The 28th of September marked a major milestone in the government's commitment to overhaul the Australian Privacy Act. In February 2023, the final recommendations paper was tabled outlining 116 proposed changes, and in late September we finally have some clear direction around which proposed changes will form part of the Privacy Act overhaul as recommended or have been agreed to.
Of the 116 proposals tabled, 38 have been agreed to, whilst a further 68 have been agreed to “in principle”, which means they require further consultation before a final decision is made.
Tell me what I can stop worrying about
>> Opt-outs for targeted advertising
One of the big controversial changes proposed in the Act was to provide consumers with the right and ability to opt out of targeted advertising. Brands can breathe a sigh of relief on this front, as this is one of the 10 proposals that, at this stage, have not been agreed to or agreed to in principle.
What has been accepted
For the 38 proposals that have been accepted, development of legislative proposals will follow, although this will also include further targeted consultation. So what has been agreed to?
>> Automated Decision Making
With government seeking to regulate AI on many fronts, it comes as little surprise that one of the 38 accepted recommendations relates to automated decision making. An organisation’s privacy policy will need to set out the types of personal information used in substantially automated decisions (e.g. online credit applications) that have a legal or similarly significant effect on an individual’s rights. The Office of the Australian Information Commissioner (OAIC) will provide guidance on the types of automated decisioning that would be covered by this requirement.
>> Child privacy
Whilst some recommendations related to child privacy have been flagged as agreed to in principle, it is clear that child privacy is one of the burning platforms the government will address, as it has also agreed outright to a series of recommendations. These include:
A child should be defined in the Act as an individual who has not reached 18 years of age (proposal 16.1).
The government also agreed to recommendations to develop a children’s privacy code similar to the one adopted in the UK. This code would help to clarify how the best interests of the child should be upheld in the design of online services, and provide further guidance on how entities are expected to meet requirements regarding targeting, direct marketing and trading.
>> Overseas data flow
In the world of the General Data Protection Regulation (GDPR), restrictions are in place with respect to the transfer of data outside of the European Economic Area (EEA) to non-EEA countries or international organisations. This ensures individuals retain the same level of protection granted by the GDPR. It is these rules that have made solutions like Google Analytics 4 non-compliant with GDPR legislation.
With similar recommendations made here, the government has sought to provide a level of protection to Australian citizens. To support the free flow of information with appropriate protections, the Government agrees a mechanism should be introduced to prescribe countries with substantially similar privacy laws. This will allow businesses to disclose personal information to recipients in prescribed countries without the need for contractual provisions or other measures.
>> Clamping down on offenders
One thing that is clear from the government's initial agreed recommendations is that greater enforcement of the act will apply. This heightens the importance of taking compliance seriously for brands of all sizes.
The government agrees that regulators should continue to foster regulatory cooperation in enforcing matters involving mishandling of personal information.
To ensure the OAIC can take appropriate action for interferences with privacy, the government agrees section 13G of the Privacy Act (which deals with ‘serious or repeated’ interferences with privacy) should be amended to remove the word ‘repeated’ and clarify that a ‘serious’ interference can include repeated interferences with privacy (proposal 25.2). This allows penalties to apply for serious offences even if they are not repeated.
The government agrees a new mid-tier civil penalty provision should be introduced to cover interferences with privacy which do not meet the threshold of being ‘serious’. It also agrees that a new low-level civil penalty provision for specific administrative breaches of the Act and Australian Privacy Principles should be introduced, including attached infringement notice powers for the Information Commissioner, with set penalties (proposal 25.1). This change essentially enables the OAIC to pursue more brands for less serious offences in the privacy space.
The government also agrees that the Federal Court and the Federal Circuit and Family Court of Australia should be given the power to make any order they see fit after a civil penalty relating to an interference with privacy has been established (proposal 25.6). The government also agrees entities should be required to identify, mitigate and redress actual or foreseeable loss suffered by an individual (proposal 25.5). This comes as little surprise, as both the Medibank and Optus sagas demonstrated the lack of power consumers had to seek support to cover costs associated with the breach (e.g. the cost of reissuing licences and passports).
Again it has been recommended here that the OAIC should publish guidance on how entities can achieve this.
What is still being given more thought?
With 68 proposals agreed to "in principle", there is still much that needs to be worked through. Proposals agreed to "in principle" will go through a process to explore whether and how they could be implemented to balance privacy safeguards with potential other consequences and additional regulatory burden. So, what are some of the key ones...?
