Online Privacy Bill and Privacy Act Discussion Paper: Stricter enforcement, Online Privacy Code and the impact for organisations handling personal information

Increasing the maximum civil penalty for a serious and/or repeated interference with privacy to an amount not exceeding the greater of: $10,000,000; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated interference with privacy; or, if the value cannot be determined, 10% of their domestic annual turnover. The Bill sets out how to calculate turnover for the purposes of this provision.

• Creating a new infringement notice provision for failing to give information, answer a question or provide a document or record when required to do so as part of an investigation (with associated additional civil penalty provisions).
• Creating a new criminal penalty for multiple instances of non-compliance.
• Expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation.
• ·Enhancing the Commissioner’s capacity to conduct assessments.
• Improving the Commissioner’s information-sharing arrangements with relevant enforcement authorities and the ability for the Commissioner to disclose information in particular circumstances.

Developing an Online Privacy Code applicable to large online platforms (defined as an organisation with at least 2.5 million end-users in Australia in a given year), social media service providers and brokerage service providers.

The Code will need to address how certain existing APPs (including in respect of privacy policies, notices and consents) apply to these organisations.

The Code will require covered organisations to take such steps (if any) as are reasonable in the circumstances to not use or disclose, or to not further use or disclose, an individual’s personal information upon request from that individual.

The Code will also address how both existing and new obligations will apply in relation to children and vulnerable groups.

The Commissioner will have the power to investigate potential breaches of the Code, either following a complaint or on the Commissioner’s own initiative. The Commissioner’s full range of enforcement powers will be available in the event that an investigation finds that a breach has occurred.

See our detailed briefing on the Online privacy code here.

Change the word ‘about’ in the definition of personal information to ‘relates to’, reversing what some considered a narrow interpretation of the definition in the Telstra v Grubb case.

Include a non-exhaustive list of the types of information capable of being covered by the definition of personal information, which could include online identifiers and location data.

Define when an individual would be ‘reasonably identifiable’.

Expressly cover information obtained from any source and by any means, including inferred or generated information.

Re-introduce the Privacy Amendment (Re-identification) Offence Bill 2016 with appropriate amendments. The Bill proposed to introduce criminal and civil penalties into the Privacy Act for re-identification of de-identified information released by Commonwealth agencies.

Require notification at or before the time of collection, or if that is not practicable as soon as possible after collection, unless the individual has already been made aware of the APP 5 matters; or notification would be impossible or would involve disproportionate effort. This will likely increase the circumstances in which notification is required.

Introduce an express requirement in APP 5 that privacy notices must be clear, current and understandable.

Privacy notices to describe, if the collection occurred via a third party, who that third party was and the circumstances of the collection.

Standardised privacy notices could be considered on a sector-specific basis.

Consent to be defined in the Act as being voluntary, informed, current, specific, and an unambiguous indication through clear action.

Standardised consents could be considered on a sector-specific basis.

Collection, use and disclosure of personal information under APP 3 and APP 6 must be fair and reasonable in the circumstances (having regard to reasonable expectation, necessity, proportionality, transparency, best interests (if children are involved), sensitivity and amount of personal information and foreseeable risk of unjustified adverse impacts or harm).

Option 1: APP entities that engage in the following restricted practices must take reasonable steps to identify privacy risks and implement measures to mitigate those risks:

• Sale of personal information on a large scale.
• Direct marketing and online targeted advertising involving collection, use or disclosure of personal information on a large scale.
• The collection, use or disclosure of personal information for influencing individuals’ behaviour or decisions on a large scale.
• Automated decision making with legal or significant effects.
• The collection, use or disclosure of sensitive information, children’s information, location data on a large scale.
• The collection, use or disclosure of biometric or genetic data, including the use of facial recognition software.
• Any collection, use or disclosure that is likely to result in a high privacy risk or risk of harm to an individual.

Option 2: In relation to the specified restricted practices, increase an individual’s capacity to self-manage their privacy in relation to that practice. Possible measures include consent (by expanding the definition of sensitive information), granting absolute opt-out rights in relation to restricted practices or by ensuring that explicit notice for restricted practices is mandatory.

Introduce pro-privacy defaults on a sectoral or other specified basis.

Amend the Act to require consent to be provided by a parent or guardian where a child is under the age of 16 and include further specific protections for children.

An individual may object or withdraw their consent at any time to the collection, use or disclosure of their personal information.

The Discussion Paper does not recommend introducing a right to data portability, noting this could duplicate aspects of the Consumer Data Right scheme and create unnecessary regulatory complexity.

An individual may only request erasure of personal information where certain specified grounds apply (eg where the personal information must be destroyed or de-identified under APP 11.2 or an Australian law, the personal information is sensitive or relates to a child) and subject to some exceptions.

Unqualified right to object to any collection, use or disclosure of personal information for direct marketing.

The use or disclosure of personal information for the purpose of influencing an individual’s behaviour or decisions must be a primary purpose notified to the individual when their personal information is collected.

