The Australian Attorney-General has published the (long-awaited) results of the Privacy Act review.
The report recommends a number of changes to the Australian privacy framework, including various changes to Australia’s core privacy legislation, the Privacy Act 1988 (Cth).
The report does not represent official Government policy and there is no guarantee that the proposed changes will eventually make their way into law. However Australian businesses should start preparing for these changes, particularly given the level of bipartisan support for privacy reform following several large-scale data breaches in 2022.
What changes are proposed?
Broadly the structure of the Privacy Act will remain unchanged, despite the number of recommended changes identified. Notably, the Australian Privacy Principles will not be supplemented with more precise rules governing data processing activities.
Some of the proposals can be viewed as clarifications rather than substantive changes, including calls for expanded guidance notes from Australia’s privacy regulator, the Office of the Australian Information Commissioner.
However there are a number of recommendations which, if implemented, will materially change the way in which Australian organisations approach privacy compliance. For example:
- A significant expansion of data subject rights, with many concepts borrowed from other regimes such as the GDPR, including the right of erasure, right to withdraw consent, right to object to the collection, use or disclosure of personal information and the right to de-index online search results containing certain categories of personal information.
- Introduction of a direct right of action for individuals, for a serious interference with privacy, plus a statutory tort of privacy.
- More structured processes around direct marketing, tracking and trading in personal information, including an unqualified right to opt-out of receiving targeted advertising.
- A partial removal of the exemption for employee records, with limited obligations applying to HR data such as the requirement to keep data secure and notify staff of relevant data breaches.
- Greater transparency around privacy policies and collection notices, with additional data points to be included and calls for development of standardised templates and layouts on a sector-by-sector basis, to make it easier for data subjects to understand and compare policies.
- Updating the basis on which offshore transfers can be made, including where Standard Contractual Clauses are used, where informed consent has been obtained or where an adequacy decision is in place.
- Removal of the exemption for small businesses (i.e. with an annual turnover of AUD 3 million or less), which will materially increase the number of organisations required to comply with the Privacy Act, although this has been flagged as requiring further consultation.
- For organisations which process the personal information of minors, a suite of changes including development of a Children’s Online Privacy Code and a prohibition on direct marketing to children unless certain conditions are met.
What are the next steps?
It’s yet to be seen how the Australian Government will respond to the review, and whether it will accept the recommendations made.
The report itself notes that some proposals have not had the benefit of stakeholder feedback and will require further consultation prior to implementation. Therefore it’s likely to be some time before the changes can be adopted in full (if indeed they are adopted at all).
In the interim, there are changes which Australian businesses can make to their processes now, to reduce the impact if and when these recommendations are adopted.