Watch the webinar: On 3 March 2023, our panel of legal and risk experts examined the key reforms, themes and issues emerging from the Government's report and shared their insights on what these recommendations will mean. A recording of the webinar is available here.
What you need to know
- Today, the Attorney-General's Department released its Privacy Act Review Report 2022.
- Two years in the making, the report delivers 116 specific recommendations that, if adopted, will fundamentally change how we deal with data in Australia.
- You have 6 weeks to influence the Government's response – submissions to its consultation close 31 March 2023. We expect the Government to push comprehensive privacy law reform as a key priority before the next election.
- The 116 recommendations are a comprehensive reform package – broadening and clarifying the information protected by privacy laws, enhancing privacy protections with a focus on protecting and empowering individuals, and building a stronger more flexible enforcement and compliance toolkit.
- Recommended reforms have the potential to drive complexity into data handling (for example, through more stringent consent requirements), to increase potential liability from incidents (through direct causes of action), and to significantly constrain direct marketing, data analytics, artificial intelligence and the use of third party data.
What you need to do
- Understand what's coming – After two years of work, the report is likely to be the most comprehensive picture of the future of privacy in Australia. Getting across 116 recommendations, and how they impact your business, requires focus. Read more about key recommendations below.
- Make your views known – With an aggressive reform agenda and the political importance of cybersecurity and privacy reforms, we expect the Government will move fast. Now is the chance to influence the Government response by making targeted submissions.
- Expect enforcement activity – Experience of privacy uplifts overseas indicates that, as a first step, we will see more enforcement and investigation activity in Australia in relation to existing privacy obligations before new obligations get traction. New privacy obligations may have lead times, but new regulatory tools and enforcement options probably won't.
- Understand your data better – Build the internal resources and partnerships that will give you better visibility of how you collect, store, use, disclose, track, monitor and control personal information. Know what you should do and what you actually do – and have the controls in place to manage and understand this in real time.
- Know your challenge – Explore and evaluate the scale of activities required to comply with key reforms that affect your business.
- Focus on security and privacy – Security and privacy support each other, but are not the same thing. Security incidents can occur without a data breach, and a data breach can occur without being attacked.
- Understand, secure and build capacity – Start planning now for how you will recruit and retain privacy and tech talent, or find the right partners to help get your organisation where it needs to be.
116 recommendations – but time to influence Government's response
The Attorney-General's Department has released its report on its long-running review of Australia's privacy laws. The report delivers 116 recommendations that, if adopted, will fundamentally change how we deal with data in Australia.
The report is not the final word – consultation on the Government's response will close on 31 March 2023, giving only 6 weeks to influence Australia's ambitious privacy agenda.
The report aims to bring stronger privacy protections to support digital innovation and enhance Australia's reputation as a trusted trading partner. With such a broad and ambitious set of reforms, it is vital for industry and stakeholders to make sure their views have been heard, and to bring to light any unintended consequences of recommended reforms.
What is recommended?
Broadly speaking, the 116 recommendations in the report focus on:
- broadening and clarifying the type of information covered by Australian privacy laws;
- enhancing privacy protections – with a focus on protecting and empowering individuals; and
- strengthening the enforcement and compliance toolkit – providing more options to the regulator, reducing regulatory complexity and providing greater flexibility.
We look at some of the key reform recommendations below.
New privacy rules
The report recommends a raft of new privacy rules, including:
- Fair and reasonable test: An objective test requiring the collection, use and disclosure of information to be fair and reasonable in the circumstances. This will apply another overlay to the existing principles-based rules for the handling of personal information and will likely add further uncertainty to the lawful handling of personal information.
- Consent: Consent will only be valid if it is voluntary, informed, current, specific and unambiguous. Further, any consent must be capable of being withdrawn. Importantly, the report does not recommend replacing Australia's primary and secondary purposes with a European GDPR style focus on consent as the primary mechanism to allow collection, use or disclosure of personal information.
