Govt backs landmark reforms to Australian privacy law


Joseph Brookes
Administrator

The federal government has agreed to most of the recommendations in a landmark review of Australia’s privacy law to bring it into the digital age, including a right to erasure and removing current exemptions for small businesses.

Privacy policies and data collection notices look set to be cleared up and made more concise, while the definition of consent will be clarified to be voluntary, informed, current, specific, and unambiguous.

The government has also agreed in principle to a new statutory tort for serious invasions of privacy, while new tiers of civil penalties could also make enforcement more common for less serious breaches.

But the Albanese government won’t commit to removing carve outs for political parties or bringing in more protections for the sharing of de-identified data.

Attorney-General Mark Dreyfus and Prime Minister Anthony Albanese. Image: Twitter

After almost three years of consultations, the government was in February handed 116 recommendations aimed at improving and aligning privacy protections with global standards.

On Thursday, Attorney-General Mark Dreyfus announced the Albanese government had agreed or agreed in principle to most of them in an official response.

Legislation will be developed in this term of government, but more consultation, an impact analysis for some changes and “appropriate transition periods” will add to the already years-long saga of reforming Australia’s Privacy Act.

New tort gives individuals the right to sue

In a significant change, the government has agreed in principle to introduce a statutory tort for serious invasions of privacy. At present, there is no recourse for Australians whose privacy is invaded in circumstances which fall outside the scope of the Act.

The government’s response to the review of the Privacy Act lists being filmed in a public bathroom or workers misusing information obtained from a co-worker’s record as possible examples of when the tort could apply.

The right to be deleted

The government has also given in-principle agreement to a new right to erasure — extending to third parties in some cases — that would cover any of an individual’s personal information. It would require an entity to delete or de-identify the information.

There will be exceptions to the new right to erasure for law enforcement and national security, and for information collected by media organisations through the planned exemptions for journalists.

New test for information handling

The government also agreed in principle to a “fair and reasonable” test of information handling. It would require the collection, use and disclosure of personal information to be fair and reasonable in the circumstances, determined by the perspective of a reasonable person.

Currently an entity can rely on a legitimate business interest and reasonable protections in justifying the collection, use and disclosure of personal information.

The new fair and reasonable test would apply irrespective of whether consent is obtained and has been labelled by Australia’s privacy watchdog as “the most significant change to the Privacy Act in decades”.

Baseline obligations on the way

The government also backed enhancing the security obligations under the law so entities will be required to take technical and organisational measures to protect personal information, while a set of baseline principles will likely be developed in conjunction with the upcoming national cyber strategy, the government response said.

While there won’t be any new mandated limits on data retention, the government has given in-principle agreement to requiring entities to establish their own minimum and maximum retention periods, which will need to be specified in privacy policies.

Consent gets real

The government has also given in-principle agreement to beefing up the definition of consent to be “voluntary, informed, current, specific and unambiguous”. Currently entities can rely on implied consent to collect personal information in some situations.

The Government also agrees in-principle that the Privacy Act should expressly recognise the ability for individuals to withdraw consent in an “easily accessible manner”.

Small businesses lose carve out

The tough new privacy rules will now also be applied to small businesses, with the government agreeing in principle to removing the current exemption from the Privacy Act for most small businesses with a turnover of less than $3 million.

The government response said there was strong community support for the move and it must be made “in light of the privacy risks applicable in the digital environment”.

The change won’t happen soon, with more consultation flagged to identify potential modifications to privacy obligations for small businesses, which will likely oppose the changes.

But small businesses in high-risk areas like biometrics and facial recognition look set to lose the exemption sooner, according to the government response, which does not indicate specific timelines.

Politicians don’t remove carve out for politicians

The current controversial exemption for political parties and representatives looks set to remain, with the government only noting the recommendation to remove it.

Critics say the exemption needs to go after repeated instances of mass unsolicited spam texts and other attempts to spread misinformation, including at last year’s federal election.

De-identified and re-identified data

The government also only noted a proposal for entities to be prohibited from re-identifying de-identified information obtained from anyone but the individual the information relates to.

But a proposal to consult on introducing a criminal offence for “malicious re-identification” of de-identified information was backed by government in the response. The offence would only apply where there is “an intention to harm another or obtain an illegitimate benefit, with appropriate exceptions”.

Labor opposed a bill from 2016 that would have criminalised re-identification more generally. The proposal for a blanket ban on re-identification has also drawn strong criticism from researchers who have publicly demonstrated de-identified government data could be reidentified.

However, the government only noted recommendations to better protect de-identified data generally, including when it is shared with foreign entities or used for targeted advertising.

The government also only noted a recommendation to stop entities from re-identifying de-identified information obtained from a source other than the individual to whom the information relates.

Location, location, location

In-principle agreement was also given to recognising the collection, use, disclosure and storage of precise geolocation tracking data as a practice which requires consent.

Google lost a federal court case in 2021 after the tech giant was found to have misled Australian consumers by tracking their location even after users opted out of location data. Google was ordered to pay $60 million in fines and settled the case.

More protection for children’s privacy

In a boost for children’s safety online, the government agreed in full to defining a child in the Act as anyone under 18. Some platforms have skirted privacy requirements in the past by not considering 16- and 17-year-old users as children.

After the Act is reformed, the government will also develop a Children’s Online Privacy code that clarifies how the best interests of the child should be upheld in the design of online services, similar to a move in the UK that advocates have argued for in Australia.

A new suite of privacy protections for children, like banning targeted ads to them unless it is in the best interest of the child, was also backed in principle, as was a ban on trading children’s data or direct marketing unless the child directly provides the information.

Online ads shakeup

In a potentially significant shake-up to online advertising, the government has backed official definitions for types of online advertising and prohibiting targeted advertising that is based on sensitive information.

Targeted advertising in general will also need to be “fair and reasonable in the circumstances” and entities will need to explain their systems, including information on algorithms.

But a proposal to establish an unqualified right to opt out of targeted ads has not been supported by the government.

Contextual targeted advertising is the focus of the reforms, which will look to continue allowing socially beneficial advertising like health campaigns.

The Attorney-General has committed to having legislation that brings in the changes in this term of government. But likely opposition from various groups and more rounds of consultation mean Australia’s privacy law reform saga could drag on for years more.
