The road to law reform is often long, and in the case of the Australian Privacy Act this latest iteration will prove no exception.
In October 2020 the Australian government released an Issues Paper to explore the question of whether the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose. Submissions were called for, against a range of questions, and will be published on the Attorney General’s Department website in due course. In terms of next steps, the Government’s plan is to follow up this round of review by publishing a Discussion Paper in 2021 with more concrete proposals for legislative amendments.
This blog provides an overview of the background to this particular review, and thoughts on the likely shape of law reform to come in 2021 and beyond.
Federal privacy law in Australia dates back to 1988, when the Privacy Act was first introduced to regulate federal public sector agencies. That law was born from a proposal to introduce a national identity card, which was ultimately dropped by the Australian government due to public opposition, amidst a growing demand for privacy laws to rein in the powers of bureaucrats.
For the first decade or so the Privacy Act only regulated government agencies, but it was reformed in 2000 to extend its scope to also cover much of the private sector. (Public sector agencies at the state, territory and local government levels are instead regulated by a patchwork of state and territory privacy laws.)
In 2008 the Australian Law Reform Commission (ALRC) tabled the results of its two-year-long review into the Privacy Act, and made numerous recommendations for reform. Some of those recommendations were accepted and taken up in amendments to the Act, which ultimately took effect in 2014.
The explosion of growth in digital technologies, social media platforms and the Internet of Things all point to the need for privacy law to keep up with the challenges posed to individual privacy by new technologies. In 2019 the Australian Competition and Consumer Commission (ACCC) published its final report from its Digital Platforms Inquiry, which considered the behaviour of the major platforms such as Facebook and Google. The ACCC’s report highlighted risks for both consumers and businesses from the business models followed by major technology companies which primarily rely on the collection and analysis of consumer data as the source of their wealth and power. Amongst their other recommendations, the ACCC suggested that the Australian Government should conduct a review into whether the Privacy Act remains fit for purpose in this digital age. In late 2019 the Government agreed to review and reform the Act, which brings us to the Issues Paper released in October 2020.
Terms of Reference
The Issues Paper asks for submissions in response to 68 questions, ranging across the Terms of Reference, which are to examine and consider options for reform on matters including:
- The scope and application of the Privacy Act including in relation to: the definition of ‘personal information’, current exemptions, and general permitted situations for the collection, use and disclosure of personal information.
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to: notification requirements, consent requirements including default privacy settings, overseas data flows, and erasure of personal information.
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act.
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives.
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Likely directions for reform
One of the themes running through this latest review is the need to ensure that Australia’s privacy laws empower consumers to protect their data, while also ensuring that businesses can engage with consumers online to secure their economic growth. Of particular concern is the need to ensure that the Privacy Act is brought closer into line with GDPR, so that Australia could – possibly – finally secure an ‘adequacy’ decision from the European Commission, which would open up more possibilities for trade in personal information. To date, an adequacy ruling has escaped Australia, primarily because of a number of carve-outs from the Act’s coverage of the private sector, including exemptions for small businesses, employee records, political parties and media organisations. Expect to see significant debate over any proposals to scrap those exemptions; this is not the first time the matter has been considered.
One of the topics canvassed in the 2008 ALRC report was whether or not Australia should have a statutory tort of privacy, with the ALRC concluding that it should. The Government did not act on that recommendation. This topic was, however, referred back to the ALRC in 2013 for its own more comprehensive review, which resulted in a report in 2014. That report again recommended the introduction of a statutory tort for serious invasions of privacy. Again, the Government of the day did not act. However, the idea has been the subject of numerous other independent or bi-partisan inquiries and recommendations, at both federal and state levels, including most recently by the ACCC. 2021 might finally be the year in which the Government acts on the multiple recommendations.
Between the European Parliament moving on AdTech and Google phasing out third-party cookies by 2022, expect this latest review to also focus on targeted advertising, personalised content and the role of online identifiers. A re-think of the threshold definition of ‘personal information’ and whether it does implicitly, or should explicitly, include online identifiers and technical data, or should allow for individuation, could lead to significant shifts in the scope of Australian privacy regulation.
Another topic likely to gain plenty of attention is the need to reduce reliance on the ‘notice and consent’ self-management model of privacy regulation, in favour of stricter limits on collection, use and disclosure. The Issues Paper canvasses alternative models such as GDPR-type over-arching fairness tests and Canadian no-go zones for certain types of data flows.
Also looking to other jurisdictions for influence and ideas, the Issues Paper asks whether Australia should introduce some GDPR-type individual rights, such as the right to erasure, or US-type certification schemes.
Finally, expect some consideration about how to improve access to justice, such as a direct right of action for individuals with a complaint about a breach of a privacy principle. To date, complainants can only approach the privacy regulator, the Office of the Australian Information Commissioner (OAIC), whose backlog of complaints creates delays and operates as a barrier to resolution. The ability to take a complaint to a tribunal or court with the power to order compensation – as happens under some State privacy laws – could see a meaningful improvement in access to justice for those individuals keen to have their day in court.
The Salinger Privacy wishlist
What’s on our wishlist for 2021? A Privacy Act fit for the digital economy. You can read our detailed submission in response to the Issues Paper here.