Overhaul of Australian privacy laws imminent
16 February 2023
Watch the webinar: On 3 March 2023, our panel of legal and risk experts examined the key reforms, themes and issues emerging from the Government's report and shared their insights on what these recommendations will mean. A recording of the webinar is available here.
The Attorney-General's Department has released its report on its long-running review of Australia's privacy laws. The report delivers 116 recommendations that, if adopted, will fundamentally change how we deal with data in Australia.
The report is not the final word – consultation on the Government's response will close on 31 March 2023, giving only 6 weeks to influence Australia's ambitious privacy agenda.
The report aims to bring stronger privacy protections to support digital innovation and enhance Australia's reputation as a trusted trading partner. With such a broad and ambitious set of reforms, it is vital for industry and stakeholders to make sure their views have been heard, and to bring to light any unintended consequences of recommended reforms.
Broadly speaking, the 116 recommendations in the report focus on:
We look at some of the key reform recommendations below.
The report recommends a raft of new privacy rules, including:
The report recommends:
The proposed direct right is likely to significantly expand liability exposure especially arising from data breaches and increases the risk of class action suits. A statutory privacy tort would be more accessible than existing causes of action such as breach of confidence or defamation.
The recommendations propose a much stricter regime for all of these activities, ensuring the individual has some degree of control over them. These include recommendations that:
Activities which are likely to have a significant impact on the privacy of an individual will require privacy impact assessments. In addition, privacy collection notices must include the circumstances of collection, use and disclosure of personal information for a high privacy risk activity.
Undertaking an impact assessment will expose entities to claims that they failed to properly consider and mitigate risks adequately, should adverse consequences arise.
Mandatory privacy impact assessments already exist in the public sector, and they have been a voluntary best practice in the private sector for several years. A new mandatory requirement for the private sector (and increased visibility of "high risk" activities) emphasises the need for better visibility of data collected, the purposes for which it is collected, what the data may be used and disclosed for, how data is actually used, and connected data governance that links these things together. This is particularly important when combined with stricter privacy rules and requirements to keep records of primary and secondary uses and disclosures of personal information.
In addition to the recent significant increase in maximum penalties for interferences with privacy, the report recommends introduction of:
This may enliven class actions for interferences with the privacy of individuals and facilitate a more active regulatory oversight of compliance with privacy laws, with proportionate outcomes for breaches of the Privacy Act.
A tightening of the journalism exemption, requiring media organisations to be subject to privacy standards either overseen by a recognised oversight body, or that adequately deal with privacy. Media organisations may also need to comply with security and destruction/de-identification obligations and data breach notification rules (with modifications to account for public interests in journalism). The proposed statutory tort discussed above will also have a significant impact on media organisations.
As part of a broader initiative to regulate artificial intelligence and automated decision making, the following was recommended:
There is no right to have those decisions reviewed by an individual within the entity, which would be a more meaningful right, but we assume this might be considered as part of a set of further reforms going beyond information handling.
There are a number of proposed changes.
This proposal will increase the risk of adverse public relations and customer outcomes for entities in having to publicly disclose data breaches before confirming they have actually occurred.
Over time, we expect data breach notification timeframes and processes to align between State and Commonwealth privacy regimes, the Security of Critical Infrastructure regime and other regulatory notification requirements.
The report recommends:
The scope of information regulated by the Privacy Act would:
Privacy reforms have been a long time coming – with the need for reforms tracing back to the ACCC's 2019 Digital Platforms Inquiry.
Making Australia's privacy laws "fit for purpose" in a digital age is a key election commitment – the Government will be under increasing pressure to make "ratchet changes" to Australia's data landscape.
Massive new privacy penalties and other reforms were brought it last year with bipartisan support despite significant criticism (see Australia's massive new privacy penalties become law, but will be clarified). While increased penalties were first flagged in the ACCC's 2019 Digital Platforms Inquiry, specific reforms were introduced in late October 2022 and passed by late December 2022 – demonstrating the pace at which reforms might be possible.
