The federal government has unveiled “landmark privacy legislation” which will increase penalties for breaches of privacy by social media firms and require a wide range of tech firms to verify the age of their users and obtain parental consent for users aged under 16.
Many elements of the draft legislation, unveiled by Attorney-General Michaelia Cash on Monday morning, were first announced by the federal government nearly three years ago.
The draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) bill significantly increases the maximum penalty for a data breach and also gives the Office of the Australian Information Commissioner (OAIC) further enforcement powers.
The bill also lays the groundwork for a binding Online Privacy code, to be developed by industry and apply to a wide swathe of tech firms, including the likes of Facebook, Google, Reddit, Bumble and OnlyFans.
This code includes new privacy protections for children and will likely require tech firms to take “reasonable” steps to verify the age of their users, and obtain parental consent for users under the age of 16.
Attorney-General Michaelia Cash said the reforms would ensure “Australia’s privacy laws remain fit for purpose in the digital age”.
“We know that Australians are wary about what personal information they give over to large tech companies,” Senator Cash said.
“We are ensuring their data and privacy will be protected and handled with care. Our draft legislation means that these companies will be punished heavily if they don’t meet that standard.”
The government committed to introduce the new code and tougher penalties for data breaches back in 2018 following the Facebook Cambridge Analytica scandal, and had originally planned to release draft legislation in the second half of 2019, and later by May.
The Online Privacy code addresses the “particular privacy challenges” posed by social media and other online platforms that hoover up significant amounts of personal information, and applies to social media firms, data brokerage services and large online platforms such as Apple, Amazon and Google.
The Code reinforces existing requirements under the Australian Privacy Principles, and introduces new requirements such as allowing users to request that a company take reasonable steps to not use or disclose, or to not further use or disclose, that individual’s personal information.
This could be a request by a user to not have their data used for direct marketing, the explanatory memorandum says.
“The new requirement recognises that, in some cases, it will be reasonable to take no steps to cease using or disclosing personal information following a request as it might not be practical to cease the use or disclosure,” it said.
In terms of children using these online services, the companies will have to take “all reasonable steps” to verify the age of individuals on their platforms, and ensure that the collection of personal information is “fair and reasonable” in each circumstance and is in the best interest of the children.
The wide range of tech firms will also be required to obtain express parental consent before collecting any information on users aged 16 or under.
The exact definitions of these terms – crucially what determines taking “all reasonable steps” to verify ages – will be determined as part of drafting the actual code and won’t be included in the legislation.
These age verification requirements have already drawn the ire of privacy advocates, who say that it will mean that tech giants obtain even more personal information on their users.
“Practically all implementation approaches to age verification require the provision of additional personal information. Given the value of identity documentation, this may create significant privacy and security risks,” Digital Rights Watch program lead Samantha Floreani told InnovationAus.
“There is no doubt that we need stronger privacy protections that are fit-for-purpose, and that privacy harms to children are particularly concerning. But we need to be careful that in an attempt to protect children online, we don’t end up introducing measures that actually undermine privacy for everyone.”
Electronic Frontiers Australia board member Justin Warren also questioned the age verification requirements and the overall approach of the bill.
“That is the complete opposite of privacy,” Mr Warren told InnovationAus.
“The rest of the bill creates a bureaucratic paper maze and hands more power to the eSafety Commissioner to use however they like instead of involving the existing legal system – too much power for one person to wield.”
The OAIC will be tasked with enforcing compliance with the Online Privacy code, which will be in place within 12 months of the legislation receiving royal assent.
Ms Floreani also questioned the use of delegated legislation, with the details of most of the new reforms left to be designed after the legislation has passed in consultation with industry.
“This means the actual details will be hashed out later in consultation with industry. The trouble with this is that it creates quite a lot of ministerial power and discretion, without the same level of oversight and accountability as primary legislation,” she said.
The other element of the draft legislation serves to increase the OAIC’s enforcement powers and scope.
Under the reforms, the maximum civil penalty for a data breach will be increased to $10 million, three times the value of the benefit obtained by the conduct or 10 per cent of the company’s annual domestic turnover, whichever is more.
The OAIC will also be given the power to issue new infringement notices for companies which fail to provide information as part of an investigation, with a $13,320 fine for non-compliance.
The Commissioner will also be able to require a tech company to engage an independent adviser to assist with a determination and to review relevant business practices and processes, and assess a company’s compliance with the Mandatory Notifiable Data Breach scheme.
The legislation paves the way for the OAIC to share information it has gathered during the course of an investigation with a law enforcement body, a different complaints body such as the eSafety Commissioner or state and territory governments.
These new powers ensure there is an “appropriate regulatory and enforcement toolkit to ensure the privacy regulator can resolve matters more efficiently and effectively”, the government said.