Brief on Australia Privacy Act Review Report 2022

The Attorney-General of Australia on February 16 2023 released the Privacy Act Review Report1, which proposes many reforms to the Privacy Act 1988 (Cth)2 and is proposed to strengthen and modernize privacy protections for Australians. With increasing cybersecurity incidents and data breach reports, reforms were needed in place.

S. No.ParticularsProposed Amendments
1.LawsPrivacy Act 1988 (Cth)  
2.Objects1. Act is about the protection of personal information

2. Act to recognise the public interest in protecting privacy
 
3.Definitions1. Personal Information: The scope maybe expanded with the change of the ‘about’ in the definition of personal information to ‘relates to’.
2. Include a non-exhaustive list of information which may be personal information to assist APP entities to identify the types of information which could fall within the definition.
3. Collection: expressly cover information obtained from any source and by any means, including inferred or generated information.
4. Reasonably Identifiable: should be supported by a non-exhaustive (illustrative) list of circumstances to which APP entities will be expected to have regard in their assessment
5. De identified: define in such a way that de-identification is a process, informed by best available practice, applied to personal information
6. Sensitive Information: definition to include ‘genomic’ information. Replace the word ‘about’ with ‘relates to’.
7. Geolocation tracking data: personal information which shows an individual’s precise geolocation which is collected and stored by reference to a particular individual at a particular place and time and tracked over time.
8. Organisation: Include ‘registered political party’ and include registered political parties within the scope of the exemption in section 7C.
9. Introduce the concept of APP entity controllers and APP entity processors into the Act.
10. Children: Individual who has not reached 18 years of age  
4.Scope1. Act be extended to apply to personal information handled by small businesses
2. Consult with small businesses about what support and resources may be needed to help ensure that those businesses are able to comply when the exemption is removed
3. Enhanced privacy protections should be extended to private sector employees
4. Extend transparency and security requirements to employee records, as well as making them subject to the notifiable data breach regime.
5. Further consultation is required to determine whether employee record-specific requirements should be implemented in privacy legislation or a code, or in the Fair Work Act.
6. Political exemption should subject to requirements and OAIC to develop guidance to assist political entities with obligations.
7. Media organisation for journalism exemption must have appropriate privacy standards overseen by a recognised body. 
 
5.Collection, use and disclosure of personal information1. Notice and record keeping: Requires a business to disclose in its privacy collection notice if an individual’s information is to be collected, used or disclosed for a high privacy risk activity.

Provide details on how an individual can exercise any applicable ‘rights of an individual’ and set out the types of personal information that may be disclosed by the entity to overseas recipients.   

2. Businesses be required to keep records of the primary purposes for which it will collect, use and disclose personal information – this information should reflect what is set out in the business’ privacy collection notice. If the business subsequently wants to use or disclose the personal information for a secondary purpose, it must also make a record of that secondary purpose prior to or at the time the information is used or disclosed.  

3. Fair and reasonable personal information handling test: This will be used to determine whether the collection, use and disclosure of personal information is necessary for an entity’s function and activities. Business will consider:  

a. the reasonable expectations of the individual;  

b. the kind, sensitivity and amount of personal information being collected, used or disclosed; and  

c. whether the impact on privacy is proportionate to the benefit  

4. Precise geolocation tracking data as a practice requires consent.  
6.Consent RequirementsReport recommends that the OAIC develop guidance on how online services should design consent requests. This guidance will outline specific layouts, wording or icons which could be used when obtaining consent, and could set out how the elements of valid consent should be interpreted in an online context.  

The Report also specifies additional circumstances in which a business may need to obtain an individual’s consent, including where the business is trading the individual’s personal information for some benefit.  
7.Cross Border data transfersIt is proposed to be permitted to disclose personal information to an overseas recipient if:  

1. the overseas recipient is located in a ‘whitelisted’ jurisdiction or is subject to a prescribed certification scheme;  

2. the APP entity entered into standard contractual clauses with the overseas recipient

3. the individual gives their informed consent to the disclosure, having been informed that privacy protections will not apply to their information, if disclosed  
 
8.Individual Rights1. Right to access personal information that relates to them and to receive an explanation of how the business collected that information and what it is used for;  

2. Right to object to the collection, use and disclosure of their personal information

3. Right to have internet search results about them de-indexed and to correct personal information published in online publications.  

