Australia's blueprint for privacy reform–what you need to do today
01 November 2023
Watch the webinar: Our panel of legal and risk experts examined the Government's response to the Privacy Act Review Report, and what organisations can do to now prepare. A recording of the webinar is available here.
The Australian Government has released its eagerly anticipated Response to the Privacy Act Review Report, looking to make Australia's privacy laws fit for purpose in the digital age.
The Government has agreed or agreed in-principle with the vast majority of the Privacy Act Review Report's 116 recommendations – read more about the report and recommendations in our previous article. While the proposals have already been the subject of extensive consultation, the Government's response makes it clear that there is still significant scope for most proposals to be shaped and refined through further consultation – be prepared for quick and targeted engagement, however, as legislation is expected to be introduced in 2024.
Reforms in the pipeline require much greater transparency, traceability and risk management. Organisations will need to understand more about their operations and data, and be able to explain it to customers and regulators. And they will need the technology and governance in place to make it happen.
Proposed reforms, together with last year's privacy reforms, which increased the maximum penalties under the Privacy Act, bring a much more empowered and capable Office of the Australian Information Commissioner (OAIC), with a much more flexible investigation and enforcement toolkit. A promised strategic review may bring new resourcing, an industry funding model, contingency funds for litigation costs orders and an enforcement special account to fund high cost litigation. Organisations will be under pressure to demonstrate compliance with existing obligations while building capacity to comply with new obligations in the pipeline.
And more regulators are weighing in on cyber and privacy risks – from the Australian Securities and Investments Commission (ASIC) targeting directors managing cyber risks and continuous disclosure during a cyber attack, to the Australian Prudential Regulation Authority using the new operational risk management standard CPS 230 to "light a fire" under regulated entities, to an increasing Australian Competition and Consumer Commission (ACCC) focus on privacy as a consumer protection issue.
This may place organisations at the centre of a change management storm, balancing evolving customer expectations, an activist and enabled regulatory enforcement environment, competing demands and a rapidly tightening market for data, privacy and security talent. The talent squeeze will become more acute as the reforms progress – organisations across Australia will be looking to do the same work in the same timeframes, with the same labour and service provider pool.
While there is a temptation to wait for draft legislation before taking action, it is clear that reform proposals are built on the assumption that processes, procedures and systems are already in place to support current compliance.
Organisations that do not have this foundation in place prior to the reforms being enacted will struggle to demonstrate compliance with existing obligations, let alone meet new ones.
The work programs required to uplift visibility, control and governance of data practices will for many organisations involve multi-year modernisation programs with significant technology and business impacts – the changes will mean doing business differently, not just doing compliance differently.
See below for practical steps to take to get ready for the reforms, followed by a deep-dive into some of the key areas.
The first step is to baseline today's organisational capabilities. This means asking the right questions to identify gaps and capability uplift opportunities, and to understand which of those capabilities matter the most.
There are five critical questions you should be asking today.
An operational privacy risk management framework is essential for larger organisations. Hallmarks of an adequate framework include:
Privacy cross-collaboration is critical in bolstering strategic alignment and in operationalising a privacy risk management framework. This can be achieved through cross-collaboration forums and dedicated Management Committees. Such initiatives will enhance strategic alignment and coordinated privacy risk management efforts when chaired by cross-disciplinary stakeholders (including your CISO, CRO, GC, and Head of Privacy).
Make sure that specific milestones or points within the project management lifecycle are designated for assessing risk and integrating Privacy by Design advice – don't assume it will just happen. This ensures that privacy is a core aspect of project development and execution, and reduces the risk of costly remediation.
Similarly, it’s crucial to verify whether this approach is consistently applied in areas such as Privacy Impact Assessment (PIA), Cyber Security, and Third-Party Risk Assessment, ensuring a comprehensive and integrated risk management strategy across all organisational projects and initiatives.
In evaluating your organisation’s data management, it is essential to determine whether there is a centralised view of the location, volume, and types of personal information held. This overview should encompass visibility of how data is managed across its entire lifecycle, from the point of collection or generation, through to its deletion, enabling you to identify and remediate current risks and track changes in risk over time.
