The federal government will consider introducing a direct right of action to enforce privacy obligations, a right to erasure and a statutory tort of privacy as part of a significant review of existing privacy laws.
The Australian Competition and Consumer Commission (ACCC) made a series of recommendations for reforms to the Privacy Act as part of its digital platforms inquiry. The government agreed in principle to many of these, but said it would undertake further consultation before introducing any legislation.
The Attorney-General’s Department has now begun this process, releasing an issues paper and calling for submissions on this across this month. It is likely to be a long process before any legislation is introduced to Parliament, with a more detailed discussion paper expected next year with further consultation to follow.
The near-90-page issues paper outlines the broad range of the Privacy Act review and a list of potential reforms, along with a series of questions for stakeholders to respond to.
Significant issues that will be canvassed include a new definition of “personal information” to include technical data such as location information, a right to be erased, better abilities for individuals to litigate a claim over a privacy breach and the introduction of a statutory tort of privacy.
Australian Information Commissioner Angelene Falk welcomed the launch of the review and said it presents a “landmark opportunity” to ensure Australia’s privacy framework can respond to increasing challenges now and in the future.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” Ms Falk said.
“The review of the Privacy Act will help ensure that our regulatory framework can protect personal information into the future and hold organisations to account. Issues such as consent requirements, additional privacy rights, accountability measures and the Privacy Act’s coverage are fundamental to how we address the privacy challenges of the future.”
The current definition of “personal information” in the Privacy Act is expansive, and is about “information or an opinion about an identified individual, or individual who is reasonably identifiable”, whether the information is true or not or recorded in material form or not.
In its digital platforms report, the ACCC recommended that this be changed in order to address ongoing uncertainty over whether the technical data collected in relation to an individual is included in this definition, such as IP addresses, device identifiers and location data. The government review will be considering this after it supported the recommendation in principle.
The competition watchdog also called for individuals to have a right to require companies to “erase the personal information of a consumer without undue delay on receiving a request”, unless it is required to keep the data by a contract, under law or another public interest reason.
“It is considered that a right of erasure is a critical complement to strengthened consent requirements by providing consumers with a mechanism for withdrawing their consent if they are no longer comfortable with an Australian Privacy Principles entity collecting, using or sharing their personal information,” the ACCC said.
The government has asked stakeholders to respond to this recommendation and will be consulting further on it before potentially introducing a right to data erasure.
The review will also look at whether individuals should be given a direct right of action to bring actions and class actions against companies for breaches of the Privacy Act. This would allow them to seek compensatory damages as well as aggravated and exemplary damages for the harm caused by an interference with their privacy.
This recommendation by the ACCC was also supported in principle by the government.
Stakeholders will also be asked to provide feedback on the potential introduction of a statutory cause of action for serious invasions of privacy, to protect from invasions of privacy that may not be subject to the Privacy Act. In responding to the ACCC’s inquiry, the government merely noted this recommendation.
Submissions to the issues paper are due by 29 November, with a discussions paper expected at some point next year.