4. Right of erasure: 30-day window for businesses to comply with the request to delete all of the personal information that relates to the relevant individual and inform any third parties to whom the personal information has been disclosed of the deletion request.
Exception: where there is public interest in retaining the information (e.g. required for law enforcement) or where the information is required to be retained at law. Information that has already been de-identified does not need to be erased unless it is subsequently re-identified.  

5. Direct right of action: This is for individuals who have suffered loss  or damage as a result of privacy interference by an APP entity. Statutory tort: statutory tort for serious invasions of privacy which fall outside the Act  
9.Governing Authority powersIncreased investigatory powers for the OAIC in relation to civil penalty provisions. The OAIC will have the power to undertake public inquiries and conduct reviews on approval of the Attorney-General.  

The OAIC may also make determinations requiring business to identify and mitigate reasonably foreseeable risks to individuals that may result from an interference with privacy. It also proposes the power to issue temporary APP codes and make an increased range of Emergency Declarations.  
10.Technical and Organisational measures1. New set of privacy outcomes be included and to clarify that ‘reasonable steps’ to protect personal information includes both technical and organisational measures.  

2. For entities with reporting obligations under multiple frameworks, harmonising of security requirements across different regimes to be done.  

3. It requires the entities to ensure that the protections (such as listed below) are applied to de-identified information-  

a. APP 11.1- protect from misuse, interference and loss  

b. APP 8- APP entities when disclosing de-identified information overseas to take steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to de-identified information.  

c. Prohibit an APP entity from re-identifying de-identified information obtained from a source other than the individual to whom the information relates.
Exceptions: the re-identified information was de-identified by the APP entity itselfthe re-identification is conducted by a processor with the authority of an APP entity controller of the information.  
11.Data retentionRequirement for entities to establish minimum and maximum data retention periods, and to include these periods in privacy policies.  
12.Data breach72-hour window for APP entities to report eligible data breaches to the OAIC, starting from when they become aware that there are reasonable grounds to believe an eligible data breach has occurred.

In cases of multi-party data breaches, all parties required to notify the OAIC, but only controllers required to notify affected individuals.  
13.Offences and Penalties1. Introduction of new low-tier and mid-tier civil penalty provisions (amounts are yet to be considered)
a. Mid-tier covers interferences with privacy that are not ‘serious’

b. low-tier provision is to cover ‘administrative’ breaches  

2. ‘Serious and repeated interferences with privacy’ should remove the word ‘repeated’ and clarify the essentials involving serious interferences with privacy.  
3. Introduce a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit. Exceptions will be given.
14.Federal CourtsFederal Court and Federal Circuit Court have the power to make ‘any order it sees fit’ in a civil penalty proceeding where there is an interference with privacy.  
15.Privacy Impact AssessmentAPP entities must conduct a Privacy Impact Assessment for activities with high privacy risks.

1. A Privacy Impact Assessment should be undertaken prior to the commencement of the high-risk activity.

2. An entity should be required to produce a Privacy Impact Assessment to the OAIC on request.

3. enhanced risk assessment requirements for facial recognition technology and other uses of biometric information to require Privacy Impact Assessments for high privacy risk activities.
16.Direct marketing, targeting and trading(a)       Direct marketing – capture the collection, use or disclosure of personal information to communicate directly with an individual to promote advertising or marketing material.

(b)       Targeting – capture the collection, use or disclosure of information which relates to an individual including personal information, deidentified information, and unidentified information (internet history/tracking etc.) for tailoring services, content, information, advertisements or offers provided to or withheld from an individual.

(c)       Trading – capture the disclosure of personal information for a benefit, service or advantage.

Various requirements:

1. Provide individuals with an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes.

2. Provide individuals with an unqualified right to opt-out of receiving targeted advertising.

3. Introduce a requirement that an individual’s consent must be obtained to trade their personal information. Prohibit direct marketing, targeting and trading to a child
17.ChildrenExisting OAIC guidance on children and young people and capacity will continue.

Collection notices and privacy policies should be clearly amended in the act and entities should have best interests while collection, use or disclosure  

Introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’. Scope will be similar to UK Age Appropriate Design Code including exemptions.  

References

  1. Privacy Act Review Report 2022- https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf
  2. Privacy Act 1988 (Cth)- https://www.legislation.gov.au/Details/C2022C00361