Without visibility of your data estate, it is impossible to govern your data effectively.
Data breach preparation is a key component of a mature privacy risk management framework. Without adequate preparation, an extra layer of complexity is unnecessarily added to the already difficult task of data breach response and recovery.
Key to this preparation is codifying clear roles and responsibilities within a comprehensive data breach response plan. Such a plan should detail processes for each stage of the breach response, including detection and identification, containment, recovery, notification, as well as review and improvement stages.
Practising response processes in simulated crisis scenarios for leadership teams and boards is another critical, yet often overlooked, part of data breach response preparation. Implementing these components in your privacy risk framework ensures a well-orchestrated and robust response to any data breach occurrences.
Knowing how and where automated decision-making is used (and keeping this information current) will be a new challenge for many organisations – requiring strong organisational transparency and traceability in data flows and business processes.
It will be impossible to explain automated decision-making to a customer or regulator unless you have detailed and current knowledge about your data and business operations – adopting a risk-based approach to identifying the areas that matter most.
We take a closer look at the Government's reform agenda below.
Few of the 116 proposals in the Privacy Act Review Report are "off the table" – although the Government has made it clear that there is still significant scope for proposals to be shaped and refined.
Language used in the Government response often differs from the original Privacy Act Review Report. In some cases, this might be simply to make the response easier to read. However, differences may signal how the Government will take proposals forward, explaining why so many proposals are "agreed in-principle" (rather than "agreed").
We explore some key proposals and overall themes we are seeing below.
The Government has agreed to give the regulator more flexibility and a stronger regulatory toolkit – likely to drive more investigation and enforcement action.
As last year's reforms demonstrated, changes to regulatory and enforcement powers can happen quickly, without further consultation or transition periods.
The expanded regulatory toolkit includes a binding codes and standards framework similar to those of the eSafety Commissioner, broader powers around emergency declarations, broader investigative powers, the ability to conduct public inquiries and reviews, and broader information sharing powers following data breaches.
The Government has also agreed broader consequences for non-compliance – including:
We may see an increase in very high value penalties, as well as more capability to pursue a broader range of smaller targets. The OAIC has been challenged recently in Senate budget estimates on whether it will pursue penalties for data breaches. We may also see civil penalties used to drive compliance with the OAIC's investigation and information gathering activities.
Government has agreed to all proposals on substantially automated decision-making (SADM), sending an extremely strong signal that the issue is high on the legislative agenda, and that legislation is likely to closely reflect the Privacy Act Review Report positions.
Automated decision-making in some form is widely used including to bring efficiencies, or to allow personalised or tailored services. Although it is often discussed alongside artificial intelligence, they are not the same: automated decision-making can include business rules or processes used to make decisions, as well as more complex artificial intelligence models.
The reforms will require:
The reforms apply to decisions that are substantially automated, framed this way to prevent entities from simply including a negligible human approval or rubber-stamp in the process to avoid the requirements.
Those decisions must have a legal or similarly significant effect on an individual's rights. The Government has said the new laws could extend to denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water. However, in Europe, decisions in ride-sharing apps have been found to meet this threshold – including assigning rides; calculating prices; rating drivers; and calculating fraud probability scores.
The Government has also clarified that information provided to individuals should not reveal commercially sensitive information – a key concern under Europe's current automated decision-making transparency rules and more extensive proposals for the regulation of artificial intelligence.
The SADM proposals do not extend to specific rights to object or request human review of a decision. However, we may see further reforms as part of the Government's response to the Supporting Responsible AI consultation or the Royal Commission into the Robodebt Scheme. For example, the Royal Commission into the Robodebt Scheme includes recommendations, in relation to government automated decision-making processes, for review of automated decisions, making business rules and algorithms available for expert scrutiny, and granting powers to a body to audit those processes.
Complying with the new rules proposed under the Privacy Act will require:
Automated decision-making will be significantly impacted by a broad range of other proposals – from changes around permitted uses of information, to more granular consents, to new requirements for privacy impact assessments for high-risk activities.
In response to consumer concern around several high-profile data breaches, the reforms took a predictable aim at security of personal information.