Privacy policy to describe (i) whether the entity is likely to use personal information, alone or in combination with any other information, for the purpose of influencing an individual’s behaviour or decisions and if so, the types of information that will be used, generated or inferred to influence the individual, and (ii) third parties used in the provision of online marketing materials.

Repeal APP 7 in light of existing protections in the Act and other proposals for reform.

Require privacy policies to include information on whether personal information will be used in automated decision-making, which has a legal or similarly significant effect on people’s rights.

‘Reasonable steps’ to protect personal information to include technical and organisational measures (similar language to the GDPR).

Include a list of factors that indicate what reasonable steps may be required.

APP entities to take all reasonable steps to destroy the information or ensure that the information is anonymised where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under the APPs.

Introduce further organisational accountability requirements into the Act, targeting measures to where there is the greatest privacy risk.

Amend the Act to introduce a mechanism to approve countries and certification schemes.

Standard contractual clauses for transferring personal information overseas to be made available to APP entities to facilitate overseas disclosures of personal information.

Remove the informed consent exception in APP 8.2(b).

Strengthen the transparency requirements in relation to potential overseas disclosures to include the countries that personal information may be disclosed to, as well as the specific personal information that may be disclosed overseas in the entity’s up-to-date APP privacy policy required to be kept under APP 1.3.

Introduce a definition of ‘disclosure’ that is consistent with the current definition in the APP Guidelines.

Amend the Act to clarify what circumstances are relevant to determining what ‘reasonable steps’ are, in relation to ensuring a recipient’s compliance with the APPs for the purpose of APP 8.1.

Continue to progress implementation of the APEC Cross-Border Privacy Rules (CBPR).

Introduce a voluntary domestic privacy certification scheme that is based on, and works alongside CBPR.

Create tiers of civil penalty provisions to give the OAIC more options so they can better target regulatory responses.

Clarify what is a ‘serious’ or ‘repeated’ interference with privacy.

Empower the OAIC to undertake public inquiries and reviews into specified matters.

Require an APP entity to identify, mitigate and redress actual or reasonably foreseeable loss.

Give the Federal Court the power to make any order it sees fit after a civil penalty provision has been established.

Introduce an industry funding model similar to ASIC’s, incorporating two different levies.

Create a direct right of action with the following design elements:

• The action would be available to any individual or group of individuals whose privacy has been interfered with by an APP entity.
• The action would be heard by the Federal Court or the Federal Circuit Court.
• The claimant would first need to make a complaint to the OAIC (or new Federal Privacy Ombudsman) and have their complaint assessed for conciliation either by the OAIC or a recognised external dispute resolution scheme, such as a relevant industry ombudsman.
• The complainant could then elect to initiate action in court where the matter is deemed unsuitable for conciliation, conciliation has failed, or the complainant chooses not to pursue conciliation. The complainant would need to seek leave of the court to make the application.
• The OAIC would have the ability to appear as amicus curiae to provide expert evidence at the request of the court. Remedies available under this right would be any order the court sees fit, including any amount of damages.

Option 1: Introduce a statutory tort for invasion of privacy as recommended by the ALRC Report.

Option 2: Introduce a minimalist statutory tort that recognises the existence of the cause of action but leaves the scope and application of the tort to be developed by the courts.

Option 3: Do not introduce a statutory tort and allow the common law to develop as required. However, extend the application of the Act to individuals in a non-business capacity for collection, use or disclosure of personal information that would be highly offensive to an objective reasonable person.

Option 4: In light of the development of the equitable duty of confidence in Australia, states could consider legislating that damages for emotional distress are available in equitable breach of confidence.

Statement about an eligible data breach must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.

• How might the employee records exemption be modified to better protect those records while retaining the flexibility employers need to administer the employment relationship, and address the impact of the Fair Work Commission’s decision in Lee v Superior Wood?
• To what extent would the fair and reasonable test for the collection, use and disclosure of personal information proposed above be suitable for the employment context?
• To what extent would the current exceptions in APPs 12 (access) and 13 (correction) address concerns about the need for employers to conduct investigations and manage employee performance if the exemption were modified?
• What would be the benefits and costs associated with requiring employers to take reasonable steps to prevent employees’ personal information from misuse, interference or loss?
• What challenges or barriers would there be to requiring employers to comply with the NDBS in relation to eligible data breaches involving all employee records?
• What would be the benefits and limitations of providing enhanced protections for employees’ privacy in workplace relations laws?

• What high privacy risk acts and practices should be prescribed as exceptions?
• What support for small business would assist with adopting the privacy standards in the Act?
• What could be the impact of specific proposals including around consent voluntary domestic privacy certification scheme on small business?

• What would be the benefits and costs of applying some specific APPs to political parties and their affiliates?
• What impact would introducing a public interest requirement into the journalism exemption, have on the free flow of information to the public through the media?
• What might be the positive or adverse consequences of applying security obligations under APP 11 to media organisations in the course of journalism?

• Are there any advantages or disadvantages of introducing these concepts in the Act?
• If adopted, what obligations under the Act should processors have (record keeping, security, NDBS etc.)?