- Right to erasure: A right for an individual to have their personal information held by an entity erased. This will likely involve significant practical complexity given the recording of information for valid reasons such as data restoration. This will also include an obligation for those entities to pass the erasure request to third parties to whom they have disclosed the relevant individual's personal information, unless the effort to do so is disproportionate.
- Objecting to collection of information: A right for an individual to object to the collection, use and disclosure of their personal information, coupled with a requirement for an entity to provide a written response to the objecting individual, with reasons.
- Reasonable assistance: Entities will be required to provide individuals with reasonable assistance in the exercise by those individuals of their privacy rights, and they must also take reasonable steps to respond to the exercise of rights by that individual.
- Records of purpose of collection: A requirement for entities to determine and record the purposes for which they will collect, use and disclose personal information at or before the time of collection. This will increase markedly the compliance burden for entities, and requires significant acumen to foresee all potential or future handling of personal information.
- Record of secondary purpose: A requirement to record a secondary purpose of use and disclosure before undertaking that use or disclosure. This will create additional compliance burdens. It is not clear whether the regulatory benefit will outweigh that burden.
Direct rights of action
The report recommends:
- a direct right of action for individuals for Privacy Act breaches which cause harm; and
- a statutory cause of action for individuals in respect of a serious invasion of their privacy, as recommended by the Australian Law Reform Commission in its report in 2014 to enable remedies for individuals for breaches of privacy which fall outside the Privacy Act.
The proposed direct right is likely to significantly expand liability exposure, especially arising from data breaches, and to increase the risk of class action suits. A statutory privacy tort would be more accessible than existing causes of action such as breach of confidence or defamation.
Direct Marketing, Targeting and Trading
The recommendations propose a much stricter regime for all of these activities, ensuring the individual has some degree of control over them. These include recommendations that:
- An individual's consent must be obtained prior to the trading of their personal information. Trading includes the disclosure of personal information for a benefit, service or advantage. This would seem to have significant scope to affect legitimate disclosures of personal information which would not fall within the normal conception of 'trading'.
- A right for an individual to opt out from receiving targeted advertising. Targeting is broadly defined to be the handling of personal information for tailoring services, content, advertisements or offers provided to an individual, whether on their own or as a member of a class. This will limit analytics and marketing directed at individuals or at cohorts. The consequences of extending this prohibition beyond merely using the information may create difficulties.
- A right for an individual to opt out of their personal information being used for direct marketing.
Privacy assessments for high risk activities
Activities which are likely to have a significant impact on the privacy of an individual will require privacy impact assessments. In addition, privacy collection notices must include the circumstances of collection, use and disclosure of personal information for a high privacy risk activity.
Undertaking an impact assessment will expose entities to claims that they failed to properly consider and mitigate risks, should adverse consequences arise.
Mandatory privacy impact assessments already exist in the public sector, and they have been a voluntary best practice in the private sector for several years. A new mandatory requirement for the private sector (and increased visibility of "high risk" activities) emphasises the need for better visibility of data collected, the purposes for which it is collected, what the data may be used and disclosed for, how data is actually used, and connected data governance that links these things together. This is particularly important when combined with stricter privacy rules and requirements to keep records of primary and secondary uses and disclosures of personal information.
More remedies for privacy breaches
In addition to the recent significant increase in maximum penalties for interferences with privacy, the report recommends introduction of:
- tiers of civil penalties to target interferences with privacy which are not serious, and administrative breaches of the Privacy Act; and
- a power for the OAIC to direct entities to identify, mitigate and redress actual or reasonably foreseeable loss.
This may enliven class actions for interferences with the privacy of individuals and facilitate a more active regulatory oversight of compliance with privacy laws, with proportionate outcomes for breaches of the Privacy Act.
Media organisations and journalism
The report recommends a tightening of the journalism exemption, requiring media organisations to be subject to privacy standards either overseen by a recognised oversight body, or that adequately deal with privacy. Media organisations may also need to comply with security and destruction/de-identification obligations and data breach notification rules (with modifications to account for public interests in journalism). The proposed statutory tort discussed above will also have a significant impact on media organisations.
