It was almost 4 years ago, back in December of 2019 that the review of the Privacy Act 1988 (Cth) (Privacy Act) was first announced by the then Attorney-General (the Review).
After years of extensive public consultation, including around an issues paper released in October 2020 and a discussion paper released 2 years ago in October 2021, the Privacy Act Review Report (the Report) was released in February of this year, which included 116 proposals for reform.
Last Thursday, the Federal Government delivered its long-awaited response to the Report (the Response). Whilst the total reform agenda is significant and was always expected to be in tranches, the announcement was hoped to offer industry and individuals clarity on how the Federal Government plans to reform the Privacy Act.
However, the Response as delivered offers a fairly modest (if not timid) schedule of agreed reforms and defers most matters to further consultation, signalling that the Review may be an even more protracted process than first envisioned following the Report.
Overview of Federal Government Response
As we previously examined, the Report contained 116 proposals for how to make the Privacy Act, in the words of the Attorney-General, “fit for purpose” and able to “adequately protect Australians’ privacy in the digital age”. As such, the proposals ranged from relatively uncontroversial uplifts, through to those leveraging GDPR-esque reforms and changes (said to be) responding to recent shifts in technology and community expectations.
In its Response, the Federal Government agrees with 38 of the Report’s 116 proposals, agrees in-principle with a further 68, and notes the remaining 10.
Before we get into the detail on what has and has not been agreed to, it’s important to understand what each of these outcomes means in practice and how it relates to next steps:
- ‘Agrees’ is relatively straightforward, and is what most lawyers would generally interpret as “agreed in principle”. That is: the principle is agreed, and the Federal Government will move forward to implement the principle into draft legislation, which will then be subject to targeted consultation.
- ‘Agrees in-principle’ is a little murky. The ‘glass half empty’ view, and reading the strict words of the Response, is simply a directional indicator that the Federal Government likes the idea, but needs to consult on “whether and how they could be implemented so as to proportionately balance privacy safeguards with potential other consequences and additional regulatory burden”. So it’s not just a matter of how to implement, but there is also a question of whether to implement. Hence the murkiness.
- ‘Notes’ is the most non-committal of the Government’s responses offered, yet, as we discuss in this article, it does fall short of actual rejection or disagreement. However, given the volume of agreed and agreed in-principle proposals to progress, we suggest that, in practice, ‘notes’ amounts to a rejection at this time.
What has been agreed to in the Privacy Act Review so far?
Whilst there has been a fair amount of press that the Government has agreed to 38 proposals, which is true, many of these proposals are:
- not substantive changes to the privacy protections offered to individuals, and instead relate to enhanced regulatory powers for the Government; or
- merely proposals to further consult or consider a given issue.
Agreed: New obligations on regulated entities
Indeed, if you look at the proposals “agreed” which are substantive shifts in the protection offered to individuals, you end up with a much smaller number. Surprisingly, only 2 of the 38 agreed proposals are for a new express obligation on regulated entities (or a new right for individuals), with both relating to automated decision-making.
The first, proposal 19.1, would require regulated entities to ensure that their privacy policies set out the types of personal information that will be used in ‘substantially automated decisions’ which have a legal or otherwise significant effect on an individual. The Response cited denials of consequential services or support, or access to basic necessities, as examples of decisions to which this new requirement could apply.
Proposal 19.3, also agreed, proposes that individuals should have a right to request meaningful, jargon-free and clear information about how automated decisions are made which have a legal (or similarly significant) effect on an individual’s rights.
These proposals are modelled on Article 22 of the GDPR but would apply to a wider range of automated decision-making than under the GDPR, which applies to solely automated, rather than substantially automated, decisions.
Agreed: Enhanced regulatory powers
A majority of the “agreed” proposals relate to regulatory powers, enforcement and investigations. These include bolstering the scope and powers of the Office of the Australian Information Commissioner (OAIC), expanding the order-making powers available to the courts for interferences with privacy, and enabling the Attorney-General to permit the sharing of information with appropriate entities in the fallout of an eligible data breach where such sharing would reduce the risk of harm.
Another major area of agreed change is regarding the OAIC’s code-making and subordinate instrument powers, including temporary APP codes, more targeted Emergency Declarations and the introduction of a ‘Children’s Online Privacy Code’ that applies to online services likely to be accessed by children. (Noting that increased protection for the privacy of children was also a proposal mooted in the Online Privacy Bill under the previous Coalition government.)
Finally, there are a handful of agreed proposals that relate to commissioning enhanced or new OAIC guidance on a range of issues, including capacity and consent, Australian Privacy Principle (APP) 11, new technologies and emerging privacy risks.
Agreed: Further consultation
Interestingly, 8 of the 38 “agreed” proposals were merely proposals for further consultation on or consideration of a particular issue or reform. The subject matter of such further consultation ranges from fairly impactful (such as proposal 4.7, which relates to a new criminal offence for malicious re-identification of de-identified information), to administrative in nature (such as proposal 25.10, which proposes the OAIC conduct an internal review into their own enforcement posture).
