
Major Reform of Australia’s Privacy Act

Australia is poised to implement the most extensive reforms to its privacy legislation since the Act was first introduced in 1988. The Privacy Act 1988 is the key piece of legislation regulating how personal information may be collected, used, and disclosed by most Australian Government agencies and certain private sector organisations. The principles that underpin the law are transparency, fairness, reasonableness, and a lawful purpose for handling personal information, all directed at protecting an individual's privacy.

A Brief History of the Privacy Act

The Privacy Act 1988 was introduced to regulate how federal government agencies could collect, store, use, and disclose personal information about individuals. For the first decade of its existence, the Privacy Act applied solely to government bodies, leaving the private sector largely unregulated in terms of privacy protection.

It wasn’t until the start of the new millennium – coinciding with the dot com bubble – that the scope of the Privacy Act 1988 was extended to include some private sector organisations. The Privacy Amendment (Private Sector) Act 2000 extended the Act to private organisations with an annual turnover of more than AUD 3 million, and to certain high-risk categories of business irrespective of their turnover (e.g. health service providers and businesses that trade in personal information).

However, the vast majority of organisations were, and still are, exempt from the Privacy Act. The main exemptions cover small businesses (annual turnover of AUD 3 million or less), media organisations acting in the course of journalism, registered political parties, and employee records held by private sector employers. For these exempt entities and records, the Act imposes no obligation to maintain the confidentiality, integrity and availability of personal information.

Nevertheless, the private sector extension marked a crucial shift in the landscape of data protection in Australia, as it brought a portion of the private sector under the same regulatory umbrella as government agencies. In March 2014, further amendments (the Privacy Amendment (Enhancing Privacy Protection) Act 2012) replaced the separate public and private sector principles with a unified set of 13 “Australian Privacy Principles” (APPs), which apply to all “APP entities.”

Further strengthening of the Privacy Act came with the introduction of the mandatory Notifiable Data Breaches (NDB) scheme in February 2018. This scheme requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an “eligible data breach”: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. The NDB scheme was a response to the increasing frequency and severity of data breaches, recognising the need for greater transparency and accountability when individuals’ personal information is compromised.

These historical developments laid the foundation for the current privacy reform process, which aims to modernise the Privacy Act further and address the challenges posed by new technologies and data harvesting practices.

Modernising the Australian Privacy Act 

The government’s reform approach emphasises the need for stronger protections for personal information, particularly in high-risk activities and emerging technologies. A new requirement will be introduced, mandating that not just the collection of personal information but also its use or disclosure be fair and reasonable in the circumstances. This “fair and reasonable” test is designed to prevent excessive or intrusive data practices, ensuring that entities only use and share personal information responsibly.

Privacy Impact Assessments

Another core proposal is the introduction of a mandatory requirement to complete Privacy Impact Assessments (PIAs) for activities deemed to pose high privacy risks. Unlike the GDPR, which requires a data protection impact assessment for high-risk processing, the Privacy Act does not currently mandate a PIA for high-risk handling of personal information by private sector entities.

The reforms would introduce a mandatory PIA requirement for high-risk activities such as automated decision-making and facial recognition. Mandatory PIAs represent a proactive approach to privacy management, requiring entities to consider the privacy implications of their products and services before they are implemented rather than after a breach or complaint.

Data Security and Data Retention

In response to the growing concern about data breaches, the government plans to strengthen the security and destruction requirements under the Privacy Act. Entities will be required to implement specific minimum technical and organisational safeguards to protect personal information, rather than the current open-ended obligation to take “reasonable steps.”

The government also plans to provide clearer guidance on data retention and destruction practices. Entities will be required to establish retention periods that are appropriate for the type, sensitivity, and purpose of the information they hold. This measure is intended to reduce the risks associated with overcollection and long-term data storage, and to ensure that personal information is only retained for as long as it is needed. Data that is no longer held cannot be exfiltrated, so this approach reduces the ‘blast radius’ in the event of a data breach.

A key theme throughout the government’s response is the emphasis on organisational accountability. The proposed reforms are designed to shift the burden of protecting personal information from the individuals concerned to the entities that collect and process it. In addition to expanding individual rights, the government proposes to strengthen consent mechanisms under the Privacy Act. Consent must be voluntary, informed, current, specific, and unambiguous, ensuring that individuals fully understand what they are agreeing to. The Act will also explicitly recognise the right to withdraw consent in a manner as easy as giving it, reinforcing the principle that individuals should have ongoing control over their personal information.

To further enhance transparency, the government plans to update the requirements for privacy notices and policies. These documents will need to be clear, concise, and accessible, providing individuals with the information they need to make informed decisions about their data.

Increased Transparency and Control for Individuals

One of the most anticipated aspects of the proposed reforms is the increased transparency and control that individuals will have over their personal information. The government recognises that the current system does not provide individuals with sufficient information about how their data is being used or enough control over their personal information.

To address these concerns, the government plans to introduce several new rights for individuals. These include the right to request the deletion of their personal information (also known as the right to erasure), the right to access more detailed information about how their data is being used, and the right to object to or challenge an entity’s handling of their personal information. These rights are designed to empower individuals, giving them greater agency over their personal information and the ability to hold entities accountable for how their data is used.

Strengthening Enforcement

The final pillar of the government’s response is the strengthening of enforcement mechanisms under the Privacy Act. The government is expected to release draft legislation to significantly strengthen the enforcement and deterrence provisions under the Privacy Act.

Until December 2022, the maximum civil penalty for breaches of the Privacy Act was AUD 2.22 million, applicable only to a ‘serious’ or ‘repeated’ interference with privacy. The law reform will remove the word ‘repeated’ from the threshold and clarify that a ‘serious’ interference with privacy may include:

  • breaches involving ‘sensitive information’ or other information of a sensitive nature;
  • breaches that adversely affect large groups of individuals;
  • breaches impacting people experiencing vulnerability;
  • repeated breaches or wilful misconduct; and
  • serious failures to take proper steps to protect personal information.

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, passed in December 2022, increased the maximum penalty for bodies corporate from the then current AUD 2.22 million to the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

The Government will also introduce a new mid-tier civil penalty provision to cover interferences with privacy that do not meet the threshold of ‘serious’. A new low-level civil penalty provision for specific administrative breaches of the Privacy Act will be legislated, with infringement notice powers for the Information Commissioner and set penalty amounts. The Government will also grant courts the power to make orders, in addition to a penalty, in respect of an interference with privacy. In addition, the Government will require entities to identify, mitigate and redress actual or reasonably foreseeable loss suffered by an individual as a result of a breach.

The government will consider a proposal to introduce a direct right of action, allowing individuals to take legal action directly against entities for breaches of the Privacy Act. This new avenue for redress would increase the pressure on businesses to comply with privacy laws.

These enhanced enforcement mechanisms are intended to deter non-compliance and to ensure that entities are held accountable for any violations of the Privacy Act.

Privacy Academy