The Australian Government has published an issues paper outlining and seeking feedback on the Privacy Act 1988 (the Act) and other Australian laws protecting personal information, with submissions on a series of 68 questions due by 29 November 2020.
It will then prepare and release a discussion paper including possible options for reform early next year. This is likely to be the most significant reform to the Act since the 2014 reforms which introduced the Australian Privacy Principles (APPs) and a reworked credit reporting scheme.
The issues paper follows the Government’s December 2019 announcement that it would conduct a review of the Act as part of its response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry (DPI) report [1]. We published a detailed overview of the DPI’s privacy recommendations and the Government response earlier this year, comparing the key recommendations to the European Union’s General Data Protection Regulation (GDPR) and to the 2008 Australian Law Reform Commission report on Australian privacy law (ALRC Report) [2].
The new issues paper largely restates and summarises the findings and recommendations of the DPI, and also refers back to earlier reports such as the ALRC Report. The ALRC Report ultimately led to the 2014 Privacy Act reforms described above; however, many of the ALRC’s recommendations either received no Government response at all or received in-principle support but were never implemented.
The table below sets out some of the key topics and issues raised in the issues paper.
| Topic | Issues paper questions |
|---|---|
| Definition of personal information | Should the definition change to provide more coverage for: technical data; inferred personal information (eg data combined from multiple sources for customer profiling); de-identified data (until it is permanently anonymised); and deceased individuals? |
| Flexibility of the APPs | Are the APPs sufficiently scalable and adaptable? |
| | Are the mechanisms available to deal with more specific types of entities, information and activities (eg regulations, APP codes) appropriate? |
| Privacy Act exemptions | Should any of the following exemptions be removed or modified: small business; employee records; political parties? |
| | How should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed? |
| Notice | How can individuals’ awareness and understanding of the handling of their personal information be improved, while limiting regulatory burden and information overload? |
| | Would a standardised notice framework (eg using standard words and icons) assist? |
| | Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information? |
| Consent | What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed? |
| | Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information? |
| | If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary or central to providing the relevant product or service, should that be grounds to deny them access to that product or service? |
| | What requirements should be considered to manage ‘consent fatigue’ of individuals? |
| | Should pro-privacy defaults be required for certain uses and disclosures of personal information? |
| | Should specific requirements be introduced in relation to how entities seek consent from children? |
| | Should entities be required to refresh an individual’s consent on a regular basis? |
| | Should entities be required to expressly provide individuals with the option of withdrawing consent? |
| Use and disclosure | Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities? Are the current ‘permitted general situations’ and ‘permitted health situations’ exceptions appropriate? |
| Internet of things | How can the personal information of individuals be protected where IoT devices collect personal information from multiple individuals? |
| Direct marketing | Should direct marketing protections for individuals be improved? Are current consent practices too broad? |
| Overseas data flows | Are APP 8 and section 16C on overseas disclosure (restrictions and exceptions) still appropriate? |
| | Are the exceptions in sections 6A and 6B for overseas conduct required by foreign laws appropriate? |
| | Should there be restrictions on overseas use (as opposed to disclosure) of personal information, eg storage by overseas cloud storage providers? |
| | Should Australia seek EU ‘adequacy’ status under the GDPR to facilitate transfers of personal data from the EU to Australia? |
| | What are the challenges of implementing the APEC Cross-Border Privacy Rules? Should a separate privacy compliance certification scheme be developed? |
The issues paper also raises questions on the following topics:
- Data security
- Requirements to destroy or de-identify personal information that is no longer needed
- A new right of erasure
- Overcollection of personal information
- Individuals’ rights to access and correct their personal information
- A new direct right to sue for invasion of privacy
- The notifiable data breach scheme
- The interaction between the Act and other laws

[1] Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report
[2] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (Report No 108, May 2008)