Australian government releases a long-awaited report on review of the Privacy Act, proposing wholesale amendments to Australia’s flagship privacy legislation.
In brief
The Commonwealth Attorney-General’s Department has released its long-awaited report (the “Report”) on its review of the Privacy Act 1988 (Cth) (“Privacy Act”), which proposes widespread amendments to Australia’s flagship privacy legislation. Stakeholders have until 31 March 2023 to provide feedback to the government on the proposals.
The Report proposes amendments across three areas:
- Scope and application of the Privacy Act – while the principles-based approach to regulation would be retained, some revisions would be made to clarify and broaden the scope and application of the Privacy Act. Most notably, definitions would be added and amended to provide clarity (for example, to confirm that technical and inferred information is captured), geo-location tracking data would be subject to consent requirements, de-identified information would be regulated to a certain extent, and certain exemptions – including the employee records exemption – would be narrowed or removed completely.
- Protections – personal information would be subject to enhanced protections, including through the introduction of new EU-inspired rights for individuals and an overarching requirement that collection and handling of personal information must be objectively “fair and reasonable”. Collection notices and consent requirements would be enhanced and might ultimately be standardized. Records would need to be kept regarding purposes of processing and entities would be expected to appoint a privacy officer. Additional transparency would be mandated for certain automated decision making. Privacy impact assessments would be compulsory prior to undertaking high privacy risk activities, and special requirements would apply in respect of vulnerable people’s and children’s personal information. Direct marketing, targeting and trading in personal information would be more heavily regulated, with individuals having clear rights to opt out. Other key proposals include: revisions to security, retention and destruction obligations; adoption of a limited controller-processor distinction; and changes in respect of overseas data flows and extraterritorial application of the Privacy Act.
- Regulation and enforcement – the range of available penalties for non-compliance would be expanded to cover a clarified and expanded range of conduct. Australia’s privacy regulator, the Office of the Australian Information Commissioner (“OAIC”), would enjoy expanded powers including the right to require entities to identify and mitigate loss and damage that could result from their privacy failings. Other notable changes include: allowing individuals a direct right of action to seek relief for interferences with their privacy; a statutory tort for serious invasions of privacy; and changes to the notifiable data breach scheme, including a 72-hour notification deadline.