Some of the agreed consultation proposals relate to other proposals which have not been agreed outright. For example, while proposal 13.1 (which recommended that entities be required to conduct privacy impact assessments for high-risk activities) was only agreed in-principle, the associated proposal 13.2, to consider how enhanced risk assessment requirements for facial recognition technology could be adopted as part of implementing 13.1, was ‘agreed’.
As with the proposals agreed in-principle, the timeline for consultation on these agreed items and the practical outcomes of such consultation remains unclear. We note that these proposals were of course framed as consultative by nature in the Report, which inherently narrows how the Federal Government can respond.
Agreed: Key refinements, tests and terminology
Finally, around a quarter of the “agreed” proposals relate to discrete, but key, sections of the Privacy Act and either play a clarifying role, or serve to loosen or tighten the nature of certain provisions.
For example, proposal 9.11 relates to the existing journalism exemption in the Privacy Act and creates a strengthened eligibility test for accessing the exemption that requires media organisations to be subject to adequate privacy standards. This can be read as a counterbalance to the Federal Government’s “noting” of some of the other proposals around journalism.
In a welcome development for clarity, agreed proposal 23.2 will introduce a mechanism to prescribe countries and certification schemes as providing substantially similar protection to the APPs under APP 8.2(a). As the Report commented on, but contained no proposals relating to, Cross-Border Privacy Rules or domestic certification schemes, agreement to proposal 23.2 should nevertheless assist regulated entities in understanding and complying with their cross-border privacy obligations.
In a notable ‘tightening’ of language, agreed proposal 25.2 would remove the concept of ‘repeated’ from the existing ‘serious and repeated interferences with privacy’ offence at section 13G of the Privacy Act. It would also see a new list of what ‘serious interferences’ would include, such as practices involving sensitive information, adversely affecting large groups of people, impacting vulnerable people, wilful misconduct or serious failures to take proper steps to protect personal information. Repeated breaches are also included as a proposed example here, so while an interference will not need to be repeated as under the current law, it may still be a relevant component when considering whether the serious threshold is met.
The majority of proposals in the Report were agreed in-principle by the Federal Government. The Response notes that these proposals will be subject to further engagement and impact assessments to ensure the right balance is struck between the privacy of Australians, impacts on regulated entities, and broader economic benefits and costs.
The Response also suggests that at least some of the proposals agreed in-principle are likely to interact with separate reform processes underway in cybersecurity, AI, automated decision-making and digital identity contexts. As such, the Attorney-General’s Department is tasked with navigating further consultation with these other reform programs in mind – many of which are only in the very early stages.
As mentioned above, it is not clear what the fate of these proposals will be; moreover, there is no commitment that any will be reflected in the draft legislation due in 2024. While sequencing some of the agreed in-principle proposals around other reform processes may be viewed as sensible (and perhaps as necessary on some issues), the delivery timelines of these reforms are either unclear or a fair way in the future.
When we last considered the Report we outlined what we considered to be the ‘big ticket’ proposals to watch. These included the proposal to act fairly and reasonably when handling personal information, an amended definition of consent, a direct right of action to enforce individual privacy rights, a statutory tort for serious invasions of privacy, tighter timeframes for notifiable data breaches, and a requirement to conduct privacy impact assessments for high privacy risk activities. All of these proposals, and most others identified in that article, have been “agreed-in-principle” for now.
“We note your proposal”
In the Response, the Federal Government ‘notes’ 10 proposals, indicating that they will not incorporate these proposals into forthcoming draft legislation, and that they also are not able to offer in-principle agreement.
It appears, however, that ‘notes’ may also be another way of deferring a decision to another time. Indeed, several of the instances where the Federal Government notes a proposal are also accompanied by a statement that the Federal Government will further consider the matter.
Commentators were also quick to point out that proposals 8.1 through to 8.6, each relating to a tightening of the Privacy Act for political entities, were each noted without further commentary from the Federal Government about a future appetite for reform.
What’s next for the Privacy Act Review
While the Response stops short of offering a target date for draft legislation, we do not expect to see this until (at least) the end of the first quarter of 2024. We understand that this draft will at minimum reflect the proposals agreed by the Federal Government, and may include some of the agreed in-principle proposals. The Attorney-General’s Department will consult again when a draft has been finalised, in addition to what sounds like a raft of other consultation processes it will lead in 2024 and beyond.
With only a modest selection of proposals now having a clear (or clearer) path of reform set, the Response can be characterised as concise, cautious and (certainly) consultative. The Response indicates that the Federal Government sees the overhaul of Australia’s privacy framework as an even longer-term project, to which next year’s draft legislation (fingers crossed) will be only the first in a series of reforms.