The Privacy Act 1988 (the Privacy Act) was introduced to protect the privacy of individuals and regulate how businesses (generally with a turnover higher than $3 million) handle personal information. Reforms over the years have expanded the powers of the Information Commissioner and included stricter data breach regulations.
If your business is regulated by the Privacy Act 1988 (Cth), then you’ll need to know how upcoming amendments will affect the way you collect, use, store and disclose personal information relating to your consumers.
Why Do We Need Changes?
Advances in technology, and digital platforms’ ability to access, store, use and share personal information, mean that concerns have grown over the current Act’s ability to maintain consumer rights to privacy and to hold businesses accountable for protecting consumers’ personal information.
The Big Picture
There are two prongs to the upcoming reforms that both invite input from businesses and individuals.
Online Privacy Bill
The first one is the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 or the Online Privacy Bill. This bill has been drawn up in response to the Australian Competition and Consumer Commission (ACCC)’s Digital Platforms Inquiry. It will provide an online privacy code for social media and certain other large online platforms, laying out penalties and enforcement measures.
Many of these measures are in response to an increase in mental health issues among young social media platform users. Submissions are invited by 6th December 2021.
The other is a Privacy Act Review Discussion Paper that aims to build on the outcomes of the first consultation by ensuring that Australia’s privacy law framework protects consumers’ data.
This relates to broader reform to privacy legislation proposed to strengthen the backbone of privacy laws in Australia. The discussion paper is open to submissions until 10th January 2021.
Current Provisions Of The Privacy Act
The Privacy Act doesn’t regulate all businesses. If you’re unsure as to whether your business is affected by the Privacy Act, we have outlined the main criteria in a simple guide for you here, or you can use this checklist.
For example, if your business has an annual turnover of less than $3 million, then you may not need to comply with the Act.
The Act deals with the collection, storage and distribution of personal information. So, the Act will affect your business activities if they involve the collection of consumers’ personal information, and it regulates how you treat that data. Such information might be their contact details, activities, financial or tax information.
The Act contains 13 Australian Privacy Principles (APPs) that specify the following:
- Your business must manage all personal information in an open and transparent way
- Your business must give individuals the option of not identifying themselves or using a pseudonym
- When it is appropriate (or reasonably necessary) for your business to collect personal information
- What to do when you receive an individual’s personal information that you did not solicit (unsolicited personal information)
- When your business collects an individual’s personal information, you must take reasonable steps to disclose certain information about your business and why you need their information
- When your business collects personal information, it is expected that you only use that personal information in ways that the individuals would expect
- Your business cannot use personal information for the purpose of direct marketing unless the individual would reasonably expect you to, and you must offer options to unsubscribe
- You must take all reasonable steps to ensure that any overseas recipient of personal information does not breach the APPs (you are accountable)
- The use and disclosure of government-related identifiers, such as passport, Medicare, Centrelink and licence details, are restricted
- Your business must take all necessary steps to ensure that the personal information it collects is accurate, up-to-date and complete
- Your business must ensure that the personal information you collect is not misused, interfered with or lost (this APP talks about security systems and monitoring for data breaches)
- Your business must generally allow access by an individual to personal information you hold about them
- Your business is required to correct personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading
If you’re not too familiar with these principles, we’ve written about them in more detail here.
Proposed Online Privacy Bill
Since the Privacy Act 1988 doesn’t specify protections against abuse of personal information by social media or online platforms, there need to be some changes to current provisions to allow for this online privacy (OP) code.
The recommendations of the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms report of July 2019 have led to some proposed key changes, including specifying the kinds of businesses (OP businesses) that are targeted.
They include social media services such as:
- Social networking such as Facebook
- Dating applications
- Online content services such as OnlyFans
- Online blogging or forum sites such as Reddit
- Gaming platforms that operate in a model which enables end-users to interact with other end-users, such as multiplayer online games with chat functionalities
- Online messaging and videoconferencing platforms such as WhatsApp and Zoom
They also include data brokerage services and large online electronic services with over 2,500,000 end users in a year.