With over two years of work under both Labor and Liberal governments and several rounds of extensive consultation under its belt, the Government will be in a position to push its ambitious privacy and data security agenda – and will be under pressure to pass meaningful reforms before the Federal election.
Controversial issues may emerge, but it is increasingly common to either allow controversial legislation to pass subject to clarification, to defer complex issues to industry consultation, or to accelerate less controversial reforms (as occurred with the "splitting" of Security of Critical Infrastructure legislation in 2021).
The Government's response to the Privacy Act review will be a political commitment, and it will be difficult for the Government to change paths once announced. With several rounds of consultation behind them, now is the time to shine light on big ticket issues and unexpected consequences.
The report recommends a more flexible Privacy Act. The Privacy Act will continue to be "principles-driven", with more specific detail where required – in the legislation, in privacy codes, or through more specific guidance from the regulator.
This approach is not new, and reflects the approach taken both by the privacy regulator and other regulators in Australia. However, building this approach further into the legislation will likely give the privacy regulator a more interventionist and forward-looking role moving forward.
This approach of using legislation to establish the framework but not the detail of obligations has been criticised, for example in current debates on Consumer Data Right reforms, as limiting parliamentary scrutiny. Australia's Security of Critical Infrastructure legislation follows a similar approach, with important detail about which obligations apply to which entities and in what circumstances determined through industry consultation.
We expect this trend to legislate at a framework, rather than a substance level, to continue.
A key part of this picture is a likely increased reliance on privacy codes for "hot button" issues – and the ability for the regulator to impose codes where it is not satisfied with industry's approach.
This means ensuring your organisation has strong engagement with regulators and will not suffer from "consultation fatigue" is vital to both planning for regulatory change and influencing regulation.
New obligations are unlikely to apply to past conduct, and we can expect some lead time for businesses to bring practices up to speed with new rules.
Recent high profile cybersecurity incidents and massive new penalties introduced last year have brought significant focus and investment on cyber security and data retention practices in particular. But the scope of proposed reforms go much further than securing data from external threats.
More will need to be done to understand and track how data is or should be used within organisations – protecting data from misuse as well as disclosure, and having strong policy and management frameworks in play.
Privacy by design and security by design principles are gaining traction in many industries, but many organisations are still burdened by legacy systems and technical debt that makes change hard.
With a tight market for data privacy and technical talent, and increasingly stretched budgets and project pipelines, building capacity through retention, recruitment and the right partners is key.
The first step in preparing for the future state of privacy is to improve your understanding of your organisation – knowing what is happening on the ground is half the battle:
In the race for digitalisation and artificial intelligence, many organisations are deliberately de-siloing data to gain better business insights and simplifying IT operations to make delivering IT projects easier in a tough environment.
Managing how information can and should be used must be built into the governance, culture and systems – adopting privacy by design principles.
You can read more practical steps on managing data risks in our previous Digital Economy and Risk Alert – Understanding Your Organisations Data.
While we might not know yet the detail of new privacy obligations or timeframes for compliance – we do know that the regulator has already been given new powers, and will likely be given further powers in the future. New privacy obligations will have lead times – but new regulatory tools will probably not have lead times.
We expect the regulator to be better funded to take a more pro-active role in driving compliance before incidents occur. With this uplift, we are expecting an increase in enforcement action in relation to existing privacy obligations.
With an escalating cyber threat landscape, the availability, coverage and cost of cyber insurance is a growing concern.
With massive new penalties already in play, a more active regulator, stricter privacy rules and the prospect of a privacy tort, it will be important to monitor how insurers react. We may see cyber or data specific insurance become more unattainable, see more carve-outs from other insurance policies, and new opportunities for insurance and mitigation services.
Authors: Tim Brookes, Partner; and Andrew Hilton, Expertise Counsel.
We draw on Ashurst's combined legal and risk advisory expertise to help organisations keep pace with the evolving Privacy Act reforms and the actions they can take to position themselves for success.
Learn more about privacy reform in AustraliaThe information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up