion Paper, which close on 10 January 2022. The government will also conduct consultation with industry stakeholders during this period. Submissions on the Discussion Paper will be considered by the government prior to issuing a final report on the Privacy Act Review.