On 28 September 2023, the Australian Government released its response (“Response”) to the Privacy Act Review Report published on 16 February 2023. The Response “agrees”, or “agrees in principle”, with most of the 116 proposals made in the Report.
In the Response, the Government commits to progressing work to enhance the privacy protections provided to individuals and ensure Australian businesses have clarity about what information is covered by the Privacy Act 1988 (Cth) (“Privacy Act”) and how to best protect this information.
The Response is a clear direction to businesses that substantial changes to privacy laws will soon be made. Businesses should start preparing for these changes now to avoid getting caught out when the relevant legislation is passed.
Key reforms that have been “agreed” to by the Government include:
- amending Australian Privacy Principle (“APP”) 11.1 to clarify that “reasonable steps” (to protect information from misuse, interference and loss, as well as unauthorised access, modification or disclosure) includes technical and organisational measures;
- requiring privacy policies to set out the types of personal information that will be used in substantially automated decisions which have a legal or similarly significant effect on an individual’s rights e.g. decisions on denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water;
- developing and introducing a Children’s Online Privacy Code that applies to online services that are “likely to be accessed by children”;
- defining “child” in the Privacy Act as an individual who has not reached 18 years of age;
- creating tiers of civil penalty provisions, including a new mid-tier civil penalty provision to cover interferences with privacy without a “serious” element, and a new low-level civil penalty provision for specific administrative breaches; and
- allowing the Commissioner to make a declaration requiring an organisation to identify, mitigate, and redress actual or reasonably foreseeable loss suffered by complainants / individuals.
Key reforms that have been “agreed in-principle” by the Government, but await further discussion, include:
- extending and refining the definition of personal information (including a non-exhaustive list of information which may be personal information);
- removing the small business exemption (most small businesses with an annual turnover of $3M or less are currently exempted from the Privacy Act);
- extending privacy protections to cover private sector employees (a private sector employer is currently exempt from having to comply with many of the APPs when dealing with their current and former employees’ personal information);
- amending the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous; and
- amending the Privacy Act to require that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances (regardless of whether consent has been obtained).
The Government has also signalled that there will be changes to the notifiable data breaches scheme.
The Government has indicated it intends to introduce legislation in 2024. Before this occurs, there will be further stakeholder engagement to ensure that the benefits and economic costs of the reforms to privacy laws are fully understood. We expect that the proposal to remove the small business exemption will generate particular attention given its potentially vast impact.
Understanding privacy documentation (both external policies and other documents, and internal policies, manuals and guidelines) and confirming that they are consistent with the actual information handling practices of a business (and its staff) will be critical to managing the proposed reforms. This includes ensuring businesses identify and understand the personal information they are collecting (and the reasons for this collection), and the representations they are making to individuals concerning this information.
If you would like to talk about how your business might be impacted by the proposed changes to privacy laws, or the impact of privacy laws on your business more generally, please contact our Ben McPherson.
This post has been prepared as a general summary only. It is not, and is not intended to be, legal advice with respect to any particular matter. This post should not be relied on with respect to any particular matter without taking legal advice. Stork Davies Legal Advisors disclaims liability to any person who relies on this post without taking legal advice from the firm.