The Government has agreed to enhance current obligations to take reasonable steps to protect personal information to include both technical and organisational measures (adopting language from Europe's GDPR), largely a codification of current OAIC guidance. The Government has also agreed in-principle to new requirements to implement practices, procedures and systems to respond to a data breach.
Entities will need to reconsider their cyber security practices, procedures and systems (including organisational practices, hardware, software, networks and suppliers) to make sure they meet the "reasonable steps" requirement in a rapidly evolving cyber security environment – and be able to prove it to the regulator.
The occurrence of a cyber attack does not necessarily mean a breach of privacy laws – but investigations often reveal compliance problems in "business as usual" management of information – failure to take reasonable steps to secure it, or not having adequate practices, procedures and systems in place. Increasingly, regulators are looking to pro-actively investigate privacy and security capabilities before a data breach occurs – emphasising the need for formal, documented and accurately maintained risk management and incident response frameworks.
The Government has also agreed in-principle to review all legal provisions requiring retention of personal information, reflecting a similar commitment in the National Strategy for Identity Resilience. Read more about data retention and data minimisation strategies you can pursue in our article on identity resilience and digital identity, and in our submission to Australia's 2023-2030 Cyber Security Strategy.
Currently, an organisation must notify the OAIC as soon as practicable after it becomes aware that there are reasonable grounds to believe an eligible data breach has occurred. The Government has agreed in-principle that notification should happen within 72 hours at the latest, with the ability to notify further information progressively as details emerge, aligned to cyber incident notifications for critical infrastructure.
Organisations must also notify affected individuals as soon as practicable. Again, the Government has agreed in-principle that information can be notified progressively. This may in practice mean organisations will be under pressure to give more limited notifications earlier, before full details are understood.
As noted below under Other changes of note, the Government has agreed in-principle to the introduction of a controller/processor distinction similar to the concepts used under the GDPR. One implication of this change may be that only the controller (and not the processor) is required to undertake data breach notifications, potentially simplifying circumstances where a data breach relates to multiple entities.
A tighter focus on reporting timeframes may increase the risk of adverse public relations and customer outcomes for entities in having to publicly disclose data breaches before they have been fully investigated – as recent incidents have demonstrated, knowing a data breach has occurred can be very different from understanding exactly what data or individuals are impacted, to what degree, and what should be done in response.
To navigate these risks, organisations need incident response plans that include the ability to stand up and execute strong and secure decision-making, approval and regulator engagement processes. Organisations will also have to ensure they have a comprehensive oversight of their data estate before an incident occurs – incident responses become significantly delayed when organisations first have to discover the types of data stored in an affected asset.
You can read more practical tips on managing incident notification obligations in our article on recently commenced cyber incident reporting obligations for critical infrastructure sectors.
The Government has agreed to consult on clarifying last year's amendments, which meant that collecting personal information in Australia was no longer a requirement for Australian privacy law to apply. These amendments gave rise to concerns that so long as an organisation is doing business in Australia, all of the personal information which it collects, regardless of its geographical source, is regulated by the Privacy Act (as noted in Clearview AI Inc v Australian Information Commissioner AATA 1069). Traditional notions of what it means to be "doing business in Australia" in the context of the Privacy Act in a digital age are also coming into question.
In passing last year's amendments, the Government accepted the Senate Legal and Constitutional Affairs Committee recommendation to examine this issue further. The Government will be under pressure to clarify this uncertainty sooner rather than later.
In any event, multi-national company groups should carefully consider how data from different jurisdictions is managed, by what group companies – and which group companies might be "doing business in Australia" (including by providing services to other group companies). Multi-national organisations will need to make strategic decisions about whether to harmonise global business practices to comply with a pastiche of jurisdiction-specific data privacy regulations, or if business and data operations can be structured so that only local group companies need to manage local laws.
In welcoming the Privacy Act Review Report, the OAIC pointed to the new "fair and reasonable" requirement as shifting the burden of safeguarding privacy from individuals to organisations, describing it as a "new keystone of the Australian privacy framework".
The proposal will require any collection, use and disclosure of information to be fair and reasonable in the circumstances – even where an organisation has obtained consent.
