The government’s planned upgrade of Australia’s privacy law has been backed by the national regulator and cautiously welcomed by advocates and the tech sector after years of debate.
The government has agreed, at least in principle, to introduce new stricter requirements for handling personal information backed by new penalties and to end an exemption from the law for small businesses.
But some issues loom as divisive, with more consultation to come before legislation is revealed in this term of government.
Australian Information and Privacy Commissioner Angelene Falk called the introduction of a new ‘fair and reasonable’ obligation for collecting, using and disclosing personal information as “the most significant change to the Privacy Act in decades”.
“[It] will require organisations to ensure that their practices are fair and reasonable in the first place,” she said.
“This will provide confidence to the Australian community that like a safety standard, privacy must be built into products and services from start.”
Ms Falk also backed other key changes like the enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached through a new tort and the end to an exemption for small businesses with turnover under $3 million.
The watchdog, whose privacy surveys have repeatedly shown the Australian public is unsatisfied with rampant data collection and the current framework of protection, called for a speedy introduction after years of consultation.
“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework,” she said.
The Tech Council of Australia also welcomed the changes but flagged it will need more details on some government backed proposals like the new right to erasure, more transparency in algorithms, changes to privacy policies and big changes to online advertising.
“We see privacy reform as a key pillar of a credible response to improve Australia’s ability to safely and responsibly develop and adopt AI, to improve cyber security resilience and to enable the continued growth of the tech sector,” the group’s chief executive Kate Pounder said.
The Council is also expected to use its own privacy working group to debate its response to the proposals for a direct right of privacy and statutory tort of privacy, which it argues should only be introduced as a last resort.
The Australian Information Industry Association said it strongly backed the introduction of concepts like distinct data “controllers” and “processors” clarity as to where privacy obligations sit in the digital ecosystem, and the removal of the small business exemption.
“Australian businesses big and small hold a great deal of data, it is right that they all are covered under the Privacy Act. Government now needs to provide appropriate support, training and a fair lead time to achieve the required capabilities for SMEs to ensure they comply with the obligations of the Act,” AIIA chief Simon Bush said.
“This will provide a significant lift in Australia’s overall cyber security baseline and improve privacy outcomes for Australian businesses and their customers.”
Independent Senator David Pocock said the move to introduce better children’s privacy protections is overdue.
“Children and young people are not products and their data should not be treated as a commodity by advertisers or platforms as currently happens,” Senator Pocock said.
“It is estimated that around 72 million data points will have been collected on a young person by age 13, which is an extremely detailed picture of a young person and their interests.”
Digital rights group Reset.Tech Australia welcomed the government’s commitment to clarifying the act expanding the definition of data to capture more information and the introduction of a new Children’s Privacy Code.
But the government’s decision to only “note” a proposal to give Australians the right to opt out of targeted advertising was “deeply concerning” and not in step with community attitudes.
“While this is a welcome throwing-down of the gauntlet, there’s more to be done,” Reset.Tech executive director Alice Dawkins said.
“It’s a pity the government are cowering to big business pressure to park proposals to give Australians the right to opt-out of targeted advertising. Currently, all Europeans and 20 percent of Americans can opt-out of targeted advertising – and the sky didn’t fall in.”
The Human Technology Institute backed the introduction of privacy impact assessments for non-government entities engaging in high-risk activities like facial recognition, as the group is proposing in its model law for the technology.
HTI fellow Dr Kate Bower said the government’s response showed a strong commitment to addressing data breaches and invasive data collection, and urged quick action on the now government backed proposals.
“Each day we delay is another day that Australians are vulnerable to privacy harm from high-risk technologies, such as facial recognition and artificial intelligence,” Dr Bower said.
Do you know more? Contact James Riley via Email.