A significant review of the Privacy Act has been delayed, with a discussion paper still yet to be released 18 months after it was launched, while draft legislation introducing a new penalty scheme for data breaches announced well over two years ago still hasn’t been produced.
In response to the Australian Competition and Consumer Commission’s (ACCC) inquiry into digital platforms, the federal government agreed in principle to a number of recommendations for changes to the Privacy Act, but opted to launch a new review before going ahead with them.
The review was announced in December 2019, but an issues paper was not released until October last year. Submissions were open on that paper until late 2020, with a discussion paper expected to follow. That discussion paper has still not been produced.
The process has now been delayed, with the Attorney-General’s Department confirming that this discussion paper is still being finalised, and will be released for further consultation “shortly”.
“The timeframe for release of the discussion paper has been extended to enable more comprehensive consultation with stakeholders,” a spokesperson for the Attorney-General’s Department told InnovationAus.
The discussion paper has still not been released despite the inquiry being announced more than 18 months ago, and the issues paper being unveiled more than eight months ago.
It also means it’s unlikely that any legislative reforms will be unveiled and introduced to Parliament before the upcoming federal election, expected in early 2022. The department has previously said that the final report from the Privacy Act review was expected to be handed to the government in October this year, but this now appears highly unlikely.
Electronic Frontiers Australia board member Justin Warren said the delays are disappointing but he hopes the government is using the extra time to get it right.
“We’re disappointed when the government rushes through poorly drafted law, like the Online Safety Bill, so if the government is using this time to draft better law, that’s to be commended,” Mr Warren told InnovationAus.
“However, it’s frustrating when we see how quickly the government can move when it wants to. These are not new issues, but it seems the government has other priorities than protecting Australians’ privacy. We’d quite like a government that can do more than one thing at once, and do them all equally well.”
The government announced the review of the Privacy Act in late 2019 to ensure Australia’s privacy settings empower consumers, protect their data and best serve the Australian economy.
It is looking at whether the current laws effectively protect personal information, whether individuals should have direct rights of action to enforce their privacy protections, whether a statutory tort for serious invasions of privacy is needed and the effectiveness of enforcement powers and feasibility of an independent certification scheme to monitor compliance with privacy laws.
The long-running and delayed review comes despite the ACCC already telling the government what it thought was needed in terms of reform following its own 18-month inquiry.
The competition watchdog recommended legislative changes around the definition of “personal information”, the strengthening of notification and consent requirements, allowing for the erasure of personal information and direct legal rights for individuals.
The federal government opted to launch the wider review of the Privacy Act instead of moving ahead with these recommendations.
A number of submissions to the issues paper for the Privacy Act review called for the Office of the Australian Information Commissioner (OAIC) to be provided with more funding, resources and powers, and there is unlikely to be any movement on this until the review is completed.
Mr Warren said he hopes the review will conclude that significant changes to the Privacy Act are required, including the removal of the exemptions for political parties and SMEs, the introduction of a tort of serious interference with privacy, a ban on the use of facial recognition matched with databases and “no-go zones’ where data collection practices are strictly outlawed.
The Coalition has also long been promising to introduce tougher penalties for data breaches under the Privacy Act. The reforms were first announced well over two years ago following the Facebook Cambridge Analytica scandal, but there has been little movement since.
After already being significantly delayed, the Attorney-General’s Department promised the draft legislation would be released in May this year, after it was first expected in the second half of 2019.
Representatives from the Department told a recent Senate Estimates hearing that the legislation had been “substantially drafted” and the delay was due to a focus on COVIDSafe and other priorities.
But this draft legislation has still not been released, more than a month after the May deadline.
The government has promised to increase the current maximum penalty for a data breach from $2.1 million to $10 million or 10 per cent of a company’s annual domestic turnover.
Do you know more? Contact James Riley via Email.