Automated decision making
As part of a broader initiative to regulate artificial intelligence and automated decision making, the following was recommended:
- a right for individuals to request information about how substantially automated decisions are made where they have a significant effect on an individual.
There is no right to have those decisions reviewed by an individual within the entity, which would be a more meaningful right, but we assume this might be considered as part of a set of further reforms going beyond information handling.
Notifiable data breaches
There are a number of proposed changes to the notifiable data breaches scheme.
- Reduce the time period for the mandatory reporting of data breaches, after an entity becomes aware there are reasonable grounds to believe there has been a notifiable data breach, to:
  - 72 hours for notifying the OAIC; and
  - as soon as practicable for notifying individuals, and if necessary to do so progressively.
This proposal will increase the risk of adverse public relations and customer outcomes for entities in having to publicly disclose data breaches before confirming they have actually occurred.
Over time, we expect data breach notification timeframes and processes to align between State and Commonwealth privacy regimes, the Security of Critical Infrastructure regime and other regulatory notification requirements.
- Require entities to set out the steps taken or to be taken in response to a breach, including those to reduce adverse impacts to individuals.
- Expand the categories of information that trigger a mandatory data breach notification to include employees' personal information.
- Consider imposing an obligation to take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a data breach. This could create significant complexity if it needs to be undertaken on an individual-by-individual basis, and would potentially impose liability arising from a failure to take such mitigating steps.
- Impose on entities an obligation to take reasonable steps to implement practices, procedures and systems to enable them to respond to a data breach. This will mean entities must have well-considered and rehearsed processes in place to deal with privacy breaches, as their actions to deal with incidents could be examined and found wanting in hindsight.
- Introduce a criminal offence for malicious re-identification of de-identified information with intent to harm another or obtain an illegitimate benefit.
Employee records and small business
The report recommends:
- removing the small business exemption, but only after consultation, and with measures to address the difficulties these organisations face in assuming this compliance burden; and
- modifying the employee records exemption to provide transparency to employees about information handling practices, while preserving employers' right to flexibility in handling employees' personal information for the purposes of the employment relationship. In addition, better protecting employees' personal information from being handled incorrectly, and ensuring it is destroyed when no longer required.
Broadening and clarifying "personal information" protected
The scope of information regulated by the Privacy Act would:
- be expanded – to apply to identifiable information which relates to an individual rather than identifiable information about an individual, in order to address the limitation of the latter formulation, which requires the individual to be the subject matter of the information. Sensitive information (which requires consent for collection from the individual) would be expanded to include genomic information. Additionally, personal information which had been de-identified would be subject to a limited set of privacy regulations to protect it from unauthorised handling, loss or re-identification; and
- be reduced – at present the Privacy Act regulates all personal information held by an entity which does business in Australia, regardless of whether that personal information has any nexus with Australia. The report recognises there should be a further nexus with Australia before that information is regulated by the Privacy Act.
How close are new "fit for purpose" privacy laws?
Privacy reforms have been a long time coming – with the need for reforms tracing back to the ACCC's 2019 Digital Platforms Inquiry.
Making Australia's privacy laws "fit for purpose" in a digital age is a key election commitment – the Government will be under increasing pressure to make "ratchet changes" to Australia's data landscape.
Massive new privacy penalties and other reforms were brought in last year with bipartisan support despite significant criticism (see Australia's massive new privacy penalties become law, but will be clarified). While increased penalties were first flagged in the ACCC's 2019 Digital Platforms Inquiry, specific reforms were introduced in late October 2022 and passed by late December 2022 – demonstrating the pace at which reforms might be possible.
With over two years of work under both Labor and Liberal governments and several rounds of extensive consultation under its belt, the Government will be in a position to push its ambitious privacy and data security agenda – and will be under pressure to pass meaningful reforms before the Federal election.
Controversial issues may emerge, but it is increasingly common to either allow controversial legislation to pass subject to clarification, to defer complex issues to industry consultation, or to accelerate less controversial reforms (as occurred with the "splitting" of Security of Critical Infrastructure legislation in 2021).
