The Australian Government has announced it is reviewing the Privacy Act 1988 (Cth) (Privacy Act), to “ensure privacy settings empower consumers, protect their data and best serve the Australian economy.” The review is long-awaited and forms part of the government’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry – Final Report.
Conducted over an 18-month period, the Digital Platforms Inquiry examined the power, influence and impact digital platforms had on media, advertisers and consumers. As a result, the ACCC identified an array of privacy issues, including a lack of transparency in data handling practices and a need for stronger consumer privacy protections.
At the commencement of the review of the Privacy Act, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, reflected that it will provide “a landmark opportunity to ensure our privacy framework can respond to new challenges in the digital environment.”
“Issues such as consent requirements, additional privacy rights, accountability measures and the Privacy Act’s coverage are fundamental to how we address the privacy challenges of the future,” she added. Indeed, any changes to consent requirements and coverage of the privacy laws that apply to the private sector in Australia will have significant, and wide-ranging impact on business.
Broader coverage = uniform obligations and less consumer confusion
The focus on the jurisdiction and scope of the Privacy Act as part of the review is of particular interest in the SME and small business space.
The Issues Paper released by the Attorney-General’s Department setting out potential reform areas, indicates that the review will be examining whether the current exemptions, such as the ‘small business’ and ‘employee records’ exemptions, in the Privacy Act are still appropriate.
Currently, the Australian Privacy Principles (APPs) in the Privacy Act generally apply to:
- Australian Government agencies;
- private sector health service providers;
- contractors that provide services under a Commonwealth contract;
- businesses that trade in personal information; and
- business with a turnover over 3 million dollars.
The appropriateness of this turnover threshold is likely to be the subject of robust debate during the review consultation. Similarly, there are a number of questions in the Issues Paper that relate to the current ‘employee records’ exemption in the Privacy Act, another area where the scope of privacy regulation in Australia can be complicated and unclear.
It has long been the case that consumers assume, and desire, that privacy obligations apply broadly and uniformly to all businesses and all personal information. Indeed, given the ubiquitous and interconnected nature of data protection obligations, it would likely reduce a lot of confusion for both business and consumers if the jurisdiction of the Privacy Act was significantly widened across the private sector.
With the potential for a broadening of the scope of the Privacy Act to address privacy issues in small business and employee records, SMEs and HR departments should follow the review closely.
Is moving towards more regulation a step in the right direction?
In terms of simplifying obligations across organisations however, it is not always the case that one size fits all. To move away from the current principles-based approach to more prescriptive regulation would be a significant shift in the privacy regulatory landscape in this country, which many argue is neither necessary nor desirable.
A more prescriptive approach to consent requirements for the handling of personal information, for example, can lead to organisations relying too heavily on consent and, as a result, significantly restricting their dealings with customers and flexibility in their data handling.
Not only was this approach irritating to consumers, it was also particularly problematic in Australia where the spam rules actually require consent before the sending of commercial electronic messages. Meaning that, if the organisation didn’t already have an individual’s consent to contact them, they were potentially at risk of breaching the Spam Act 2003 (Cth) by sending them an email in the first place!
Currently, the Privacy Act does require consent in limited circumstances, such as when an organisation collects ‘sensitive information’ or uses personal information for a related secondary purpose that is not within the individual’s ‘reasonable expectations’.
This ‘reasonable expectations’ test allows for greater flexibility, provided the organisation is clear and transparent about its information handling practices and the purposes for its collection of the data. To require anything more prescriptive may have unforeseen consequences and limit an organisation’s abilities to share information in a manner that would, in fact, be in the individual’s ‘legitimate interest’ – currently a criterion for permitted data processing even under the very strict GDPR.
Greater power to enforce the rules > stricter rules
The answer to improved privacy regulation in Australia may lie less in the wording of the legislation itself, but in its application, implementation and enforcement. Importantly, one of the key areas of focus for the review is regulation of tech giants and social media platforms, who are unlikely to be swayed by the current maximum penalty under the Australian regime of $2.1 million.
Increasing the powers of the Australian Privacy Commissioner and the penalties for non-compliance are also likely to have a greater impact on the internal stakeholder buy-in for data protection measures in organisations than the introduction of more prescriptive rules.
In the same way that the introduction of the GDPR and the Notifiable Data Breaches scheme brought about more attention for business privacy compliance programs, the proposed increase in penalties under the Privacy Act will likely bring data protection into the corporate governance spotlight once again.
The Issues Paper is the first of two papers available for the public to comment on (if you’d like to lodge a submission you can do so here until 29 November, 2020). A subsequent discussion paper is set to be released early next year, which will be looking for more specific feedback on the initial outcomes, including any and all reform options.
One thing is for certain, the review is a critical step in solidifying Australia’s contemporary approach to data protection regulation. How involved private sector organisations are during the consultation period may impact how involved they are in determining their own data-protection compliance measures in future.
1300 774 788
Suite 17, 116-120 Melbourne St, Nth Adelaide, SA 5006
1300 774 788
Suite 17, 116-120 Melbourne St, Nth Adelaide, SA 5006