The Government has described the test in terms of a balancing act – making sure impacts on individuals and the public interest in protecting privacy are considered alongside an organisation's interest in carrying out its activities or functions. This balancing of interests is similar to the ability to use information for a "legitimate interest" under European privacy law – with the important difference that the Australian "fair and reasonable" test will apply to all handling of personal information, including with consent.
This new test will apply another overlay to existing principles-based rules, and will likely add further uncertainty and complexity. Organisations will need good visibility of their data handling practices, an active assessment and review process, and transparency in policies and collection notices to ensure the "fair and reasonable" test is actively applied in their business, and have comfort that data handling practices and new innovations are not open to challenge.
In a key departure from the Privacy Act Review Report recommendations, the Government has flagged that it will expand the scope of personal information governed by the Privacy Act to include information that relates to an individual, “even if the identity of the individual is unknown” – for example, tracking shopping or internet browsing by the user's IP address, mobile device or using cookies. This concept refers to the ability to single out a person even if identity details (such as their name) are not known.
The Privacy Act Review Report concluded this information should not be covered by the definition of personal information, and instead that limited additional protections should apply to de-identified information (a proposal that the Government noted, but did not agree with).
Instead, in its response to the Privacy Act Review Report, the Government stated that it considers that information will be personal information regulated by the Act if it (by itself, or in combination with other information):
This change could have significant implications for what data is regulated. Data sets used and traded by businesses and researchers might currently be de-identified to the point that there is a low or no risk of re-identification, but that data might still contain enough information to distinguish an individual from all others – there's a very real risk that this data may be covered by Privacy Act protections in the future.
This is a significant change to the scope of Australian privacy law. We expect the Government will consult further on this issue, and consider how the protection of de-identified data should be protected through other mechanisms. However, organisations should prepare for the very real risk that much more of their data will be covered by the Act – even outside of this concept, the Government has also agreed in-principle to clarify that personal information is an expansive concept that includes technical, inferred or generated information.
We will likely see a much stricter regime for all of these activities, ensuring the individual has some degree of control over them.
Applying these rules to information about individuals who are not known (as discussed above) may be extremely complex – for example, managing opt-outs or consents of unknown individuals. Further consultation on exactly what "marketing", "targeting" and "trading" covers will have significant implications for who is more tightly regulated, and who is not.
The Government has emphasised that changes affecting employee records and small business will need significant further consultation to manage impacts.
The proposals stop short of calling for complete removal of the employee records exemption. Instead, the Government agreed in-principle to consider how enhanced privacy protections for private sector employees may be implemented in legislation, including how workplace and privacy laws should interact. Areas of note from the Privacy Act Review Report include transparency, protecting the security of employee records, and requirements for consents in collecting sensitive information, all while maintaining adequate flexibility.
While consent and similar requirements have driven a level of traceability and systematic management of customer records, the broad range of often unstructured information collected about employees can be practically much more difficult to manage. To get ahead of likely reforms, as well as to protect the security of employee data, uplift programs should include a focus on ensuring robust collection, security, retention and destruction policies for employee records.
Whether employee records protections are progressed or not, organisations must bear in mind that the current exemption is not bullet proof – for example, the Privacy Act applies to collecting information before it is added to an employee record, or to use or disclosure not directly related to the employee relationship.
The Government has agreed in-principle that consent must be voluntary, current, specific and unambiguous – a codification of current OAIC guidance. These requirements will have far-reaching implications in practice.
In another codification of OAIC guidance, the Government has agreed in-principle that privacy notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place. Collection notices should also include specific matters (for example, if information is collected, used or disclosed for high privacy risk activities). Balancing accuracy and completeness with keeping information concise and understandable is a growing challenge as business operations become more complex. For many organisations, keeping this information up to date will require active monitoring and near real-time visibility of personal information handling practices.
The Government has agreed in-principle a range of new individual rights, and accompanying obligations for organisations to assist individuals to exercise their rights. These rights include:
These new rights will not be absolute, but instead they will be subject to exceptions to balance the interests of individuals against other countervailing interests such as public interests. They will not apply for requests that are technically impossible, unreasonable, frivolous or vexatious.
