Government Announces Two Privacy Reviews – Summary for IAB Members

On October 28, 2021 Policy and Regulation

The federal Attorney-General’s department released two privacy reviews on 25th October 2021. These reviews set out a range of reforms intended to strengthen privacy protection for consumers in the evolving online environment.  These reviews are:

  1. Privacy Act Review – Discussion Paper October 2021

This Discussion Paper sets out a range of potential longer-term reforms to the Privacy Act, to “..ensure privacy settings empower consumers, protect their data and best serve the Australian economy”.

This Discussion Paper follows on from an Issues Paper in October 2020 and consultations with industry that were done at that time. 

It presents a further developed set of proposals for consultation which effectively broaden the scope and enforceability of the Act, including:

  1. Broadening the definition of what constitutes “personal information” including clarifying the types of information capable of falling within the new definition.
  2. Requiring additional matters to be included in privacy policies, including for example in relation to whether third parties are used for marketing purposes and if so, the details of those third parties.
  3. Strengthening the requirement for when a collection notice is required.
  4. Introducing an additional requirement that handling of personal information (including collection, use or disclosure of personal information) must be ‘fair and reasonable in the circumstances’.
  5. New requirements for pro-privacy default settings on websites (on a sectoral or other specified basis), for example, opt-in rather than opt-out.
  6. Changed rules for cross-border data flows.
  7. Replacement of the requirement to ‘de-identify’ data with the higher standard requirement to ‘anonymise’ data before the provisions of the Privacy Act no longer apply.
  8. Additional requirements in relation to mandatory notification following certain data breaches.
  9. A right to erasure of personal information in certain circumstances.
  10. Creation of a direct right of action for breaches of privacy under the Act.
  11. Introduction of a statutory tort for invasion of privacy.
  12. Modifying the journalism exemption (to potentially narrow it), including for example by introducing a public interest requirement. (NB The exemption doesn’t currently apply to advertising).

Submissions to this review are due on 10 January 2022.

 

  2. Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021

The second privacy review, also released by the Attorney-General’s Department this week, was draft legislation proposing what are intended to be more immediate amendments to the Privacy Act including:

  • Allowing for the development and implementation of an Online Privacy Code (OP Code)
  • Increasing the penalties and strengthening the enforcement powers available to the OAIC under the Privacy Act.

OP Code

The introduction of an Online Privacy Code was a recommended outcome of the Government’s recent Digital Platforms inquiry, and the intention is it will:

  • apply to “social media, data brokerage services and other large online platforms” with at least 2.5 million users
  • be industry led.
  • be developed and registered within 12 months of the legislation coming into effect.
  • apply to those organisations that it covers in addition to the provisions of the Privacy Act.

The draft legislation sets out a range of matters that the Code is expected to cover. For example, it requires the OP Code to provide for matters including:

  • the types of notices that organisations will need to provide to users when collecting personal information
  • reasonable steps that organisations will need to take to not disclose personal information if that is what a consumer has requested
  • new strengthened protections for children and vulnerable people such as rules around how to obtain consent from these groups.

Enforcement and Penalty provisions

The legislation also contains a range of increased penalties and OAIC powers to enforce the Code, including:

  • an increased maximum penalty for serious or repeated breaches of privacy
  • introduction of a new infringement notice provision for failing to give information as part of an investigation (with associated civil penalty provisions attached)
  • creation of new criminal penalty provisions for multiple instances of non-compliance with the Act.

Process from here

Comments from stakeholders on the exposure draft legislation are due on 6 December while comments on broader Privacy Act reforms are due on 10 January 2022.

There will be several steps to go from here before these reforms come into law. The more immediate reforms in the draft exposure legislation will first need to go through the government consultation process, then be introduced into and passed by the Parliament, before the process for developing and implementing a Code can begin and before the new enforcement and penalty provisions commence. The longer-term reforms are even further off.

However, overall, if introduced, these amendments will have wide-ranging implications for all media and tech organisations and will require businesses to review their practices to ensure compliance. The IAB will go through the proposed reforms in more detail and provide further updates on the implications of both reform processes in future newsletters. 

 
