The Attorney-General’s Department continues to consider submissions made in response to the Issues Paper released in late October 2020 that marked the commencement of the Government’s wholesale review (Review) of the Privacy Act 1988 (Cth) (Privacy Act). The Review, announced in early December 2019, represents an opportunity for the largest step-change in Australian privacy law since the Privacy Amendment (Private Sector) Act 2000 (Cth) introduced the current principles-based framework to private sector entities.
With the first-stage of consultation attracting a broad array of organisations and businesses, including some off-shore interest by the likes of the New York Times and the United States Chamber of Commerce, we consider the issues most likely to be taken forward into the Discussion Paper set for imminent release.
The Review follows the March 2019 announcement of a planned, but as of yet unseen, increase to the maximum civil penalties under the Privacy Act as well as the 2019 release of the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry (DPI) and its final report (DPI Report), which recommended privacy reform grounded in consumer data privacy issues.
The scope of the Review builds on the recommendations made by the ACCC in the DPI Report and includes a consideration of the objectives of the Privacy Act, the global interoperability of Australian privacy law and the adequacy of the current enforcement regime under the Privacy Act, in addition to consumer data privacy issues. Notably, the Review revisits the decade long debate over the introduction of a statutory tort for a serious invasion of privacy in Australia.
The Office of the Australian Information Commissioner’s (OAIC) own submissions to the Issues Paper, at 150 pages, adds considerable weight to several proposals expected to form part of an amended Privacy Act, as well as supporting some of the more ambitious reforms in the Review’s Issues Paper and Terms of Reference.
Adequacy of notice and consent safeguards
Among the privacy-related recommendations made by the DPI Report was the strengthening of notification and consent obligations on organisations when collecting personal information in an effort to increase transparency around data use. These recommendations gained the in-principle commitment of the Government subject to consultation.
As reflected in the Review’s Issues Paper, the Attorney-General sought comment on what notice requirements in an amended Privacy Act would strike the right balance between awareness-raising of important privacy matters and ‘consent fatigue’ - the information burden individuals experience in navigating innumerable daily instances of personal information collection.
It is unclear what the Review will mean for notice and consent in a reworked privacy framework, particularly where meaningful transparency in complex data use terms is difficult to achieve. As noted by the ACCC and the OAIC in different arenas, for data-driven businesses, notice requirements may prove counterproductive when resulting in further complexity for individuals seeking to exercise meaningful choice in controlling their personal information.
The OAIC’s own submission supported a reconsideration of notice and consent safeguards, however, focused on countering information overload and consent fatigue experienced by individuals. The OAIC specifically endorsed the standardisation of collection notices such as the use of standard words and icons and the use of video notices or privacy dashboards.
While standardisation of consent information may potentially be introduced as codes, legally binding rules or Commissioner-issued guidelines, the OAIC has endorsed the DPI Report recommendation that consent should be defined in an amended Privacy Act to require a clear and affirmative act that is freely given, specific, unambiguous and informed. Whilst this position is not inconsistent with the OAIC’s current guidelines on consent, this change in the Privacy Act itself would have the dual benefit of aligning the definition of consent more closely with the GDPR (under Article 7 and recital 32) and tackling the long-standing issue of the validity of ‘bundled consent’.
Fairness and Accountability
Accompanying the OAIC’s proposals on strengthening notice and consent requirements is its proposal to shift the burden of improving privacy from consumers to organisations themselves, in the form of greater fairness and accountability requirements.
The first aspect of this proposal is to introduce an explicit requirement for APP entities to collect, use and disclose personal information ‘fairly and reasonably’, a change from the current requirement that such information is collected through ‘fair and lawful’ means, which, in the OAIC’s experience, does not adequately target practices that ‘unfairly’ affect individual rights and interests. Additionally, the current protection only applies to the collection of personal information, not its use or disclosure.
In addition to expanding protections through the ‘fair and reasonable’ requirements, the OAIC further recommends creating ‘no-go’ and ‘proceed with caution’ zones (complete and partial prohibitions, respectively) under the privacy framework. This would subject an entity engaging in ‘high risk’ activities to increased organisational accountability, even if it has purported to receive consent to the collection or disclosure of certain data. The practices specifically targeting by these prohibitions include the profiling of and directed advertising towards children, scraping of personal information from online platforms, the collection, use and disclosure of location information, and certain uses of AI technology to make decisions about individuals.
The second aspect of this OAIC recommendation is an explicit requirement on entities to implement, and demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default approach’. The OAIC describes the former as referring to a system that has been designed with privacy in mind from the ground-up, rather than overlaying privacy options at the end of a product’s life-cycle, while the latter refers to entities minimising data collection as a default setting.
Current exemptions under the microscope
The Review also considers the scope and application of the Privacy Act to types of information, entities and classes of individuals that are currently exempt. Most relevantly, these include employee records and small businesses.
While the relative compliance burden of small businesses under the Privacy Act remains a concern, the Issues Paper also considered whether the design of the small business exemption remains appropriate in today’s data rich world — a reasonable question given the current $3 million threshold is not subject to indexation and does not consider the types of data practices an entity engages in. It is notable that no comparable jurisdiction (including the United Kingdom, New Zealand, Canada and the European Union) retains an exemption in privacy law for small businesses. With the global interoperability of Australia’s privacy regime also featuring in the consultation materials, the continuing exemption of an estimated 94% of Australian businesses from Privacy Act obligations under the small-business exemption may loom large as an issue relevant to the adequacy of Australia’s privacy regime as determined by our digital trade and data export partners. For these reasons, the OAIC submits that the small business exemption should be removed in any reformed legislation.
