The report is long-awaited, and the reforms it canvasses are increasingly critical to the way businesses run and operate in a digital economy. We have seen evidence of this in Australia with large scale cyber-attacks affecting personal information held by businesses and government.
The Report puts forward 116 proposals for reforming the Privacy Act. A majority of the proposals align with those made in the 2021 Discussion Paper (see our briefing here). These include broadening the definition of personal information, strengthening consent and notice requirements, expanding enforcement powers and options, introducing new rights for individuals, fairness requirements, and additional protections for practices involving a greater privacy risk.
Other notable recommendations, including some not raised in the Discussion Paper, include:
- Application of Privacy Act
- removal of the small business exemption (in the medium term)
- extending some privacy protections to private sector employees
- New roles of entities
- introducing aspects of the GDPR-like distinction between ‘controllers’ (entities that determine how and why personal information is handled) and ‘processors’ (those that act on the instructions of controllers)
- New obligations on use / retention of personal information
- specific requirements relating to ‘trading’ in (e.g. selling) personal information and targeting individuals
- introduction of a Children’s Online Privacy Code
- privacy impact assessments for high privacy risk activities
- Data breaches – regulatory
- a 72-hour timeframe to notify the Information Commissioner (OAIC) of serious data breaches
- a new mid-tier range penalty for breaches (even if they are not serious and / or repeated) and a lower-level civil penalty with infringement notice powers for administrative breaches.
- new OAIC powers to conduct public inquiries and reviews (other regulators like the ACCC have these powers)
- Data breaches -claims by impacted individuals
- introduction of a direct right of action to sue for breaches of the Privacy Act and tort of serious invasion of privacy (which only arises for intentional or reckless invasions, not merely negligent), subject to some requirements. These recommendations open the gateway to much greater class action risk than is presently the case.
The Government is now seeking feedback by 31 March 2023 to inform its response to the Report, including through an online survey facility.
Any proposals ultimately adopted by the Government will apply in the context of the increased penalties ($50 million and more), greater regulatory powers and expanded extra-territorial application of the Privacy Act, being the priority reforms which took effect in December 2022 (briefing here).
Our detailed commentary on the Report is avaliable here.
In the meantime, do not hesitate to contact us if you have any queries about the Australian privacy law reforms, how they may impact you, or wish discuss how to engage with the consultation process.