>> Personal information, consent and opt out
The government agrees in principle that amendments to the Privacy Act are needed to clarify that personal information is an expansive concept which includes technical and inferred information (such as IP addresses and device identifiers) where this information can be used to identify individuals (proposal 4.1). Such a change will mean all digital data collected for the purposes of mining, personalisation, analysis and more would be subject to the Australian Privacy Act. Additional OAIC guidance will help to clarify when an individual is reasonably identifiable in different contexts and when the connection between information and an individual is too tenuous or remote to be considered personal information.
The government agrees in principle that individuals should have an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes (proposal 20.2). This will be subject to refining the definition of direct marketing, so it is broader and relevant for the digital age.
The government also agrees in principle that consent should be required for the collection of precise geolocation tracking data over time, and will consider further whether this should be included as a new sub-category of sensitive information.
>> Fair and reasonable information handling
The current framework places the onus on individuals to largely self-manage their privacy. It assumes that individuals engage with and understand the privacy policies and collection notices of entities (which they often don't, as these are written by legal professionals).
The government agrees in principle that this imbalance needs to be addressed through a new requirement that collections, uses and disclosures of personal information are fair and reasonable in the circumstances. An entity will still be permitted to collect personal information; however, a fair and reasonable test will apply. This ensures that organisations really consider whether the information they are collecting and retaining is required to carry out their core activities and is in the best interest of the public. This will seek to address instances like the Optus breach, where the telco was found to be holding an array of personal information up to 6+ years after an application for a phone was submitted.
>> The job no one will want...
To improve information management governance processes and systems, the government agrees in principle that entities should be required to appoint or designate a senior employee as having specific responsibility for privacy within the organisation. This would bring the legislation more in line with the GDPR.
>> Targeting & trading data will be subject to more compliance
To address particular concerns about harmful targeting, the government agrees in principle that targeting should be subject to the following:
Targeting individuals should be fair and reasonable in the circumstances.
Targeting individuals based on sensitive information should be prohibited, with an exception for socially beneficial content. These requirements would enable privacy harms associated with targeting to be addressed whilst ensuring targeting for socially beneficial purposes is not prevented.
In addition, further consideration will be given to how to provide individuals with more choice and control in relation to the use of their information for targeted advertising. This includes layered opt-outs and industry codes which could specify how to give individuals more control over how their information is used for online advertising.
On the data trading front, an individual’s consent should be required in order to trade their personal information.
>> Greater consumer powers to understand what data is held and request erasure
The government has agreed in principle that individuals should have greater transparency and control over their personal information through the creation of new individual rights. At the same time, these rights will create a host of challenges for brands who don’t have their data centralised and in order. The new rights would enable individuals to:
Request an explanation of what personal information is held and what is being done with it through an enhanced right to access (proposal 18.1).
Challenge the information handling practices of an entity and require the entity to justify how its information handling practices comply with the Act (proposal 18.2).
Require an entity to delete (or deidentify) personal information through a right to erasure, and others.
How to best prepare for the change
Many brands have been awaiting some clearer direction before preparing for the change that is upon us. The government has signalled legislation will be introduced to parliament in 2024 and therefore the time to begin to prepare is now. But where should brands start and what will be no regrets in terms of preparation?
1) Appoint a privacy leader
Whilst this recommendation is only agreed in principle, regardless of whether appointing a senior person to be responsible for privacy becomes part of the Act or not, it is good business practice and will ensure that privacy is taken more seriously within the organisation. It will also better enable compliance with the new Act.
2) Build awareness of the changes coming and form a governance committee
Privacy cannot be the role and accountability of one person within the organisation. Legal teams, IT, marketing, sales and customer service all play critical roles in ensuring compliance. It is therefore an opportune time to begin raising awareness across the organisation and to form a working committee to identify potential impacts and consider how best to approach the change that is upon the industry.
3) Understand the complexities your organisation will face, based on potential new consumer powers with the right to erase and request an explanation on what is held
Auditing your current customer data ecosystem to understand where personal information is held is one of the most critical first steps in understanding the complexities you will face in complying with potential new laws. This doesn’t mean you need to implement the changes at this stage, but understanding the size and complexity of change in this space will enable the organisation to best prepare.
4) Learn from those who experienced GDPR
When we speak to anyone who has undergone change to comply with the GDPR, we see a deeper appreciation for the importance of privacy and compliance, and those with lived experience of implementation offer rich insight. Identifying those within your network who managed through the change during the GDPR can help you to shortcut some of your thinking and learning, to best prepare for the change.