elevenM’s Cassie Findlay and Tessa Loftus summarise the Government’s response to the Privacy Act Report and what to expect next. You can also catch a discussion of the response on the elevenM podcast, This week in digital trust.
The current review of the Privacy Act 1988 was started as a response to recommendations made by the ACCC in its 2019 Digital platforms inquiry report. In the initial Issues Paper that was then released by the Attorney-General’s Department in October of 2020, the Government committed to “undertake a review of the Privacy Act and to consult on options for implementing a number of privacy-specific recommendations to better empower consumers, protect their data and best serve the Australian economy”.
Submissions from industry, members of the public and interest groups have been made at each stage of the review, including by elevenM. In late September 2023, the Albanese Government published its response to the Attorney-General’s Department’s final Review Report.
How the Government has responded
Of the 116 recommendations made in the Attorney-General’s Department’s report, the Government has:
- Agreed to 37 recommendations
For the recommendations it has agreed to, the Government has indicated that draft legislative provisions will be developed and that it will undertake targeted consultation with relevant entities prior to settling their final form.
Some key issues included here are children’s privacy (although it is split between ‘agree’ and ‘agree-in-principle’), an increase in OAIC regulatory powers, and acknowledgement of facial recognition risks.
- Agreed in-principle to 69 recommendations
For those recommendations to which the Government has ‘agreed in-principle’, it has indicated that the Attorney-General’s Department, in consultation with Treasury, will lead further engagement with regulated entities and the preparation of an impact analysis to test the benefits and the economic costs of the proposals.
Some key issues included here are the introduction of a fair and reasonable test, removal of the small business and employee exemptions, the introduction of partial privacy requirements for journalism, and the introduction of both a direct right of action and a statutory tort for serious invasion of privacy.
- Noted 10 recommendations
If the Government has ‘noted’ a recommendation, it is signalling that it does not propose to act on it or explore it further. Amongst the recommendations that have been ‘noted’ are the proposal to exempt political parties from the operation of the Act, and the proposal to provide individuals with an unqualified right to opt-out of receiving targeted advertising.
Some key areas
The Government response has agreed to address children’s privacy through the development of a Children’s Online Privacy code (and to formally define a child as a person under 18). However, the other recommendations for protecting children are all ‘agreed in-principle’, which means there will be further engagement and consultation before action is taken on these issues. The children’s privacy issues that are ‘agreed in-principle’ are that targeting to a child should be prohibited, that trading in the personal information of children should also be prohibited, that direct marketing to persons under 18 should be prohibited, that entities should be required to provide privacy notices and policies that are clear and understandable for any information addressed specifically to a child, and that the Privacy Act should codify the principle that valid consent must be given with capacity. Probably most significantly, there is also an ‘agree in-principle’ (not an ‘agreed’) to the recommendation that entities should be required to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances.
The Government response has agreed to a range of changes to give the Office of the Australian Information Commissioner a stronger focus on enforcement and additional powers, including additional powers for investigations of civil penalty provisions and the power to undertake public inquiries and reviews into specified matters on the approval or direction of the Attorney-General. There is also an ‘agree in-principle’ to investigate the possibility of an industry-funding model to ensure sustainable resourcing, so watch this space on that one.
A range of high-risk activities are considered in the response. In addition to agreeing that the OAIC should continue to provide guidance on emerging privacy risks, the Government also agrees that “further consideration should be given to enhanced risk assessment requirements in the context of facial recognition technology and other uses of biometric information.” An in-principle agreement has also been given to requiring private sector entities to complete privacy impact assessments (PIAs) for high-risk activities.
Fair and reasonable test
The introduction of a fair and reasonable test for information collection and handling was proposed as a way to somewhat address the power imbalance between individuals wishing to access services and entities collecting their personal information, and to address the complexity of the current ‘notice and consent’ model. The Government has agreed in-principle to introduce this requirement and that “the fair and reasonable test should apply irrespective of whether consent has been obtained.” In this same category of issues, the Government has also agreed in-principle that privacy settings for online services should be required to be ‘privacy-by-default’. Everything in this category is ‘in-principle’ agreement, so is likely to be coming a bit further down the road.
The Attorney-General’s Department will continue to progress the review, with next steps including:
- the drafting of legislative provisions for ‘agreed’ recommendations, followed by targeted consultation on the provisions’ wording;
- consultation with relevant groups on the ‘agreed-in-principle’ recommendations; and
- the preparation of an impact analysis that considers the costs and benefits of all of the supported recommendations, both from the perspective of regulated entities and consumers.
In terms of the timing of the introduction of new obligations, the report indicates that transition periods will be looked at as part of the development of the legislation.
For more information…
For a more detailed discussion of the Government’s response to the Privacy Act Review Report, listen to this week’s episode of This Week in Digital Trust.