03/11/2021

The Commonwealth Attorney-General’s Department looks set to have a busy summer ahead as it moves forward with its Privacy Act review and reforms on a number of fronts. Last week, the Department published:

  1. an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) and associated explanatory memorandum; and
  2. a discussion paper for the on-going Privacy Act review (Discussion Paper).

The Draft Bill proposes two distinct reforms:

  1. the introduction of an Online Privacy Code that will apply to social media platforms, data brokers and large online platforms; and
  2. an increased penalty regime which brings penalties under the Privacy Act 1988 (Cth) (Privacy Act) into line with those under the Australian Consumer Law.

We consider each of these reforms and the Discussion Paper below.

Online Privacy Code

The Privacy Act currently empowers the Information Commissioner to implement and enforce Australian Privacy Principle (APP) Codes and Credit Reporting Codes. APP Codes, which may be developed by industry and/or the Information Commissioner, set out how entities in a particular industry will comply with one or more of the APPs. Credit Reporting Codes, as the name suggests, may be implemented in respect of entities bound by Part IIIA of the Privacy Act and set out how those entities comply with the credit reporting obligations.

The Draft Bill proposes a third category of Code for online privacy. It will apply to “OP organisations”, that is, organisations providing any of the following:

  1. social media platforms (which includes social networks, online dating, online content, online blog or forum sites, gaming platforms and online messaging platforms);
  2. data brokerage services which are services involving the collection of personal information for the purpose of on-supply; or
  3. “large online platforms”, being businesses that collect personal information in the course of providing access to information, goods or services online (that is, by the use of an “electronic service”) and that have at least 2.5 million Australian end users (such as Apple, Google, Amazon or Spotify).

This third category is likely to be especially broad as it will feasibly capture large banks with online banking platforms (however, note our comment below regarding conflicts between the OP Code and the consumer data right) and large retailers/ecommerce stores. Interestingly, however, the Draft Bill specifically excludes organisations that collect personal information in the course of providing a customer loyalty scheme.

The OP Code itself is yet to be developed but will be required to set out the ways in which OP organisations will comply with the following APPs (in sum):

  1. APP 1.4(c), which requires a privacy policy to state the purposes for which personal information is collected, held, used and disclosed;
  2. APP 5, which sets out obligations around collection notices; and
  3. APP 3 and APP 6, which deal with the seeking of consent for the collection, use and disclosure of personal information.

The OP Code will also require organisations to take reasonable steps (if any exist) to cease using or disclosing an individual’s personal information if the individual requests it. This resembles the “right to be forgotten” (right to erasure) in the European Union’s GDPR, but stops short of it by limiting the steps required to those that are reasonable.

The OP Code will also need to address how organisations interact with children, including, in respect of social media platforms specifically, an express fairness obligation and the requirement to obtain parental/guardian consent for the collection, use or disclosure of personal information for anyone under the age of 16 years.

The Information Commissioner must adopt an OP Code within 12 months of the legislation taking effect and development of the code will follow a similar process to the existing codes for APPs and credit reporting.

As mentioned, because a high number of organisations are likely to be caught by the OP Code, the Draft Bill sets out an order of precedence for resolving conflicts between obligations under the OP Code and other requirements. Where there is a conflict between the OP Code and either an APP Code or a credit reporting code, the provisions of the OP Code will prevail. However, where there is a conflict between the OP Code and the privacy safeguards that apply under the consumer data right (CDR), the CDR obligations will prevail.

Consultation on the exposure draft is open until 6 December 2021.

Penalties under the Privacy Act

The Draft Bill also provides for an increase in penalties under the Privacy Act. These changes were announced in 2019 but are only now being legislated (see our previous article here).

The proposal will see the maximum penalty for serious or repeated interferences with privacy increase from $2.2 million to the greater of:

  • $10 million;
  • three times the value of any benefit obtained (directly or indirectly) from the contravention; or
  • if the value of the benefit cannot be ascertained, 10 per cent of the annual turnover of the organisation.

These changes bring the penalties into line with those under the Australian Consumer Law.

Privacy Reform Discussion Paper

At the same time as releasing the Draft Bill for the online privacy code and the increase in penalties, the Attorney-General’s Department also released its Privacy Act Review Discussion Paper. This is part of the wholesale review of the Privacy Act undertaken as recommended by the ACCC’s Digital Platforms Inquiry, the final report of which was published in July 2019.

We will consider the full scope of the points raised in the Discussion Paper in a separate article to be published shortly. However, the following summary sets out the proposed changes at a glance, with the proposed change first and the detail of the proposed amendment after it:

  • Definition of personal information: the definition would be broadened to include “technical information”.
  • Notice of collection: an express requirement that privacy notices be clear, current and understandable.
  • Consent to collection, use and disclosure: the definition of consent would be updated to require a voluntary, informed, current, specific and unambiguous indication given through clear action.
  • Standardised notice and consent: standardised privacy notices and consents, with standardised layouts, wording and icons, could be introduced through a Privacy Code.
  • Additional requirements for collection, use and disclosure: the collection, use and disclosure of personal information would be required to be “fair and reasonable”.
  • Replace “de-identified” with “anonymous” for information not caught by the Privacy Act: the threshold for information to cease being “personal information” caught by the Privacy Act would rise from “de-identified” to “anonymous”.
  • Right to object / withdraw consent: a right for individuals to object, or to withdraw consent, at any time to the collection, use or disclosure of their personal information.
  • Right to erasure of personal information: a right for individuals to request erasure of their personal information in specific circumstances.
  • Restricted practices: entities would be required to take reasonable steps to identify and mitigate privacy risks in relation to certain restricted practices.
  • Pro-privacy defaults: two options are proposed. The strict option is pro-privacy settings selected by default, meaning entities must pre-select the most restrictive privacy settings. The less strict option is easily accessible privacy settings, meaning entities must make it easy for individuals to set their privacy settings to the most restrictive, without jumping through any hoops.
  • Additional protections for children: the Privacy Act would be amended to require consent to be provided by a parent or guardian where a child is under the age of 16 (interestingly, this may have the effect of generalising the similar provisions in the proposed OP Code discussed above).
  • Direct right of action: a direct right of action for individuals, or groups of individuals, who have been subject to an interference with their privacy.
  • Statutory tort: four options are proposed, ranging from the introduction of a statutory tort for invasion of privacy to not introducing a tort and allowing the common law to develop instead.
  • Overseas data flows (certification): a mechanism to prescribe and certify countries with privacy laws substantially similar to Australia’s, with the result that certain privacy obligations would not apply when disclosing personal information to recipients in those countries.

Given that this list of items has been produced from the submissions made to the Issues Paper published in October 2020, we think it likely that most, if not all, of these changes will be carried through into the review’s final report, unless considerable opposition is received through submissions on the Discussion Paper.

Consultation on the Discussion Paper is open until 10 January 2022.
