2023 Government Response to the Privacy Act Review Report

3 October 2023

James Patto and Annie Zhang

Special thanks to contributors: Natalie Mu, Sylvia Ng and Elsa Zhong.

The eagerly awaited reforms to Australia’s privacy laws are about to get underway, with the Attorney-General’s Department releasing the Government’s response to the Privacy Act Review Report. That report, when originally released in February this year, made 116 proposals to reform the Privacy Act 1988 (Cth) (see our summary and hot takes and our submission in response to the report). The reforms proposed were ambitious and wide-ranging and, if implemented in full, would have resulted in the most significant change to Australian privacy law since the introduction of the Australian Privacy Principles (APPs).

Despite initial suggestions that the Privacy Act Review Report would lead to substantial and expedited reform of the Australian privacy regime, the Australian Government has adopted a more cautious and measured approach. Rather than proceeding to prepare draft legislation on many of the key reforms, the Government has elected to undertake further industry consultation first. Only then will it commit to the more substantial changes to the Privacy Act and prepare legislation to reflect them. The Government has advised that the delay and further consultation are needed so that practical considerations can be examined and a balance struck between uplifting privacy protection and the resulting regulatory burden.

Set out below, we highlight some of the key reforms that will be significant in re-shaping the landscape of Australia’s privacy and data protection laws.

Key takeaways

  • the Australian Government is taking a more measured and cautious approach to refreshing Australia’s privacy regime than anticipated, on the basis that practical considerations need to be examined to balance enhanced privacy protection against the potential increase in regulatory burden;
  • because many of the proposals have been agreed only in principle, the response leaves organisations uncertain as to what the Privacy Act will specifically look like in future and what standard of compliance they should be working towards from an uplift perspective;
  • organisations should consider the proposals that were ‘agreed’ and prioritise compliance activities accordingly;
  • given that the Government has signalled its intent to implement more ambitious and significant reforms in future, organisations should begin the substantial uplift today, using the ‘agreed in-principle’ proposals and the GDPR as a guide;
  • organisations can factor the key themes emerging from the Government’s response into their privacy management frameworks and privacy-by-design practices even before the reforms are detailed or come into force. These themes include improving data governance and transparency, strengthening consent and control mechanisms for individuals, enhancing PIAs for high privacy risk activities and refining security practices (in particular, around destruction and de-identification); and
  • ultimately, good data hygiene and governance can be a competitive advantage for organisations.

Key proposals ‘Agreed’ by the Government

Of the 116 proposals, only 38 were ‘agreed’ by the Government (i.e. legislation will be developed, with targeted consultations on its drafting). Interestingly, not all 38 proposals will result in legislative change, and it appears that the actual scope of legislative change to emerge from this review process, at least in the first instance, will be quite limited.

11 of these 38 are proposals for further consideration or consultation, and 6 relate to OAIC activity or other measures that are unlikely to result in legislative change. This means that, in reality, only 21 of the 116 proposals will find their way into the first tranche of draft legislation to be released shortly.

However, we do expect to see some imminent changes, including:

  • changes in relation to the use of automated decision-making, including a requirement for privacy policies to include meaningful information on the types of personal information used in automated decisions, and transparency requirements on how automated decisions are made;
  • strengthening of the Notifiable Data Breaches scheme by allowing the Attorney-General to permit information sharing with appropriate entities that may be able to reduce the risk of harm arising from a data breach;
  • relaxing the threshold for ‘serious and repeated’ interferences with privacy by removing the requirement that breaches be repeated, thereby making it easier to sanction breaches of privacy;
  • changes to the enforcement regime, including giving the courts power to ‘make any order it sees fit’ once an interference with privacy has been established, and new powers for and requirements on the OAIC; and
  • uplifting protections for children’s privacy by introducing a Children’s Online Privacy Code that applies to online services likely to be accessed by children.

In addition, the OAIC will have a key role to play with the following:

  • developing practice-specific guidance for new technologies and emerging privacy risks;
  • new regulatory guidance to identify and distinguish the different categories of vulnerable individuals who are at higher risk of harm from data misuse, and updated best-practice information on securing their consent; and
  • improvements and additions to guidance on information security, including on APP 11, on what constitutes ‘reasonable’ steps to secure, destroy or de-identify personal information, and on the conduct the OAIC expects from entities to identify, mitigate and redress actual or reasonably foreseeable loss.

