Is it a bold vision for reform, a squandered opportunity, or something in between?
How you feel about the Attorney-General’s report on the Privacy Act reform proposals, released today, probably depends on how you interpret three little words: “agrees in-principle”.
Do they mean a commitment to act soon, or a kicking of the can down the road?
Of the 116 proposals for reform laid out in the Attorney-General’s Department report in February 2023, the Attorney-General has agreed and committed the Government to 38. Another 68 are agreed to ‘in-principle’, while 10 are effectively shelved.
There is plenty of agreement that in principle, the government should consult about how something might possibly be done, in the future, maybe. (Because clearly, after a three year review process, including an Issues Paper, a Discussion Paper, and the Review Report, and hundreds of submissions made in response to each, what we need is more consultation.)
One example of some fuzzy language that would surely make Sir Humphrey proud is this, about the employee records exemption: “The Government agrees in-principle that further consultation should be undertaken … on how enhanced privacy protections for private sector employees may be implemented in legislation”.
So… is the employee records exemption staying or going? It’s hard to tell.
The report also reads like the government is hedging its bets on the final direction of reform. There are plenty of quotes and statistics to back up arguments in favour of much stronger privacy protections for Australians. But the report could also be read as laying the groundwork to go another way, with emphasis on the need to consider the financial impact on businesses of reforms.
The introduction to the report states that where the government has agreed ‘in-principle’, that agreement will be “subject to further engagement with regulated entities and a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities”. Somewhat disturbingly, the economic costs and benefits are to be explored by the Attorney-General’s Department “in consultation with Treasury”.
Since when do we try to quantify human rights in dollar terms?
I am concerned that we are being conditioned to accept that the costs of reform – as measured by the financial impact on industry – will look like they outweigh the benefits to us as individuals, because human dignity and autonomy cannot be measured in dollars and cents.
What’s out
One thing we can be certain about is the fate of the 10 proposals which have been effectively rejected. Six of these were about political parties; no surprise there, as politicians (from the major parties anyway) are in no rush to subject themselves to regulation.
Three of the rejected proposals were about bringing de-identified information within the scope of the Privacy Act, but to then only apply some of the privacy principles.
And the final rejected proposal was 20.3, which was to “provide individuals with an unqualified right to opt-out of receiving targeted advertising”.
While the rejection of these proposals around de-identification and targeting may at first appear to be a loss for privacy and consumer advocates, I would disagree. In fact, I am not surprised that these two categories of proposals have been dumped, because they were going to create more problems than they solved. (And the solutions were minimal anyway; for example, the proposed right to opt out of seeing targeted messaging was not going to stop the intrusive profiling going on behind the scenes.)
I argued previously that the attempt to set standards for not only how ‘personal information’ is handled, but also how ‘de-identified’ and ‘unidentified’ information should be handled, would massively over-complicate how the Privacy Act works. (I believe that the easier it is to understand a law, the easier it is to comply with, and thus the law is more likely to be effective in achieving its objectives.)
The Salinger Privacy submission on the 116 proposals suggested that a preferable approach would be to more clearly define ‘personal information’, to state that an individual is ‘identifiable’ if they can be distinguished from all others in a group. Such a definitional change would offer suitable protections in relation to de-identified data posing a high likelihood of re-identifiability, because re-identifiable data would be considered ‘personal information’, without creating a new compliance burden in relation to de-identified data posing a low or remote likelihood of re-identifiability.
We also argued in our submission that fixing the definition of personal information this way would also address many of the privacy risks associated with targeting systems, without needing to create ad hoc legislative provisions in relation to some use cases (noting in particular the difficulty of even deciding what targeting means), thus preserving the principles-based approach of the Act.
Happily, it looks like the Attorney-General agrees with us.
A big win: individuation within scope
Frequent readers of this blog will know that the number one thing I’m passionate about is the need to ensure that the definition of ‘personal information’ is fit for the digital age. Otherwise, we may as well all pack up this law reform gig and go home.