The Government's response to the Privacy Act review will be a political commitment, and it will be difficult for the Government to change paths once announced. With several rounds of consultation behind them, now is the time to shine light on big ticket issues and unexpected consequences.
Strong engagement is vital
The report recommends a more flexible Privacy Act. The Privacy Act will continue to be "principles-driven", with more specific detail where required – in the legislation, in privacy codes, or through more specific guidance from the regulator.
This approach is not new, and reflects the approach taken both by the privacy regulator and other regulators in Australia. However, building this approach further into the legislation will likely give the privacy regulator a more interventionist and forward-looking role moving forward.
This approach of using legislation to establish the framework but not the detail of obligations has been criticised, for example in current debates on Consumer Data Right reforms, as limiting parliamentary scrutiny. Australia's Security of Critical Infrastructure legislation follows a similar approach, with important detail about which obligations apply to which entities and in what circumstances determined through industry consultation.
We expect this trend to legislate at a framework, rather than a substance level, to continue.
A key part of this picture is a likely increased reliance on privacy codes for "hot button" issues – and the ability for the regulator to impose codes where it is not satisfied with industry's approach.
This means ensuring your organisation has strong engagement with regulators and will not suffer from "consultation fatigue" is vital to both planning for regulatory change and influencing regulation.
Preparing for change
New obligations are unlikely to apply to past conduct, and we can expect some lead time for businesses to bring practices up to speed with new rules.
Recent high-profile cybersecurity incidents and the massive new penalties introduced last year have brought significant focus and investment to cybersecurity and data retention practices in particular. But the scope of the proposed reforms goes much further than securing data from external threats.
More will need to be done to understand and track how data is or should be used within organisations – protecting data from misuse as well as disclosure, and having strong policy and management frameworks in place.
Privacy by design and security by design principles are gaining traction in many industries, but many organisations are still burdened by legacy systems and technical debt that makes change hard.
With a tight market for data privacy and technical talent, and increasingly stretched budgets and project pipelines, building capacity through retention, recruitment and the right partners is key.
Get your house in order – understanding your data
The first step in preparing for the future state of privacy is to improve your understanding of your organisation – knowing what is happening on the ground is half the battle:
- What personal information do you collect and hold? How long do you hold it for?
- What personal information should you collect and hold? How long should you hold it for?
- What should various personal information be used for? For what purpose was it collected, and what consents apply? How can you tell?
- What is the data in fact being used and disclosed for – can you map the use of data to a lawful purpose, such as a consent?
- Do you de-identify information? What de-identified information do you hold, and how do you use and disclose it?
- How are new proposed uses of data identified and assessed?
- What controls do you have in place to make sure these answers line up with policies, consents and privacy laws?
- What records can you use to demonstrate compliance should the regulator come knocking?
In the race for digitalisation and artificial intelligence, many organisations are deliberately de-siloing data to gain better business insights and simplifying IT operations to make delivering IT projects easier in a tough environment.
Managing how information can and should be used must be built into the governance, culture and systems – adopting privacy by design principles.
You can read more practical steps on managing data risks in our previous Digital Economy and Risk Alert – Understanding Your Organisation's Data.
Expect more enforcement and investigations
While we might not yet know the detail of new privacy obligations or the timeframes for compliance, we do know that the regulator has already been given new powers, and will likely be given further powers in the future. New privacy obligations will have lead times – new regulatory tools probably will not.
We expect the regulator to be better funded to take a more proactive role in driving compliance before incidents occur. With this uplift, we expect an increase in enforcement action in relation to existing privacy obligations.
What does this mean for insurance?
With an escalating cyber threat landscape, the availability, coverage and cost of cyber insurance is a growing concern.
With massive new penalties already in play, a more active regulator, stricter privacy rules and the prospect of a privacy tort, it will be important to monitor how insurers react. We may see cyber or data-specific insurance become harder to obtain, more carve-outs from other insurance policies, and new opportunities for insurance and mitigation services.
Authors: Tim Brookes, Partner; and Andrew Hilton, Expertise Counsel.