Key proposals ‘Agreed In-Principle’ by the Government

The Government has given a more tentative nod to 68 other proposals (‘agreed in-principle’) and will engage with stakeholders in another round of consultation on these matters. The Government has further indicated that these proposals need to be considered in light of other potential consequences and additional regulatory burden. These 68 proposals are where the more ambitious, major uplifts to the Privacy Act lie. It is unclear what form the further consultation will take, but the Government has indicated that it will continue into 2024 and will be led by the Attorney-General’s Department in consultation with Treasury.

Of note are the following proposals which, when put forward in the initial Privacy Act Review Report, looked set to significantly modernise and strengthen privacy protections for Australians.

  • Requirement to determine and record the purposes for which organisations collect, use and disclose personal information.
  • Amendments to exemptions, such as narrowing the employee records exemption and removing the small business exemption.
  • Obligation to appoint or designate a senior employee with specific responsibility for privacy within the organisation.
  • Requirement to perform privacy impact assessments for high-risk activities.
  • Direct right of action under the Privacy Act and a statutory tort for serious invasions of privacy.
  • Unqualified right for individuals to opt out of their personal information being used or disclosed for direct marketing purposes.
  • Industry-based funding model for the OAIC.
  • New individual rights, modelled on the EU GDPR ‘data subject rights’, including rights to object, to request erasure, to opt out of targeted advertising and to have search results de-indexed.
  • ‘Fair and reasonable’ test for the collection, use and disclosure of personal information, sitting alongside the existing requirement that collection be reasonably necessary for an entity’s functions or activities.
  • Mechanism to prescribe countries with substantially similar privacy laws, and introduction of standard contractual clauses for transferring personal information to countries that are not prescribed.

These are now subject to additional consultation, delaying the modernisation and alignment of the Australian privacy regime with other jurisdictions.

Key proposals ‘Noted’ by the Government

Several proposals were simply ‘noted’ by the Government, with no further action to be taken. Interestingly, the Government will not be looking to legislate additional requirements to round out the political exemption, such as requiring political entities to take reasonable steps to protect and destroy or de-identify personal information and to comply with the NDB scheme, nor the proposal to increase privacy protections and security measures for de-identified information.

Our perspectives and insights

Whilst the Government needed to start somewhere, we expected a more ambitious reform agenda in the first instance. In our submission we suggested a tranched approach to reform, but that was to pragmatically help industry implement the wide-ranging changes to the regime that appeared likely at the time. With many proposals marked as ‘agreed in-principle’ and no clarity on what will or will not be changed within this group, organisations do not yet have the certainty they need about the direction of the law to drive their compliance uplift activities.

A number of the proposals are simply good practice, and we recommend that industry act on them without waiting for the Government to land on its final legislative position. Examples include the proposals relating to the time taken to notify an eligible data breach, the requirement to appoint or designate a senior employee with specific responsibility for privacy within the organisation, and the requirement to perform privacy impact assessments for high-risk activities. These are only three examples, but there is a range of other ‘low-hanging fruit’ proposals that industry should focus on today and that could easily have been included in the initial set of reforms.

Further, there is a risk that the Government’s approach to these reforms leaves organisations with even greater uncertainty about what to prioritise in their data governance and compliance uplift. Like the sword of Damocles, organisations know that some level of reform is hanging over them, but is that enough to justify substantially increased expenditure on privacy uplift when the Government has yet to take a settled position on many of the more significant reforms?

It is, however, encouraging to see the proposals for substantial regulation of de-identified data dismissed. Those proposals would have over-complicated the privacy regime in Australia and imposed onerous obligations on Australian organisations that are out of step with international equivalents.

Whilst the Government Response recognises the need to enhance the trust and confidence of individuals and entities in the handling of personal information in Australia, the absence of a more comprehensive reform package from the first round of changes is a missed opportunity. The reality is that the GDPR first applied in 2018 and many parts of the world have since adopted GDPR-like regulation, leaving Australia even further behind in its legislative reform process.

What should organisations do?

Organisations should consider the ‘agreed’ reforms immediately in the context of their business to determine whether further compliance uplift is required. These uplifts should be prioritised so that the journey to compliance is managed appropriately.

Although the Government has only ‘agreed in-principle’ to the key reforms, there is clearly an appetite in the longer term for substantial uplift of the Privacy Act as a whole. Organisations should therefore be working towards compliance with the wider range of reforms, and should consider using the GDPR as a benchmark for their compliance activities.

Jon Benson

Partner, Assurance - T&R Cyber, Melbourne, PwC Australia

+61 438 565 299

Natalie Mu

Director - Data Trust and Privacy, Melbourne, PwC Australia

+61 (3) 8603 5863