The definition of personal information is a critical threshold definition, because the privacy principles only apply to personal information. If a business can successfully argue that some data is not personal information, they can collect, use, disclose and trade the data with impunity.
Right now, the definition of personal information includes if someone is “reasonably identifiable”. But that phrase is foggy, to the detriment of businesses and consumers alike. Until the definition is fixed, we will continue to see Australians subject to a range of digital harms, from micro-targeting of harmful content online to the scraping of our data for commercial exploitation.
In April this year I implored the Attorney-General to take this historic opportunity to strengthen but simplify and clarify the law. Arguing that proposal 4.4 did not go far enough to clear the fog, I suggested that adding just one extra sentence to the definition of personal information will fix it: “An individual is ‘reasonably identifiable’ if they are capable of being distinguished from all others, even if their identity is not known”. It’s a concept referred to as individuation, and a position the OAIC has taken in its guidance and case determinations, but which is not yet embedded in statute.
And it looks like this argument has been accepted, because the report today says this: “Importantly, the Government considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known”.
That is a significant improvement on the Department’s position earlier this year.
I won’t be popping the champagne until I see individuation included in a Bill successfully through Parliament, but I am chalking this up as an interim win for the protection of Australians.
How about everything else?
Today’s report suggests that in relation to the 38 ‘agreed’ proposals, for those which were about legislation (as opposed to proposals about non-legislative issues like OAIC funding or priorities), the Department will now prepare a Bill and engage in further ‘targeted consultation’. The Attorney-General has committed to bring a Bill to Parliament in 2024.
What is less clear is what happens next with the 68 proposals which were agreed to ‘in-principle’. As I noted above, many of these are intended to trigger further exploration or engagement, so it is not clear how many, if any, of those proposals might be solidified in time for inclusion in the 2024 Bill.
But looking at today’s news through my glass half full, with the expectation that what has been agreed to in-principle will eventually be legislated in some form, the 16 most impactful reforms we can expect to see are:
- Small businesses to be brought within scope of the Privacy Act
- A clearer and stronger definition of personal information
- A definition for consent to clarify it must be voluntary, informed, specific, current, and unambiguous
- A new ‘fair and reasonable’ test for the collection, use and disclosure of personal information, which can’t be avoided by seeking consent
- Mandatory Privacy Impact Assessment for high-risk activities
- Mandated senior employee to hold privacy responsibility within each entity
- Baseline security outcomes to be embedded in legislation
- A Children’s Online Privacy Code, similar to the UK Age Appropriate Design Code
- Tougher rules for direct marketing, targeting and trading in personal information, in particular in relation to children
- Easier rules for public interest research
- Standard contractual clauses to facilitate compliant cross-border disclosure
- Shorter data breach notification periods
- More expansive access rights, and new individual rights to erasure, de-indexing, and to ‘meaningful information’ about how automated decisions are made
- A lower threshold to measure the seriousness of organisational conduct before the big new fines can be levied, and tiered penalties for less serious conduct
- A direct right of action for individuals to enforce the APPs in court, and
- A statutory tort of serious invasion of privacy.
The Government itself has noted that 89% of Australians want the Government to protect their privacy with better legislation, and today’s report says that the Government is “committed to uplifting privacy protections while encouraging digital innovation”.
As the Attorney-General states, “Australia can no longer afford to have inadequate privacy protections”. I agree. Now let’s get it done.
Photograph © Manki Kim on Unsplash
Want more info?
The Privacy Act in a Nutshell is our plain language guide, offering a ‘101’ on what the Privacy Act requires now, and what is likely to change. (Updated edition released 9 October 2023, to reflect the final set of law reform proposals discussed above). The Privacy Act in a Nutshell, and access to a 90 minute recorded presentation on the Privacy Act Reforms – what’s proposed, what’s next, and how to prepare, is now available in our Privacy Act Reforms Bundle.
Plus more info, analysis of the proposals, and links to reports and submissions, are on our Privacy Reforms hub page.