The long-awaited Report of the Review (Review) of the Privacy Act 1988 (C’th) (Privacy Act) by the Attorney-General’s Department (A-G) was released on 16 February 2023. It contained 116 proposals at a principles level. The Report did not attach an exposure draft of privacy reform legislation. Additional feedback is now sought by 31 March 2023 before the Government decides what further steps to take.

Review Background

The A-G’s Review was instigated following the Australian Competition and Consumer Commission’s (ACCC) 2019 Digital Platforms Inquiry final report (DPI Report), which made several privacy recommendations. The Review commenced in October 2020 with the release of an Issues Paper, followed by a Discussion Paper in 2021 which put forward proposals for consultation for reform of the Act.

Report welcomed

Both general and specialist media and regulators have welcomed the release of the Report and most proposals, including those not canvassed previously.[i] These included the Australian Information Commissioner, who hailed the proposal for a new positive obligation that personal information handling is fair and reasonable as a new keystone of the Australian privacy framework, stating:

This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place. [ii]

A new carve out for research data use cases is among a number of proposals where fresh discussion is anticipated.  

Three important proposals

Despite the inclusion of new proposals in this Report, at least three of the 116 proposals have featured on the Australian privacy reform agenda for years. Legislation introducing the following three would significantly broaden the application of privacy obligations in Australia and support more effective enforcement:

  • Proposal 1 (Remove the existing) small business exemption, and
  • Proposals 27 (Introduce a) statutory tort for serious invasions of privacy and 26 (Introduce a) direct right of action.

1. Small business exemption (Proposal 6.6)

The proposed removal of the small business exemption from the Privacy Act recognises the ever-increasing privacy risks posed by small businesses (especially online), together with the benefits of improved privacy protection for both individual Australians and the economy.

Removal of this exemption would require all Australian businesses to comply with the Act, regardless of annual turnover, and not just those businesses with an annual turnover of more than $3 million per annum as at present. This reform would align the Australian privacy regime more closely with the EU’s General Data Protection Regulation (GDPR) and similar international legislation, helping to facilitate international information transfers to Australia.

Nevertheless, due to unique challenges faced by small businesses of which the government is mindful, and the potential regulatory burden associated with complying with the Privacy Act, the Report has proposed that the exemption not be removed until steps have been implemented to facilitate small business compliance and provide support. Accordingly, it recommends that an impact analysis be undertaken to estimate the compliance costs for different types of small businesses (low/medium/high risk). Consultation with small business will focus on determining the most appropriate way for small businesses to meet their obligations proportionate to the risk (for example, through a code).

Despite this, some known high-risk activity is singled out for proposed reform in the short term:

  • prescribe the collection of biometric information for use in facial recognition technology as an exception to the small business exemption, and
  • remove the exemption from the Privacy Act for small businesses that obtain consent to trade in personal information.

Other exemptions are less affected. In respect of the employee records exemption, the Report proposes that enhanced privacy protections be extended to private sector employees. It recommends consultation on how the protections should be implemented in legislation, including how privacy and workplace relations laws should interact, and again floats the possibility of privacy codes. Some tightening of the provisions of the political and journalism exemptions is also proposed.

2. Statutory tort of privacy (Proposal 27) and direct right of action (Proposal 26)

Proposal 27.1 is for the introduction of a statutory tort of privacy, in the form previously recommended by the Australian Law Reform Commission (ALRC) in its Report 123 (‘Serious Invasions of Privacy’, 2014) but not previously enacted.[iii] The proposed tort concerns serious invasions of privacy that are intentional or reckless but not merely negligent. The invasion of privacy need not cause actual damage and individuals may claim damages for emotional distress.

The tort would extend to individuals and state and territory agencies in addition to APP entities and Commonwealth agencies. The ALRC’s recommendation was that a privacy tort be enacted as a standalone Commonwealth Act rather than the Privacy Act. The Report recognises the need for consultation with states and territories to ensure a consistent national approach is adopted. It anticipates that the tort action could be commenced in both federal and state and territory courts through cross-vesting of federal jurisdiction.

Note that this significant development is coupled with a proposed direct right of action under the Privacy Act (Proposal 26.1) permitting individuals or groups of individuals, including representative individuals by consent of affected group members, to apply to the courts seeking compensation or other damages for loss or damage that results from an established breach of privacy by an APP entity. Such loss or damage could include injury to the person’s feelings, or humiliation (again, emotional distress).

The proposed forum for this direct right is the Federal Court or the Federal Circuit and Family Court of Australia (FCFCOA), though claimants would first need to make a complaint to the Office of the Australian Information Commissioner (OAIC) and have their complaint assessed for conciliation.

The OAIC would have the ability to appear as amicus curiae or to intervene in proceedings instituted under the Privacy Act, with leave of the court, in respect of both the statutory tort and the direct right of action.

What comes next?

Submissions on the report are due by 31 March 2023. A 42-question survey has also been published to assist in gauging stakeholders’ reactions. [iv] Once this latest consultation period has closed, the Government will formally respond to the Report, possibly indicating which of the 116 proposals it will implement in amending legislation. Only then is it likely to release an exposure draft of an amendment bill.

Comments by the Attorney-General and the Report itself leave little doubt that the Government understands the need for urgent privacy law reform:

Strong privacy laws are essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry.

and

… the Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.[v]

Although the reform process is slowed yet again by the further round of consultation following this Report, and it remains difficult to predict how long the overall reform process will take, Australians must hope for, and encourage the Government to achieve, significant privacy reform in its current term.

This article is not intended and should not be treated as legal advice.

[i] See, for example, ‘Government examines “fair and reasonable test” for personal info handling’, iTnews, 16/2/23; ‘Proposed privacy reforms could help Australia play catch-up with other nations. But they fail to tackle targeted ads’, The Conversation, 20/2/23; ‘Company payouts to hack victims’, The Australian, p. 2, 16/2/23.

[ii] https://www.oaic.gov.au/updates/news-and-media/oaic-welcomes-release-of-privacy-act-report

[iii] It was also proposed in the ACCC’s DPI report.

[iv] https://consultations.ag.gov.au/integrity/privacy-act-review-report/consultation/

[v] Hon. Mark Dreyfus media release: https://ministers.ag.gov.au/media-centre/landmark-privacy-act-review-report-released-16-02-2023