Meeting these requirements requires good visibility of business data operations, including strong traceability of data, purposes of collection and use, and consents. Organisations burdened by legacy systems may face significant compliance costs in simply managing interactions with customers, let alone taking requested actions. Organisations need to have strong governance structures in place to ensure operational staff are aware of their roles and responsibilities in responding to, and providing reasonable assistance to, consumers exercising their rights, with support from privacy subject matter experts in the form of process documents, policies and advice.
Significant concerns about the potential administrative burden have not gone unnoticed – the Government has confirmed it will further consider the scope and application of these new individual rights in light of feedback about the administrative burden.
Consistent with trends overseas, the Government's response signals more requirements to assess, monitor and record privacy activities and risks – looking to drive better internal governance, and require organisations to create and maintain the records the OAIC will need to investigate non-compliance. New internal accountability measures include:
These requirements can be seen as the minimum baseline of capability required to comply with other privacy obligations – for example, the ability to respond to an individual's objection to data handling practices requires an organisation to hold the records to explain the data collected; the purpose of collection; the details of any consent (and whether it was voluntary, informed, current, specific, and unambiguous); how the data was actually used or disclosed; the purpose of that use or disclosure (and whether it was a primary or secondary purpose, or covered by a consent) and finally an assessment of whether all of these things were fair and reasonable in the circumstances.
While at first glance these changes may appear administrative, the complexity they could add to the business processes of an organisation cannot be overstated. Similar requirements exist under the GDPR, which requires detailed records of processing activities to be kept.
A direct right of action for breaches of the Privacy Act, and a statutory tort for serious invasions of privacy (for acts not covered by the Act), are likely to significantly expand liability exposure, especially arising from data breaches, and increase the risk of class action suits. The direct right of action could result in any order the court sees fit, including any amount of damages (potentially beyond the maximum penalties under the Privacy Act).
Outside the Privacy Act, a statutory privacy tort would be more accessible than existing causes of action such as breach of confidence or defamation, particularly when claimants are able to take advantage of the new individual rights discussed above. It may also open up an avenue for claims against organisations or individuals who are not otherwise bound by the Privacy Act.
In both of these cases, the expansion of rights that individuals have to bring claims directly in court also increases the potential class action risk, whether as a result of major data breaches or any other large privacy breaches that could arise in future.
The proposed changes are numerous, and there are others not mentioned here that will also have a significant impact on the way that entities comply with their privacy obligations. In particular:
We don't know the specifics of the reforms yet, but given how broad some of the changes are, entities can't afford to wait and see. We need to start building underlying capabilities today.
Adapting to these reforms would be hard enough if complying with new privacy laws was the only thing on the agenda. Ashurst’s recent Risk in Real Life report found that legal teams are already struggling to keep up with the pace of change and feel significant risk exposure. Teams often feel disempowered, and face organisational barriers in their ability to manage company-wide risk. These challenges are coming into sharp focus with an accelerating rate of regulatory change, and heightened expectations from governments, regulators and customers.
Outpacing change means developing the technical and organisational capabilities to understand the business in real time. Better visibility, governance, control and risk management capabilities will help organisations not only adapt to and thrive under coming privacy reforms, but improve cyber security and enable organisations to adapt to the increasingly intense and uncertain regulatory compliance and reform environment. Investment in core capabilities is a "no regrets" decision that can be made before we see the detail of coming reforms.
Through close collaboration between Ashurst’s legal and risk advisory services, we help in-house teams outpace change, translating legal insight into risk-informed interventions, systems and controls to shift the dial where it matters most.
To learn more about what you can do today to get in front of coming reforms, please reach out to the key contacts below.
Authors: Tim Brookes (Partner, Digital Economy); Geoff McGrath (Partner, Digital Economy); Rebecca Cope (Partner, Digital Economy); Leon Franklin (Director, Risk Advisory); Andrew Hilton (Expertise Counsel, Digital Economy); Kendrick Deng (Associate, Digital Economy); and Michael Turner (Executive, Risk Advisory).
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 1 November 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.