Re-defining the basics of Australian privacy law

Change to the definition of personal Information

• The Privacy Act presently applies to ‘personal information’, which is currently defined as information that is ‘about’ an individual who is identifiable or reasonably identifiable. However, there is significant uncertainty regarding what types of data are ‘about’ an individual. In particular, the increasing use of technical information (such as IP addresses, device identifiers, location data and other types of metadata that may potentially identify an individual) for profiling and identification purposes has drawn concern from regulators such as the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).

• In order to address these concerns, the Report has proposed an amendment to the definition of ‘personal information’. The proposal will change the definition of ‘personal information’ to mean ‘information that relates to an individual’. This change will bring the Australian definition of ‘personal information’ in closer alignment with the definition of ‘personal data’ under the GDPR and clarifies that a broad range technical information may be captured under the Privacy Act.

• Additionally, the Report proposes to develop a non-exhaustive list of the types of data that may ‘relate to’ an individual. The proposed list includes, amongst other things, contact details, identification numbers, online identifiers, pseudonyms, location data, technical or behavioural data in relation to an individual’s activities, preferences and identity, and inferred information and profiles generated from aggregated information.

Removal of small business exemption & introduction of controller-processor distinction

• The Report proposes to remove the small business exemption, which currently exempts the majority of businesses with an annual turnover of less than $3 million from the operation of the Privacy Act. This proposal has largely been welcomed by industry. As noted in the Report, the majority of businesses in Australia do not meet the AU$3 million annual turnover threshold, resulting in a high number of businesses managing personal information without being bound by the requirements of the Privacy Act. The removal of this exemption would bring the Privacy Act in line with its international counterparts.

• Noting that small businesses may face significantly increased compliance costs and that some small businesses which hold data have no direct relationship with individuals, the Report proposes to introduce the concept of data ‘controllers’ and ‘processors’ to the Privacy Act, albeit in a more limited manner than in the GDPR. Broadly speaking:

  • ‘controllers’ are entities that determine the purposes and methods for processing personal information; and
  • ‘processors’ are entities that hold and process the data on behalf of controllers.

It is proposed that any small business ‘processor’ will be subject to limited requirements under the Privacy Act and only required to comply with APP 1 ‘Open and transparent management of personal information’, APP 11 ‘Security of Personal Information’ and the Notifiable Data Breach Scheme (NDB Scheme) obligations.

• Both proposals are currently at a preliminary stage, and will be subject to further consultation and impact analysis prior to being introduced. In the short term, however, the Report proposes carving out the use of biometric data from the small business exemption.

Removal of employee records exemption

• The Privacy Act currently exempts certain information relating to employees from the scope of the Privacy Act. The Privacy Act Discussion Paper explored potential options for removing the exemption or limiting its scope.
• The Report concluded that enhanced privacy protections should be extended to private sector employees, although it did not provide a conclusion as to whether the exemption should be modified, removed entirely, or if enhanced privacy protections should be incorporated into workplace relations legislation instead. However, it is clear that the employee records exemption and workplace privacy laws will undergo change, subject to further consultation.

De-identified data requirements

• Presently, de-identified information that cannot be attributed to an individual does not meet the legal definition of ‘personal information’ and is not regulated by the Privacy Act.

• The Report proposes to extend some of the protections in the Privacy Act to de-identified information, which include (amongst others):

  • the requirement that APP entities take steps that are reasonable in the circumstances to protect de-deidentified information from misuse, interference and loss, and from unauthorised re-identification, access, modification or disclosure (APP 11.1);
  • requirement that APP entities take steps as are reasonable in the circumstances to ensure that any overseas recipient to whom de-identified information is disclosed to does not breach the APPs in relation to de-identified information (APP 8);
  • introduction of an unqualified right of individual to opt-out of targeted advertising, including where only an individual’s de-identified information is used for the purposes of targeted advertising; and
  • a prohibition on re-identifying de-identified information obtained from a source other than the individual to who the information relates.

Fair and reasonable test

• Introducing a requirement that all data collection, use and disclosure is ‘fair and reasonable’ in the circumstances. This standard must be met at all times and applies regardless of whether an individual has provided consent to a particular activity.

Privacy Impact Assessments for high risk activities

• Introducing a requirement for APP entities (i.e. companies covered by the Privacy Act) to conduct privacy impact assessments prior to commencing activities with high-privacy risks, which include (but are not limited to)

  • the collection, use or disclosure of sensitive information or children’s personal information on a large scale;
  • online tracking, profiling and targeting of individuals and geo-location tracking;
  • the use of biometric templates for verification of identification, the sale of personal information; and
  • the collection of personal information for the purposes of automated decision-making.

Protection of children and vulnerable persons

• Introducing additional protections for children and vulnerable persons. For children (i.e. any individual under 18 years of age), these include prohibitions on direct marketing and targeted advertising directed at children, requirements that APP entities must act with regard to the best interests of the child, and the introduction of a Children’s Online Privacy Code that aligns with the UK Age Appropriate Design Code.

