After a slew of privacy breaches by major brands in 2022, the government made it clear coming into Christmas that sweeping privacy changes were imminent. And it seems the Attorney General has wasted no time in seizing the moment – releasing its latest report which outlined proposals to ensure that Australians' privacy is better protected in the digital age and that consumers have greater control over their data. This final recommendation report has been 3 years in the making, with both an issues paper and discussion paper released in 2020 and 2021 respectively. What is important to note is that further consultation is still to come – which is, I’d say, a good measure. With the size and scale of change being proposed, brands and small businesses will potentially buckle under the demands of the legislation, as consumer rights and control are put at the heart of the change being proposed.
One little word has significant ramifications for what is defined as 'personal information'
The term ‘personal information’ is set to undergo a broadening in definition. Under the Act, information or an opinion ‘about’ an individual who is identified or reasonably identifiable, is considered personal information. However, that doesn’t cut the mustard in a world where brands are using a number of identifiers to recognise an individual. The report recommends replacing the word ‘about’ with the phrase ‘relates to’ to clarify what is considered personal information. Whilst the change appears subtle, it is significant. Such a change will see technical information (e.g. IP addresses and location data) and inferred information (e.g. predictions of behaviour or preferences) considered as personal information.
The Report also proposes that any inferred or generated information will be deemed to have been ‘collected’ within the meaning of the Privacy Act. This will help resolve uncertainty which had existed over the treatment of certain categories of data under the Act.
Both of these parts are significant. When combined with a consumer's ability to request an erase of all data, it creates a bit of a minefield for brands to manage.
AI may make smarter decisions but brands will now need to explain them
The report proposes more transparency around personal information used in “substantially” automated decisions which have a legal or significantly similar effect on an individual’s rights. Where personal information is used for this kind of automated decision making, this will need to be called out in a privacy policy, as well as the types of personal information used. The proposal doesn’t stop there, however – it is also proposed that individuals will have the right to request information about how automated decisions using their personal information are made. These proposals go further than GDPR (General Data Protection Regulation) and apply to a wider range of automated decisions - making it unchartered territory for brands.
Targeted ads have been well ...targeted
It was clear early on that digital advertising was to come under the Privacy Act, given the focus on regulating digital platforms in market and the lack of transparency around what data is being used to target consumers.
The report proposes to give greater power and transparency to consumers, providing individuals with the right to opt-out of receiving targeted advertising and content. It also ensures that targeting must be ‘fair and reasonable’, coming with transparency requirements about the use of algorithms and profiling to recommend content to individuals. And it isn’t just identifiable data that is within their sights. Targeted advertising, using personal information, de-identified information, and unidentified information are all within the scope of the Act.
The balance of power has finally tipped towards the consumer
In recent years, consumer sentiment around rights to erase their data has risen. The privacy index report by Deloitte in 2021 found that 79% of Australian consumers want the right to erase their data. To align with changing community expectations around both transparency and control over their personal information, the Report proposes a number of new rights for individuals in relation to their personal information.
These include:
an expanded right to access personal information that relates to them and to receive an explanation of how the business collected that information and what it is used for;
a right to object to the collection, use and disclosure of their personal information;
a right to have their personal information erased by a business that holds it;
a right to have internet search results about them de-indexed and to correct personal information published in online publications. The last of which will create new complexities for platforms like Google operating within Australia.
Data retention now getting its time in the sun
When the Optus breach emerged, it laid bare the data goldmine it had amassed on consumers dating back years. When the Medibank hack followed, the data retention issue was well and truly clear – brands were hoarding data well beyond its expiry date. The report proposes changes to data retention requirements, aimed at creating a culture of deleting personal information when it is no longer required. There is a new requirement for entities to establish minimum and maximum data retention periods, and to include these periods in privacy policies.
A pathway of direct action for consumers could leave brands to deal with an onslaught of complaints and requests for compensation
Individuals who have suffered loss or damage as a result of privacy interference by an APP entity are to be afforded a path forward for recourse. Remedies available to complainants are not proposed to be restricted and could include damages for hurt feelings and humiliation. OH MY, the flood gates will open!
The report attempts to temper the potential influx of claims, by requiring a complainant to make a complaint to the OAIC (Office of the Australian Information Commissioner) prior to filing proceedings, in order to ensure there is rationale to bring about the claim. This indicates that the OAIC will still have a key role in the initial resolution or at least the ‘triage’ of complaints.
No more exemptions for small businesses within the Act
Historically, organisations with fewer than $3m in annual revenue were exempt from the Act, but the new recommendations are moving towards removing these exemptions for small business. The report flags that consultation with small business will be important to determine what help they will need to adopt to comply with the Act.