Proposed Inclusions And Amendments
The key changes proposed to allow for these added protections for online platform users include:
- Increased penalties – maximum penalties under the Privacy Act are to increase to $10 million
- Third party information – a third party’s identity should be readily available if reasonably possible
- Fair and reasonable handling of data – it should allow for easy opt-out, and companies should mitigate risks in relation to sensitive information
- Overseas data flows – removing consent exceptions and including some standard contractual privacy protection clauses
- Mandating the erasure of personal information where it relates to sensitive information or children
- Greater transparency and the right to object in direct marketing where personal information will be used to influence an individual’s behaviour
- Possibly lowering the annual turnover threshold of $3 million
- Better protection for employee data with respect to former employers
- Requests for submissions relating to concepts of data controllers and data processors
- A proposed direct right of action for privacy breaches
Privacy Act 1988 Discussion Paper
The purpose of the review of the Act is to ensure privacy protections empower consumers, protect their data and best serve the Australian economy. The discussion paper seeks to determine:
- The scope and application of the Privacy Act
- Whether the Act effectively protects personal information and promotes good privacy practices by businesses
- Whether individuals should have direct rights of action to enforce privacy obligations
- Whether a statutory tort for serious invasions of privacy should be introduced
- The impact and effectiveness of the notifiable data breach scheme
- The effectiveness of enforcement powers
- Interest in an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws
Key Proposed Amendments
There are a number of proposed amendments, however the key amendments to take away from the review are as follows:
- Broadening the definition of personal information – this would include online identifiers and location data, as well as defining when a person is ‘reasonably identifiable’
- Providing greater clarity around giving notice of collection of personal information
- Defining ‘consent’ (to data collection and use) as being voluntary, informed, current, specific, and unambiguous
- Collection, use and disclosure of personal data must be fair and reasonable in the circumstances – this is tightened by reference to reasonable expectation, necessity, proportionality, transparency, best interests in the case of children, sensitivity and amount of personal information and foreseeable risks
- Introducing increased protections with regard to businesses that deal in restricted practices such as data brokering or the collection of sensitive information
- Introduce some default pro-privacy settings
- Increased protection for children and vulnerable individuals
- An unequivocal right for an individual to object or withdraw consent to their data being collected, used or disclosed
- Notification of use of information to affect behaviour (such as direct marketing) must be given
- Privacy policies to include information on whether personal information will be used in automated decision-making
- Tightening up the definition of reasonable steps to ensure personal data is secure and is destroyed when no longer required
- Further organisational accountability requirements to be introduced where there is greatest privacy risk, and specifically in relation to any secondary purposes of data collection
- Improving security and transparency in relation to overseas data flows
- Creating and/or clarifying enforcement provisions
- Creating a direct right of action for privacy breach victims, including a process for conciliation and court action
- Options laid out for a possible statutory tort of privacy
- Amendments to the Notifiable Data Breaches Scheme (NDBS) to include the steps the entity has taken or intends to take in response to the breach
Both the Online Privacy Bill and the Privacy Act Review Discussion Paper recognise that the increased use of social media and digital platforms means we need to extend privacy provisions to those spaces so that personal information collection, use and distribution is consistently regulated.
So, they are seeking input from businesses and individuals to help shape the reforms to the Privacy Act 1988. You can do this by following these links:
If you’re a business affected by the Privacy Act 1988, then you’ll need to look at whether any of the proposals will affect the way you collect, use and distribute any personal information relating to your consumers. You may need to look at your processes, procedures, security measures and how you monitor for data breaches to ensure you remain compliant.
If you have concerns or need legal advice about privacy laws and how they affect your business, Sprintlaw has the expertise. Reach out to our team for a free, no-obligations chat at firstname.lastname@example.org or 1800 730 617.