In addition, the Review’s Issues Paper focused on the employee records exemption, which currently exempts certain acts and practices relating to employee records and current and former employment relationships. The digitisation of workplace processes and practices and ever more common features of modern workplaces, such as biometric security systems and employee well-being programs, have led to increases in the volume of health and other sensitive information employers collect from their employees. Recent COVID-19 workplace mitigation efforts that rely on the collection of employee health information have only accelerated this trend. Like the small business exemption, Australia remains a global anomaly in this regard, with no exemption in comparable jurisdictions. The OAIC has therefore also recommended that the employee records exemption be removed.
Direct right to redress
The introduction of a direct right for individuals to litigate a breach of their privacy under the Privacy Act was agreed in-principle by the Government in response to the DPI Report recommendations. Currently, individuals may only complain to the OAIC who may seek to investigate and resolve the complaint on their behalf.
The Review’s Issues Paper focused on the framing of any direct right of action, noting that while greater control in enforcing privacy protections is desirable for individuals, this must be balanced against the court resources required to facilitate such claims. What role representative actions may play in striking that balance remains unclear. While the Issues Paper proposed limiting the right of direct action to the courts to ‘serious’ breaches of privacy as a means to strike this balance, the OAIC considers that such a limit would substantially curtail the right’s effectiveness, not only precluding many individuals from seeking recourse in the courts for breaches of their privacy, but also limiting the incentive for organisations to comply with their obligations. The OAIC also notes the lack of a threshold requirement to seek court redress in equivalent privacy legislation in jurisdictions such as Singapore and the UK, and under the GDPR.
The OAIC further recommends that damages recoverable under a direct right of action should not be capped, to enable Courts to set standards for the levels of damage for privacy breaches with respect to the facts of each case, as well as allow the compensation amounts awarded by Courts to reflect and adapt to the changing landscape of privacy harms (this would also be consistent with the current position under the Privacy Act in that the OAIC may award compensation which is not subject to any financial limit).
The introduction of a direct cause of action for an interference with privacy under the Privacy Act, coupled with the announced strengthened enforcement regime and higher penalties for non-compliance, may pave the way for a new era of landmark privacy breach actions in Australia.
Gap-filling for serious invasions of privacy
The Review’s Issue Paper also revisited the long-running debate surrounding the introduction of a statutory tort for a serious invasion of privacy first canvassed in 2011 and most recently recommended by the DPI Report, adopting the 2014 recommendation of the Australian Law Reform Commission (ALRC).
As distinct from interferences with privacy covered under the Privacy Act, the introduction of a statutory tort for serious invasions of privacy would provide a remedy to intrusions into an individual’s physical seclusion and the misuse of private information through unauthorised public disclosure.
Chief among the issues canvassed by the Review’s Issues Paper was the balancing of public interest factors such as freedom of expression, open justice, national security and the proper administration of government against an individual’s right to privacy, with an objective ‘reasonable expectation of privacy’ test seemingly preferred by the Attorney-General’s Department. This position has been adopted by the OAIC in its submissions on the operation of the proposed statutory tort.
Harmonisation of Australian and international privacy obligations
In recognition of the increased risk and importance of offshore data flows to the digital economy, the Issues Paper accepted a recommendation of the DPI Report that the review of the Privacy Act include a consideration of the adoption or development of an independent certification scheme for privacy compliance for overseas data flows. Importantly, this includes considering whether such a scheme would be intended to satisfy the adequacy requirements of other jurisdictions such as those of APEC trading partners under the Cross-Border Privacy Rules scheme and the EU under the GDPR. In considering the viability of these schemes the OAIC noted the difficulty of operating an ‘adequacy’ list, citing the European experience where only 12 countries have received an Adequacy Decision from the EU Commission.
A significant recommendation by the OAIC is to amend the Privacy Act to address issues with extraterritoriality. As noted in the Issues Paper, the extraterritorial application of the Privacy Act is intended to capture multinational corporations based overseas with offices in Australia, as well as entities with an online presence, but no physical presence in Australia. Under the Privacy Act currently, it can be difficult to establish jurisdiction against well-resourced international companies with several subsidiaries. The OAIC therefore suggests broadening the application of the Privacy Act by removing the requirement that the relevant information must have been held or collected in Australia, as well as expanding the application of the Privacy Act to body corporates that have collected Australians’ personal information from a related body corporate (irrespective of whether it carries on business in Australia in its own right).
The Review’s interest in exploring the harmonisation of standards regulating cross-border data flows mirrors the Government’s interest in expanding its national security and law enforcement powers in relation to data and communications sent or received from outside of Australia. The 2018 passage of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) which provided new powers to compel industry assistance with accessing encrypted communications and established to facilitate reciprocal cross-border access to data held by certain communications providers are two notable examples.
While balancing the privacy and information rights of Australians and the legitimate interests of businesses in accessing their personal information will no doubt remain the focus of amendments to the Privacy Act, it is perhaps the decisions made by Australia’s digital trade and data export partners that will ultimately be determinative of what balance is eventually struck. With many of Australia’s trade partners having recently enacted or currently enacting privacy law reform, the economic impacts of an inadequate domestic privacy regime might ensure that the Review is not the last we see in the short term.
What issues are taken forward into the Review’s narrowed Discussion Paper may provide some sense of the durability of the eventual amendments to the Privacy Act and how soon more amendments will need to follow.
Authors: Melissa Fai, Mitch Bennett and Rishabh Khanna