TIL

The Attorney General’s Department has just released a discussion paper on privacy law reforms. Some of it picks up recommendations made by the ACCC’s Digital Platform Inquiry.  Submissions are invited on the discussion paper by 10 January 2022. This presents a challenge regarding whether there will be enough time before the next federal election to pass any amendments. Should you have any questions regarding these proposals feel free to contact us.

User-friendly

The Australian Privacy Principles (APPs) sometimes present some ambiguities. Whilst the Office of the Australian Information Commissioner (OAIC) provides helpful guidance, consideration has been given to make the APPs even clearer and simpler. This includes refining the definition of ‘personal information’ (which includes names, addresses, birthdays, phone numbers) to provide more guidance, and expanding the definition of ‘sensitive information’ to potentially include location data, as well as financial/ transactional data (as transactions can reveal things already classified as sensitive, like health information and political opinions).

There is also consideration being given to standardising some aspects – including privacy policies, or parts of them, privacy notices issued to individuals regarding collection that has occurred, and even contract clauses regarding cross border disclosures. This is because some privacy policies and contract clauses are becoming long and convoluted, and invariably differ between different businesses. The strategy is, where possible, to simplify and use familiar, consistent language.

On the topic of collection, consideration is being given to adopting legislated factors, relevant to whether a collection, use or disclosure of personal information is fair and reasonable in the circumstances.

The public’s domain

With certain exceptions, entities that are bound by the APPs are those with an annual turnover of over $3 million. But how is an individual expected to know the turnover of, say, the company or partnership they are transacting with? Further, some places (including the EU) view our privacy laws as inadequate because of this high threshold. On the other hand, governments often don’t want to unnecessarily burden businesses with regulation where it can be avoided. Submissions have been invited on either reducing or increasing this threshold.

Authentication required

The issue of consent with respect to the use, collection and disclosure of personal information and, in particular, sensitive information is not always simple. Individuals may consent to, and anticipate, particular limited uses of their information. However, individuals may not expect, for example, for their information to be disclosed to third parties for commercial exploitation. Such permissions are often vague, and buried in privacy policies and terms and conditions. Indeed, in relation to issues of use and disclosure it is proposed that definitions be adopted for ‘primary purpose’ as the purpose for the original collection, as notified to the individual, and that a ‘secondary purpose’ as a purpose that is directly related to, and reasonably necessary to support the primary purpose.

There are a number of proposals regarding the issue of consent. These include strengthening what is required to demonstrate consent to mean a clear affirmative act, that is voluntary, informed, unambiguous, specific and current.

There are also a number of ‘pro-privacy’ proposals including opt out rights, pro-privacy default settings and making accessible the most restrictive settings especially where it involves geolocation or when the information relates to children. These proposals, which are consistent with some overseas regimes, extend to a right to object at any time to collection, use or disclosure, an unqualified right to object to any collection, use or disclosure of personal information by an organisation for the purpose of direct marketing and the right to object in relation to each marketing product provided.

It is anticipated that some technology companies will oppose such measures, on the basis that they cannot provide an effective service without having the ability to collect and disclose particular information. There is some truth in that argument, outside of what is usually the main purpose for collection and disclosure - being able to better target advertising to individuals and modify their behaviours.

On that point, it is proposed that an APP entity will have to notify individuals whether the entity:

• Uses third parties in the provision of online marketing materials and if so, the details of those parties and information regarding the appropriate method of opting-out of those materials;
• Is likely to use personal information, alone or in combination with any other information, for the purpose of influencing an individual’s behaviour or decisions and if so, the types of information that will be used, generated or inferred to influence the individual.

In relation to overseas disclosures, there is a proposal to strengthen the transparency requirements to include the countries that personal information may be disclosed to, as well as the specific personal information that may be disclosed overseas in entity’s privacy policy. This is a best practice that many APP entities have already adopted.

Click and Collect

Some privacy policies and terms and conditions seek to limit definitions and obligations relating to the collection of personal information. APP entities are sometimes able to collect information from third parties, and collect automatically or algorithmically generated information relating to an individual. Accordingly, it is proposed that the definition of collection be amended to include information obtained from any source and by any means, including inferred or generated information.

Two options are also proposed with respect to APP entities that engage in restricted and prohibited acts and practices. One option is that APP entities take reasonable steps to identify privacy risks and implement measures to mitigate those risks where they engage in large scale collection, use or disclosure of information including sensitive information, children’s personal information, location data, biometric or genetic data, and where it involves direct marketing, sale of information, and influencing individuals’ behaviour or decisions on a large scale. Otherwise, it is proposed that in relation to such practices, an individual’s capacity to self-manage their privacy in relation to such practices is increased, say, by providing for opt-out rights.

Random-access remedy

Other regulators, like the ACCC and ASIC, have a range of enforcement mechanisms available to them with respect to breaches of legislation in their respective portfolios. However, the OAIC has limited options available to it. At present, there is a threshold of ‘serious and repeated infringements’ in order to enliven court enforcement. 

It is proposed that tiers of civil penalty provisions be created to give the OAIC more options so they can better target regulatory responses. That is, consideration is being given to introducing lower tiers for less serious offences, including infringement notices, and giving the Federal Court the power to make any order it sees fit after a breach has been established (as it has with respect to breaches of competition, consumer and financial services laws).

Share permissions

At the moment, when serious or repeated breaches of APPs occur, only the OAIC can initiate proceedings. Even in instances where individuals are notified of a data breach of their own personal information, they have limited options available to them.

It is proposed that a direct right of action be established, available to any individual or group of individuals whose privacy has been interfered with by an APP entity. A pre-condition to initiating proceedings will be that a complaint to the OAIC is made first and remains unresolved, and then leave obtained from either the Federal Court or the Federal Circuit Court. Flexible remedies would then be available as the court sees fit, including damages. This proposal opens an opportunity to class actions for data breaches.

System reconfiguration

There are few options available to Australians for breaches of their privacy. This includes with respect to unauthorised access to, or misuse of, personal information (including by non-APP entities), unwarranted surveillance, breaches of the Privacy Act. These issues come up not only in commercial contexts but also in domestic settings (say, with respect to intimate images and videos).

Consideration is being given to introducing a statutory tort for invasion of privacy. This action would involve an intrusion upon seclusion, and a misuse of private information, with the claimant needing to prove that:

• the public interest in privacy outweighed any countervailing public interest
• the breach of privacy satisfied a seriousness threshold, and
• they had a reasonable expectation of privacy in all the circumstances

The South Australian Government has recently issued a draft bill for consultation that adopts this proposal.

Otherwise, consideration could be given to the introduction of a minimalist statutory tort of invasion of privacy, which recognises the existence of the cause of action but leaves the scope and application of the action to be developed by the courts.

Suspend()

Proposals to amend Australia’s privacy laws present an opportunity to implement privacy by design and by default. Both governments and companies increasingly rely heavily on the free flow of data and interoperability in the provision of their services. Indeed, in this era of surveillance capitalism, in many instances private sector services simply wouldn’t exist without the ability to use and sell personal information – exploitation by design. 

In addition, proposals to introduce direct rights of action and statutory actions for privacy breaches are long overdue. They would empower individuals with respect to serious issues that aren’t easily accommodated by other areas of law. Whether the proposals will result in more control being given to individuals and a more appropriately balanced privacy trade-off being achieved remains to be seen.

Submissions are invited on the discussion paper by 10 January 2022.

Further information / assistance regarding the issues raised in this article is available from the author Bill Fragos, Special Counsel or your usual contact at Moray & Agnew.