A “right to erasure” that goes further than the European Union’s data regulations and the introduction of fair and reasonable information handling principles are among the reforms to Commonwealth privacy laws now being considered by the Albanese government.
A two-year review of the Privacy Act by the Department of Attorney-General has made 116 recommendations aimed at improving and aligning privacy protections with global standards.
The report, released on Thursday, comes a full year after the department was originally expected to finish the review, which was instigated by the former Coalition government after its 2019 digital platforms inquiry.
It follows the release of an issues paper in October 2020 and a discussion paper in October 2021 that outlined the potential privacy reforms on the table. Since then, new proposals have been put forward and others have been reworked or dumped altogether.
“Consideration of the benefits and limitations and costs associated with proposals put forward in the discussion paper led to some proposals being reworked, some not being pursued and, in other cases, new proposals being put forward,” the review said.
“As such, some proposals have not had the benefit of stakeholder feedback and will require further consultation prior to implementation.”
“Strong privacy laws are essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry,” Attorney General Mark Dreyfus said.
“However, the Privacy Act has not kept pace with the changes in the digital world.”
The 320-page review has recommended introducing a “right to erasure” that allows individuals to request that organisations covered by the Privacy Act delete any information, which is broader than the GDPR-style right that was proposed in the discussion paper.
“An Australian right to erasure should not be limited by reference to specific categories of information. A right to erasure should be able to be exercised in relation to any information,” the review said.
Organisations that have collected information about an individual from a third-party or disclosed information to a third-party would also have to notify the third-party of the erasure request “unless it is impossible or involves disproportionate effort”.
But given the concern from law enforcement agencies about how this would work in practice, the review has recommended that “certain limited information should be quarantined rather than erased on request”.
A complementary “right to de-index online search results” containing personal information that is excessively detailed, sensitive, inaccurate, out-of-date, misleading or about a child, and a “right to object to collection, use or disclosure of personal information” have also been proposed.
If the rights were to be adopted, they would also likely cover a wider array of information, with the review recommending the definition of personal information be amended to any information that “relates to” an individual.
Specific information, such as geolocation and genomics data, would also be considered sensitive information.
Another key recommendation in the review is ensuring the collection, use and disclosure of personal information is fair and reasonable, including whether the “impact on privacy is proportionate to the benefit”.
“The fair and reasonable test would provide a principles-based means of determining whether handling of individuals’ personal information… are permissible,” the review said, adding that the test should be assessed from the perspective of a “reasonable person”.
These practices include creating or sharing detailed profiles on consumers, using machine learning to infer traits about individuals without their consent, using “predicted vulnerabilities” for targeted advertising, using personal information for political microtargeting, and using biometric data.
The review has also proposed a “direct right of action” that allows individuals to seek compensation in the Federal Court for a breach of privacy, which privacy advocates have long called for. To access the action, a claimant would first need to make a complaint to the Office of the Australian Information Commissioner (OAIC).
A statutory tort for serious invasions of privacy, as recommended by the Australian Law Reform Commission, is also proposed. The option is one of four that were canvassed in the 2021 discussion paper.
This approach was preferred by the “overwhelming majority” of submitters to the review. Supporters included academics, privacy and consumer advocates, the Law Council of Australia and the OAIC.
In response to the significant data breaches experienced by Optus and Medibank last year, the review recommends that organisations “determine, and periodically review, the period of time for which they retain personal information”.
The report also proposes that government conduct a “further review of legal provisions outside of the Privacy Act that require certain forms of personal information to be retained” and work to harmonise privacy laws across the federal, state and territory jurisdictions.
The Notifiable Data Breaches (NDB) scheme should also be modified to require that organisations notify the OAIC within 72 hours where there are “reasonable grounds to believe” that a breach has occurred, as is the case in the UK. Organisations currently have 30 days to report.
The review has also proposed removing the small business exemption once an impact analysis has been undertaken, while subjecting registered political parties to the Privacy Act for “any purpose in connection with an election, a referendum, or participation in another aspect of the political process”.
Following the Cambridge Analytica scandal in which the data of millions of Facebook users was used for political advertising without their consent, the review has also recommended parties “not engage in targeting based on sensitive information or traits which relates to an individual” unless a member.
Individuals would also be able to “opt-out of receiving targeted advertising [from a political entity] and have an unqualified right to opt-out of their personal information being used or disclosed for direct marketing”, if the political recommendations are adopted by government.
Similar changes have also been recommended for direct marketing, with the review recommending that individuals be provided with an “unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes”.
“The Australian people rightly expect greater protections, transparency and control over their personal information and the release of this report begins the process of delivering on those expectations,” Mr Dreyfus said.