Confirming that privacy law is far from dead in Australia, on 28 September 2023, the Australian Government issued its response to the Privacy Review publicly released by the Federal Attorney General in February 2023. The response is generally positive.
- 37 recommendations of the Privacy Review have been earmarked for implementation – draft legislation is to be developed, followed by targeted consultation.
- 67 recommendations of the Privacy Review will be subject to further engagement with regulated entities and a comprehensive impact analysis – the Government wants to ensure that “the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities”.
- 10 recommendations of the Privacy Review have effectively been rejected.
The Government has noted that it has 5 particular focus areas. Here are some highlights from those areas.
1. Bring the Privacy Act into the digital age
- The Government recognises that there is uncertainty about what information constitutes “personal information”. Therefore, the Government will engage with regulated entities on several recommendations relevant to de-identified information and the re-identification of that information.
- The Government will implement the recommendation to consult on introducing a criminal offence for malicious re-identification of information.
2. Uplift protections
- The Government recognises that individuals don’t necessarily engage with and comprehend the privacy policies and collection notices presented to them. As a result, relying exclusively on notice and consent often places an unrealistic burden on individuals. The Government will engage with regulated entities about imposing an overarching requirement that personal information should be handled fairly and reasonably.
- The Government will implement reforms to enable the Office of the Australian Information Commissioner to provide additional guidance about what reasonable steps an entity should take to:
- keep personal information secure; and
- destroy or de-identify personal information when the entity no longer has a basis for retaining it under the Australian Privacy Principles.
- The Government will engage with regulated entities about changing the eligible data breach notification requirement from “as soon as practicable” to not later than 72 hours – as in the European Union.
- In light of recent large-scale data breaches in Australia, the Government will implement reforms to permit the Federal Attorney General to allow affected entities to share information about a breach with appropriate entities (like banks) that may be able to reduce the risk of harm to individuals arising from a data breach.
- The Government will implement reforms so that privacy policies will have to set out the types of personal information that will be used in substantially automated decisions which have a significant effect on an individual’s rights.
3. Increase clarity and simplicity for regulated entities and individuals
- The Government will consult with regulated entities about clarifying key concepts like “collection”, “disclosure”, “geolocation tracking data”, “de-identified” and “consent”.
- The Government will consult with regulated entities about introducing a distinction between data “controllers” and “processors”, as in the European Union.
- Given that the Privacy Act is one part of a broader digital and data regulatory framework, the Government will consult with regulated entities about the Attorney General’s Department developing a law design guide to assist Federal agencies when developing new schemes with privacy-related obligations.
- The Government will implement a mechanism to prescribe countries with substantially similar privacy laws, to facilitate overseas data flows.
- The Government will consult with regulated entities about developing standard contractual clauses for transferring personal information to countries that are not prescribed as having substantially similar privacy laws. We expect this would reflect what Australian organisations have been doing with bespoke transborder data handling agreements for several years.
4. Improve transparency and control for individuals
- The Government will consult with regulated entities on improved notice and consent mechanisms.
5. Strengthen enforcement
- The Government will implement increased powers for the Office of the Australian Information Commissioner.
There will be further consultations on many aspects, and it is expected that there will be transitional periods to give regulated entities sufficient time to comply with new requirements. However, it is important for regulated entities to be aware of the scope and extent of the significant changes that are likely to be implemented.
For further information regarding the above, please contact the authors or any member of our Fintech, Privacy & Emerging Technologies team.
This information and the contents of this publication, current as at the date of publication, is general in nature to offer assistance to Cornwalls’ clients, prospective clients and stakeholders, and is for reference purposes only. It does not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.