A step closer to privacy law reform: The Australian Government responds to the Privacy Act Review Report
The Privacy Act Review Report was released for public consultation by the Attorney-General’s Department in early 2023 and set out extensive proposals for reform of Australia’s Privacy Act 1988 (Cth) (Privacy Act). The Government published its Response to the Privacy Act Review Report (Response) on 28 September 2023. The Response indicates that most of the proposals put forward in the Privacy Act Review Report will be pursued, albeit after further consultation. Given the Response, it is likely that at least some legislative change to the Privacy Act will occur in 2024.
Background to the Privacy Act review
In 2019 the Australian Competition & Consumer Commission (ACCC), in the final report from its landmark initial Digital Platforms Inquiry, recommended changes to the Privacy Act, including, for example, to update the definition of “personal information”; strengthen notification and consent requirements as well as pro-consumer defaults; provide a direct right of action for individuals; and increase penalties.
In responding to the Digital Platforms Inquiry recommendations of the ACCC, in December 2019 the then Australian Government, building on proposals that it had announced early in 2019, confirmed that it would review the Privacy Act to provide for the protection of the data of Australians, while at the same time ensuring the Act best served the Australian economy. The stated timing for completing the review was 2021, though the review was still in progress when the Government changed in 2022.
The current Australian Government committed to continue to pursue privacy reforms and took steps to achieve this by passing the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), which provided for a substantial increase in penalties payable for serious and repeated interferences with privacy, as well as providing for expanded enforcement powers for the Australian Information Commissioner (as the privacy regulator) and greater information sharing powers between the Commissioner and the Australian Communications and Media Authority.
Since its election the current Australian Government has continued the broader review of the Privacy Act, though progress has been slow. The Attorney-General’s Department released the Privacy Act Review Report in early 2023, seeking input on the wide range of proposals that it had developed following an extensive consultation process undertaken from the time that the then Attorney-General released the terms of reference for the review in October 2020.
The Government’s Response
The Response sorts the proposals from the Privacy Act Review Report into three categories:
- agreed: Proposals that are agreed will be progressed, though further targeted consultation on legislative drafting will be undertaken;
- agreed in-principle: The proposals that are agreed in-principle will also be progressed, though further targeted consultation will be undertaken to ensure those proposals appropriately balance privacy against adverse outcomes, such as increased regulatory burden; and
- noted: Proposals that have been noted will not be progressed.
The Government will also undertake an impact analysis, to ensure that compliance costs as well as other potential economic costs and benefits are considered in pushing forward with the reforms.
The Government accepted almost all of the proposals from the Privacy Act Review Report, with most being agreed or agreed in-principle. The only proposals from the Privacy Act Review Report which were noted, and therefore will not be pursued, are:
- the range of proposals to provide greater protections for de-identified information (that is, personal information that has been subjected to a process to ensure that no individual is identified or reasonably identifiable);
- proposals to limit the current exemptions provided in the Privacy Act for political parties, such as requiring political parties to publish privacy policies; and
- a proposal for an unqualified right for individuals to opt-out of targeted advertising.
A recap of key reforms
Given the Response, it is useful to consider a few of the key changes that are likely to be made to the Privacy Act.
- Definition of personal information to be amended
The Government has agreed in-principle to amend the definition of personal information, for example, to include inferred and technical information. These changes may not have much impact in a practical sense on the scope of the information captured by the Act.
The scope of the sensitive information definition is also likely to be expanded as the Government has agreed in-principle that genomic information should be included as well as potentially precise geolocation data. If the scope of sensitive information is expanded, consent will be required for the collection of the additional categories of information included in that definition.
- Who will be regulated under the Privacy Act?
The Government has agreed in-principle that small businesses with a turnover of $3 million or less, which are currently exempt from regulation, should, in the longer term, be subject to the Privacy Act. In addition, the removal of the private sector “employee records” exemption has been agreed in-principle. The journalism exemption and the exemption for political parties will remain, though the Government has agreed in-principle that the scope of the journalism exemption should be narrowed.
- Fair and reasonable standard
The proposal from the Privacy Act Review Report that the collection, use and disclosure of personal information must be objectively fair and reasonable has been agreed in-principle. This has the potential to have far-reaching consequences if adopted. Irrespective of whether notice has been given, or consent has been obtained, some personal information collection and management processes may simply not be permitted. The proposal that the Privacy Act list the factors that may be considered in determining whether a practice is fair and reasonable, such as the kind, sensitivity and amount of personal information collected, used or disclosed, has also been agreed in-principle.
The Response linked these proposals with the proposal (also agreed in-principle) that online services will be required to adopt a privacy by default approach, making clear that the focus of the Government in this area relates to online personal information collection, use and disclosure practices.
- Direct marketing, targeting and trading
One of the key areas included in the Privacy Act Review Report, and an area where there had been little direct consultation prior to the release of the Report, related to direct marketing, targeting content (including advertising) and the trading of personal information.
As noted earlier, one of the few proposals that the Government did not accept in its Response was that individuals should have an unqualified right to opt-out of targeted advertising. Nonetheless, the proposals that the Government did either agree or agree in-principle in this area are extensive, including agreement in-principle that:
- individuals should be able to opt-out of their personal information being used for direct marketing;
- direct marketing to children (being persons under 18) should be prohibited unless the direct marketing is in the best interest of the child and the personal information was collected directly from the child;
- targeting should be fair and reasonable and targeting based on sensitive information should be prohibited other than for “socially beneficial content” e.g., public health campaigns, and subject to the qualification that targeting to a child should be prohibited unless this is in the best interests of the child; and
- consent should be required for trading personal information, though trading of personal information of children should be absolutely prohibited.
While the Government did not support an opt-out right for targeted advertising, the Response did state that further consideration will be given to how to provide individuals with more choice and control in relation to use of their personal information for targeted advertising, such as layered opt-outs and industry codes.
- Direct right of action and statutory tort
Some of the more controversial provisions of the Privacy Act Review Report related to the grant of rights to individuals to directly take legal action.
The Government has agreed in-principle that individuals should have a direct right of action for breaches of the Privacy Act, with the Government seeing this as a means by which individuals may gain greater control of their information. Notwithstanding that there will be some steps that individuals need to take before they may sue, it is expected that this direct right will impose a significant cost burden on regulated entities in defending claims.
The proposed statutory tort for serious invasions of privacy was also agreed in-principle, though it is likely to take longer to implement as it will require consultation with Australian States and Territories, as acknowledged in the Response.
Timing for implementation of reform
Given the need for further consultation, even in relation to those proposals that the Government has agreed, no legislation will be passed until 2024. Although this is not expressly stated in the Response, given the different categorisation of proposals as agreed or agreed in-principle, it may also be the case that the Government adopts a staged approach to reform of the Privacy Act.
The Response refers to the need for transitional arrangements, without stating how long these may be. The duration of such transitional arrangements is likely to depend on how reforms are implemented. For example, if a staged approach to implementation is adopted, then transition periods may be shorter than would be the case if all reforms are implemented simultaneously.