
Preparing for the privacy reforms – heightening individual protections

Privacy concerns remain at the forefront of public policy following recent highly publicised cyber security breaches. Criticism of institutional responses to these events highlights the expectation that Australia’s privacy laws keep pace with digital innovations such as artificial intelligence.

In the May 2024 edition of Government Connect, we explained amendments to the Privacy and Personal Information Protection Act 1998 (NSW) aimed at public entities including NSW government agencies, universities and NSW local councils.

This article addresses the proposed reforms to the Privacy Act 1988 (Cth) designed to increase individual privacy protections and modernise Australia’s privacy laws in light of growing concerns around data security. We also look at how NSW government agencies can best prepare for the proposed reforms.

Timeline for Reforms

Almost a decade since the last major review of Australia’s privacy legislation, the Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced to parliament this September. The Bill comes after:

  • recommendations made in the Australian Competition and Consumer Commission’s 2019 Digital Platforms Inquiry Report

  • a consultation period (including an Issues Paper and Discussion Paper) between October 2020 and January 2022

  • the Attorney-General’s Privacy Act Review Report, released in February 2023

  • the Government’s response to that report, released in September 2023.

The Bill is the first of two proposed tranches of reforms to the Privacy Act, so the changes will be ongoing. Taken together, the reforms are intended to give the regulator, the Office of the Australian Information Commissioner (OAIC), greater enforcement powers.

Proposed Reforms

The most significant of the proposed reforms to the Privacy Act (many of which will be implemented by reference to the Australian Privacy Principles under the Act) are set out below. Each heading names the issue, and the text beneath it summarises the proposed reform.

Children’s Online Privacy Code

This seeks to codify previously non-binding privacy principles concerning children’s privacy in the use of social media and online platforms. It will require organisations to implement policies and procedures concerning the best interests of the child and will likely be implemented in conjunction with related legislative reforms (for example, age restrictions for social media usage).

Individual Rights

Heightened individual protections will include the ability to request erasure of personal data, to withdraw consent, and a right to data portability. Additionally, a new cause of action for serious invasions of privacy will allow individuals to seek redress directly, alongside an expanded civil penalty regime enforced by the regulator.

Cross-border data flows

A mechanism to streamline cross-border data flows. Overseas privacy regimes that are substantially similar to the Australian Privacy Principles may be prescribed, which is intended to encourage cross-border commerce and data sharing while continuing to protect individual privacy.

Consent & Notice Requirements

The reforms propose stricter requirements for obtaining consent and aim to ensure consent is both informed and freely given. There will also be expanded notification requirements for certain use and disclosure events, including notification of breaches to the OAIC, which in turn trigger the individual’s right to withdraw consent.

Increased Penalties / Enforcement Powers

The Bill gives the regulator greater flexibility and discretion in enforcing privacy laws. This includes the power for the OAIC to conduct public inquiries and a new determination power to provide support after breach events.

These aspects of the reforms, presented as a tiered enforcement regime, respond to the difficulties the OAIC has faced in imposing civil penalties for data and privacy breaches and will allow a more case-specific response (including temporary declaration powers for use in emergencies).

The Privacy Act (and the proposed reforms) applies to “organisations”, which includes businesses with annual turnover of $3 million or more (and smaller businesses where they trade in personal information or are health service providers), as well as state and territory government agencies prescribed by regulation 8 of the Privacy Regulation 2013 (Essential Energy, Ausgrid and Endeavour Energy).

Arguably the most hotly anticipated reform is a new statutory tort for serious invasions of privacy (with exceptions including journalists and enforcement bodies) – a significant development, as there was previously no express right to individual privacy in Australia. Additionally, the Bill proposes to criminalise the menacing or harassing misuse of personal data (for example, by doxxing).

The reforms seek to address the following public policy concerns regarding privacy and data regulation:

  • the requirement to keep pace with the rapid advancement of digital innovation – especially artificial intelligence

  • increased public concern for tighter privacy regulation following high-profile data breaches

  • modernising Australia’s privacy law regime to align with international standards and maximise Australia’s competitive participation in global commerce

  • growing demands for greater individual visibility and control over the use, storage and collection of personal data

  • ensuring public and private organisations respond to consumer demands by holding them to greater account through stricter regulation and heightened penalties for breaches.

However, not all of the recommendations agreed to (either wholly or in-principle) by the government in its response to the Privacy Act Review Report are included in the Bill. It is likely that further consultation and future reform will occur with respect to matters including:

  • expanding the definition of “personal information”

  • organisational accountability and applicable exemptions for small business and employee records handling

  • mandatory privacy impact assessments.

Government agencies

The reforms proposed in the Bill will have several benefits for Australian government agencies, namely:

  • greater flexibility in codifying and enforcing Australia’s privacy laws, including through increased enforcement and regulatory powers, and the ability for the Australian Privacy Principles to be amended and expanded

  • maximising the ability to respond to technological advancements

  • enhancing Australia’s competitive role in global trade and commerce by aligning Australia’s privacy laws with international standards.

Conversely, the proposed reforms are not without challenges, specifically:

  • the cost and administrative burden of updating/implementing policies and procedures in light of the reforms

  • greater funding needed for the OAIC to discharge its increased role

  • increased scrutiny and potential delay arising from new rules governing interagency data sharing.

Government Information (Public Access) Act 2009 (NSW)

Furthermore, government agencies need to be aware of the potential impacts of the Privacy Act reforms on access to government information under the Government Information (Public Access) Act 2009 (NSW) (GIPA). Anticipated consequences of the reforms for the GIPA regime include:

  • limiting the information available through GIPA as a result of heightened individual privacy protections

  • higher stakes and greater accountability for government agencies where GIPA disclosures may cause serious harm to individual privacy rights

  • increased cost and administrative burden of responding to GIPA requests due to the need for greater caution and ongoing training.

How should government agencies prepare?

Although the Bill is yet to become law, the reforms are part of an ongoing shift towards heightened individual protection in privacy and data regulation. Therefore, impacted agencies should prepare for the introduction of the reforms, including by:

  • ensuring privacy policies, GIPA policies and related procedures are reviewed and updated to align with the Bill and ongoing privacy reforms

  • investing in systems and technologies that facilitate responsiveness to consent and notification requirements, including withdrawal of consent and erasure of individual data

  • seeking advice and providing training on enforcement and regulatory risks

  • considering resourcing and funding requirements to comply with obligations arising from the reforms.

Authors: Gavin Stuart and David de Mestre 
