On 28 September 2023 the Attorney-General announced the Government’s response (Response) to the Privacy Act Review Report of 16 February 2023 (Report). The Report contains 116 proposals for reforms of Australia’s privacy laws. The Response agrees to 38 proposals, agrees in-principle to 68 proposals and notes 10 proposals.

We have previously provided 16 key takeaways in relation to the Report. It seems our key takeaways anticipated the main aspects of the Response. Our revised, more detailed, 25 things you need to know from the Response are as follows:

Application

  • Removal of the $3 million turnover threshold, meaning more (smaller) businesses as well as individuals will be considered ‘APP Entities’ and be required to comply with the Privacy Act and Australian Privacy Principles (APPs). However, the Government will provide a transitional and consultation period to facilitate education and compliance amongst those that will be subject to the Privacy Act for the first time. Sub $3 million turnover entities conducting activities that pose a significant privacy risk will not have the benefit of the transition period and will be expected to comply.

Definitions

  • An expansion of what constitutes ‘personal information’ and ‘sensitive information’, including obligations regarding technical and inferred information (such as IP addresses and device identifiers). Sensitive information will include genomic information as well as information inferred from information that is not otherwise sensitive information.
  • Enhanced requirements to obtain consent, meaning a clear affirmative act, that is voluntary, informed, unambiguous, specific and current. Regarding consent, it is proposed that the Privacy Act be amended to expressly recognise the ability for individuals to withdraw consent in an easily accessible manner.
  • That ‘disclosure’ occurs when an entity makes information accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control.
  • That ‘collection’ includes information obtained from any sources and by any means, including inferred or generated information.

Fair and Reasonable Requirement

  • New requirements that, irrespective of whether consent has been obtained by an APP Entity, the collection, use and disclosure of personal information be fair and reasonable in the circumstances, and that legislated factors relevant to assessing this requirement be implemented.

Employee Information

  • Employee records of current or former private sector employees are presently exempt from the Privacy Act. Following consultation, the employee records exemption is to be amended to provide enhanced protections for private sector employees. This means greater obligations on employers as to how employee information is managed.

Accountability

  • An express requirement that APP Entities appoint or designate a senior employee responsible for privacy.
  • A requirement for APP Entities to determine and record the purposes for which they will collect, use and disclose personal information at or before the time they collect it and to record secondary purposes at or before the time of undertaking the secondary use or disclosure.
  • A requirement for APP Entities to undertake Privacy Impact Assessments (PIAs) for activities with high privacy risks, and to provide those PIAs to the Information Commissioner on request.

Security, Destruction and Retention

  • Security obligations being enhanced to specify both technical and organisational measures and compliance with a set of baseline privacy outcomes.
  • A requirement that APP Entities establish their own maximum and minimum retention periods for the personal information they hold and specify these retention periods in their privacy policies (considering the type, sensitivity and purpose of the information being retained, as well as the entity’s organisational needs and any legal obligations that apply).

Notifiable Data Breaches

  • Eligible data breaches to be notified to the Information Commissioner as soon as practicable, and not later than 72 hours, after the APP Entity becomes aware that there are reasonable grounds to believe there has been an eligible data breach. However, it is intended that further consultation occur regarding appropriate timeframes for reporting to ensure alignment with other relevant reporting frameworks.
  • Eligible data breaches would also be notified to individuals as soon as practicable, including allowing the provision of information to individuals in phases if it is not practicable to provide the information at the same time.
  • An obligation that APP Entities take reasonable steps to implement practices, procedures, and systems to respond to a data breach, and to set out the steps taken or to be taken in response to a data breach, including steps to reduce any adverse impacts on the individuals to whom the relevant information relates in their statement for an eligible data breach.

Direct Right of Action

  • Creating a direct right of action for privacy breaches. Currently, individuals can complain to an APP Entity or the Information Commissioner regarding privacy breaches. A direct right of action will give individuals the right to commence court proceedings against an APP Entity. This will facilitate class actions against APP Entities, including for widespread data breaches.

Individual Rights

  • Unqualified rights of individuals to opt-out of their personal information being used or disclosed for direct marketing purposes.
  • Enhanced transparency regarding personal information, including enhanced rights of access, the ability to require an APP Entity to justify how its information handling practices comply with the Privacy Act, to require an APP Entity to delete (or de-identify) personal information through a right to erasure, to request correction of online publications over which an APP Entity has control, and to require search engines to de-index certain online search results.

Cross border disclosures

  • The introduction of a list of prescribed countries with substantially similar privacy laws, allowing APP Entities to disclose personal information to recipients in prescribed countries without the need for contractual provisions or other measures.
  • The introduction and development of voluntary standard contractual clauses for the disclosure of personal information to non-prescribed countries, interoperable with those developed by other jurisdictions where possible.

Standardisation

  • Facilitation of the standardisation of privacy policies (or parts of them) and collection notices. This may include standardised icons, layouts and phrases to better support consumers to make quick and informed decisions. This is a strategy to require the use of familiar, consistent terminology and to create efficiencies.

Enforcement

  • Currently the Information Commissioner can commence proceedings for ‘serious or repeated’ breaches of privacy. The Privacy Act will be amended to remove the word ‘repeated’ and to clarify that a ‘serious’ interference can include repeated interferences with privacy.
  • Broader powers given to the Federal Court and the Federal Circuit and Family Court of Australia to make any order they see fit after a civil penalty relating to an interference with privacy has been established.
  • Similar to the enforcement powers possessed by the ACCC and ASIC, the Information Commissioner will have available a new mid-tier civil penalty provision to cover interferences with privacy which do not meet the threshold of being ‘serious’, and a new low-level civil penalty provision for specific administrative breaches of the Privacy Act and APPs, with the ability to issue infringement notices.

Statutory Tort for Serious Invasions of Privacy

  • The creation of a statutory tort for serious invasions of privacy, covering the misuse of private information, where the invasion is not in the public interest. This is broad, and potentially covers the sharing and publication of intimate images, doxxing, and unwarranted surveillance. It would have general application: it would not be limited to APP Entities and would extend to individuals and their relationships. Media organisations would be impacted, as stories featuring individuals in embarrassing or compromising situations, for example, would be affected.

Conclusion

The Attorney-General’s Department will commence the process of the development of legislative proposals and targeted consultation to explore how reforms may be appropriately implemented. It is intended that legislation be proposed in 2024.

There is an appreciation by the Government that APP Entities will require an opportunity to consider and understand the proposals in order to comply with any new requirements, including those entities that may be subject to the Privacy Act for the first time. Transition periods will be considered, together with the development of appropriate guidance to assist APP Entities to comply with new legislative provisions.

Should you wish to discuss the Response, or privacy rights and obligations more generally, please do not hesitate to contact us. We also deliver presentations and training to our clients on privacy laws, data breaches and the implications of privacy law reforms.

Further information / assistance regarding the issues raised in this article is available from the author, Bill Fragos, Special Counsel or your usual contact at Moray & Agnew.