The Commonwealth Government is in the late stages of an investigation into privacy law reform that has its origins as far back as 2013. In the decade since this reform process started, even then overdue, there has been a significant increase in risk to personal information, partly due to the volumes of data about individuals that has been created in that time, but more so due to the technological advances in data science that has seen the power of personal information grow.
CyberCX has been monitoring this legislative reform process closely over the last few years. The 116 proposals which were released in the Attorney-General’s Department Privacy Act Review Report 2022 and addressed in the Government’s response in September 2023 will require Australian organisations to undertake significant uplift in data governance, privacy risk and information security management.
Whilst the fate of this review and any subsequent legislation is yet to be confirmed by the Government, Prime Minister Albanese and Attorney-General Dreyfuss have both publicly committed to seeing privacy law reform achieved by the current Government.
What do organisations need to consider to be ready for change?
In February 2023, the Commonwealth Government released its much-anticipated Australian privacy law reform proposals, following the introduction of new penalties and regulator powers in December 2022. This has been followed with the Government’s response to those proposals in September 2023. Following that response, our privacy practitioners at CyberCX have distilled the 116 proposals down to key considerations for Australian businesses.
The Definition of Personal Information may expand to include any information that relates to a person, which would increase the personal information holdings of a business. This may include personal device identifiers, certain IP addresses and certain metadata that are arguably not captured under current definition.
Employee Records may be included in the definition of Personal Information where data relates to an employee, which may afford this data and the data subjects all the protections and rights available under the Act. Employee records are currently exempt.
Small business (defined as having an annual turnover of $3M or less) personal information handling may be captured, either in full or for the handling of certain categories of information or for high-risk processing. Small businesses are currently exempt.
Penalties and enforcement
A Strengthen Regulator may result through an industry funded model, not unlike that of ASIC, will mean that the Privacy Commissioner will have greater funding and therefore capacity to enforce the Act.
Increased Penalties which became law in December 2022 include the ability to fine up to $50m, three times the benefit obtained from a breach, or if that cannot be determined, 30% of an entity’s turnover for the period of the breach (with a minimum of twelve months), per privacy breach.
Increased Commissioner Powers which also became law in 2022, include a greater ability to fine and conduct investigations, including in a data breach scenario.
A right to erasure may become law and will be an express right to have your data destroyed in the absence of any other legal requirement for an organisation to hold an individual’s personal information.
A right to sue for privacy breaches may be made available when an entity is responsible for serious invasion of privacy. This would include the right to sue for data breaches, but also where a company has misused an individual’s data.
Automated decision making (such as an AI application processing an individual’s information) may need to be expressly disclosed and this will possibly work in tandem with an individual right to object to the data being used, and decisions being made, in that way. This right may also have broader application to data processing.
A fair and reasonable test may be introduced to ensure that all personal information processing by an entity is within a reasonable person’s expectations and is not harmful to them.
Geo-location data may need consent for its collection and use in all circumstances.
Consent requirements may be enhanced, with a clearer definition of what constitutes consent and new a requirement on entities to make it as easy to withdraw consent as it was to provide it. Further there will likely be enhanced protections in this domain for children and other classes on individuals considered to be vulnerable persons.
Online privacy settings may be required to follow the Privacy by Default principle.
Where collection hasn’t been directly from an individual, entities may be responsible for ensuring that it has occurred lawfully at the point of original collection or creation.
Privacy Impact Assessments may become mandatory for any personal information processing by an entity that is considered an inherently high risk to privacy, or likely to have a significant impact on the privacy of individuals e.g. the processing of biometric or other sensitive information.
The Controllers and Processers concept, as found in the GDPR, may be introduced to distinguish between entities that have the direct relationship with an individual and/or which are making decisions about how personal information will be processed, versus those that are processing on behalf of a controller.
A Record of Processing may be required to be maintained for all personal information processing activities.
A Privacy Officer may need to be appointed and will be required to be a senior position and can be someone who has other responsibilities.
Mandatory Data Breach Notifications may need to be made to the regulator within 72 hours of discovery of a notifiable data breach, where currently entities have 30 days to report.
Retention and Destruction requirements may be enhanced to ensure entities aren’t retaining data longer than is necessary.
Re-identification of De-identified Information may become a criminal offence where the re-identification has been with the intention to cause harm or to obtain another illegitimate benefit.