Automated decision making

• Introducing requirements to set out the use of automated decision-making (ADM) in privacy policies where the use of such technology may have a legal or similarly significant effect on an individual’s rights, and a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made.

Retention periods

• Requiring APP entities to establish minimum and maximum data retention periods, which must be set out in the entity’s privacy policy

Civil penalties

• New mid-tier civil penalty provision to cover interferences with privacy that are not considered egregious enough to constitute a ‘serious’ interference with privacy and therefore are outside of the scope of the current penalty provision.
• New low-level civil penalty provision to cover specific administrative breaches of the Privacy Act, which also allow the OAIC to issue infringement notices with fixed penalties.
• Amend the current penalty provision in section 13G of the Privacy Act to remove the word ‘repeated’ and clarify that the provision covers ‘serious’ interferences with privacy. ‘Serious’ interferences with privacy may include:
  • repeated interferences;
  • interferences that involve sensitive information, affect vulnerable people or large groups of people; and/or
  • inferences involving wilful misconduct and involve serious failures to take proper steps to protect personal data).

Expanded regulatory powers

• New regulatory powers for the OAIC, including powers to conduct public inquiries and undertake investigations in relation to civil penalty provisions.

Changes to the NDB Scheme

• Amending the reporting requirements in the NDB Scheme to specify that entities must notify the OAIC of eligible data breaches within 72 hours of becoming aware. This brings the Privacy Act in line with similar requirements under the GDPR, as well as related legislation such as the Security of Critical Infrastructure Act 2018 (Cth) and the My Health Records Act 2012 (Cth).

• It was recently announced that the Australian Federal Government will allocate resources to restructure the OAIC – the OAIC will move to a three commissioner format, including a commissioner dedicated to handling data breach matters.

Potential increased burden of compliance

• The expanded scope of the Privacy Act and strengthened privacy protections may result in increased regulatory burden and compliance cost for most organisations.
• In the short term, the most significant impact will most likely be felt by entities who are not currently covered by the Privacy Act (such as small businesses). At this stage, it is unclear how the removal of the small business exemption will be implemented and what supports will be available to aid businesses in the transition. However, businesses should consider evaluating their privacy practices to ensure that they are best-placed to comply with the Privacy Act if the exemption is removed.

Change to global privacy assessment

• The expanded definition of personal information, as well as the introduction of new requirements for de-identified data, will bring a broader range of practices into the scope of the Privacy Act.
• There may be certain projects or business functions in Australia that currently operate outside of the Privacy Act due to its de-identified/anonymised nature which will likely require the introduction of controls to ensure compliance of this information against the Privacy Act and APPs.

Cross-border transfer of information

• Global businesses that often navigate cross-border transfer of data may be particularly interested in the changes regarding the transfer of data to overseas recipients. In particular, the introduction of a mechanism to prescribe or ‘whitelist’ countries and certifications for the purposes of APP 8.2 may significantly reduce the burden on businesses when determining whether a cross-border disclosure is permissible under the Act. Similarly, the introduction of standard contractual clauses (similar to the GDPR) provides useful guidance and clarity for businesses seeking to ensure that they fulfil the requirement to undertake ‘reasonable steps’ in relation to the disclosure of personal information to overseas recipients.
• There is also potential for the proposed reforms to open a pathway to Australia receiving an adequacy finding from the European Commission under the GDPR, which could facilitate a more streamlined process for navigating cross-border transfers of data to and from the EU. In particular, the proposals to removal or modify of the small business and employee records exemptions, which have been perceived major as roadblocks to Australia receiving an adequacy finding from the European Commission under the GDPR. While these proposals are subject to further consultation, and adequacy decision was not a main focus of the Privacy Act Review, the Report bookmarked the potential for an adequacy decision following the implementation of the proposed reforms.

Increased focus on enforcement

• There is a growing shift towards stricter enforcement of breaches of the Privacy Act.
• As mentioned above, increased penalties for interferences with privacy have recently been introduced and the Report proposes further penalty provisions and enforcement powers.
• Further and separately to the Privacy Act Review, the Commonwealth Attorney-General announced on 2 May 2023 that the OAIC will be expanding and moving from having a single Information Commissioner towards a ‘three Commissioner structure’ in a move that was described as necessary to deal with ‘the growing threats to data security and the increasing volume and complexity of privacy issues’. The new structure will involve splitting the current Information Commissioner role into three distinct roles: the overarching Information Commissioner, a Privacy Commissioner, and a Freedom of Information Commissioner.
• The appointment of a dedicated Privacy Commissioner is in line with the recent trend towards increased regulation and enforcement of privacy laws and signals the current Government’s intention to allocate greater resources to privacy regulation.