Mark Taylor
Senior Editorial Manager
Australia is preparing the most radical overhaul of its data privacy laws for over a decade.
Businesses of all sizes have been advised to begin preparing for updates to the Privacy Act, following a response to a four-year consultation by the federal government indicating support for change.
Of 116 proposals floated in the Response to the Privacy Act Review report, the government agreed with 38, agreed “in-principle” with 68 and “noted” 10. Further consultations are expected, with the initial tranche of updates to come in 2024.
The “agreed in principle” changes are subject to further engagement with the organisations and sectors most likely to be impacted, and a “comprehensive impact analysis” before any final decision is made ahead of implementation.
“Business will need to continue waiting for clarity on these long-anticipated reforms,” said David Rountree, technology partner at Allens Linklaters law firm in Brisbane.
“However, organisations can take some steps now to get ahead of the implementation requirements and likely changes, for what is set to be the most significant overhaul of Australian privacy laws since 2014.”
Senior managers including compliance personnel will be impacted, as the government accepted proposals related to organisational accountability. This means increased responsibility for senior management in matters of privacy and the mandatory implementation of privacy impact assessments for high-risk activities.
What did the government agree to implement without qualification?
Concerning the security and destruction of personal information, extra steps must be taken by businesses, which will be laid out in technical and organisational measures.
The Office of the Australian Information Commissioner (OAIC) is providing additional guidance as to what this constitutes, drawing on advice from the Australian Cyber Security Centre.
Regarding automated decision making, privacy policies must outline the types of personal information used in substantially automated decisions that have a significant effect on individuals’ rights.
A Children’s Online Privacy Code will be introduced, which will apply to online services likely to be accessed by anyone under the age of 18.
Experts believe the government will impose additional obligations relating to the collection of personal information, “which were some of the more controversial and topical proposals” according to James North, head of technology at Corrs.
These include introducing a “positive standard of fairness and reasonableness” to all collection of personal information and require that Privacy Impact Assessments be undertaken for high-risk activities like facial recognition, North said.
“These proposals are designed to address the emergence of practices that may pose significant privacy risks or otherwise be considered to be unfair, like screen-scraping,” he said.
How will enforcement of data privacy breaches change?
An array of new rights for individuals is predicted in respect to the collection and handling of their personal information. This includes rights of explanation, correction and erasure, as well as potential claims where personal information is mishandled, including a direct right of action for privacy-related damages as well as a statutory tort for serious invasions of privacy.
“Such a direct right of action is likely to significantly increase the volume of privacy-related litigation, as under the current regime only the Office of the Australian Information Commissioner (OAIC), may bring such action,” said North.
The regulator will gain significant new powers, having been reticent to use its enforcement capabilities in the past, compared to other more aggressive watchdogs, like the Australian Competition and Consumer Commission (ACCC).
A tiered infringement scheme has been agreed, which would see the introduction of low-tier and mid-tier civil penalty provisions.
“In general, the changes herald a more prolific and uniform enforcement approach taken by an empowered OAIC, and a larger regulatory ‘attack surface’ for companies processing personal information of Australians,” North said.
A new middle-tier civil penalty provision will be introduced for interferences with privacy that do not hold the “serious” element, along with new low-level civil penalty provisions for administrative breaches.
Australia’s judiciary will also have expanded powers to make orders on top of civil penalties if they see fit.
Australia’s Information Commissioner will be granted new powers to investigate of civil penalty provisions and to undertake public inquiries and reviews on approval or direction by the Attorney-General.
How can businesses respond to the Privacy Act proposals?
The Government has said it intends to introduce legislation in 2024. The Attorney-General’s Department will draft legislative proposals and consult further with relevant entities on the “agreed” proposals.
Businesses not fully compliant with the current privacy law “will face an uphill battle to comply within the transition period” said Alec Christie, tech law expert and partner at Clyde & Co.
He said that he expects a short turnaround time for many of the “agreed” proposals.
“Also, any privacy or cyber security related work being undertaken from now on must consider and build into any recommendations, controls, proposed approaches, policies or procedures the ‘agreed’ proposed changes and the core ‘agreed in principle’ changes that are likely to be implemented,” he said.
This will help future-proof whatever privacy or cyber security upgrades are being carried out and “reduce the risk of having to retro-fit significant privacy or cyber changes” when the proposed changes are legislated in 2024 and 2025, he added.
“Australian companies may wish to consider the steps that will need to be taken to comply with a more expansive Privacy Act and respond to newly empowered individuals and regulators,” said North.
This may include implementing privacy by design principles into their organisation’s operational processes and investing in the data governance frameworks and technology required to ensure compliance, he said.
CUBE comment
Australia has fired the starting gun on major reforms to its data privacy laws that will bring the country in line with international standards such as the EU’s General Data Protection Regulation (GDPR).
As such, businesses would do well to get ahead of the changes and begin planning implementation now.
Compliance officers should also take note of the introduction of an accountability regime for key staff and how it will impact on their work, and how automated audit solutions may reduce risks.
CUBE’s data privacy compliance solution offers a way for firms to stay ahead of their compliance obligations in a challenging data privacy landscape. Built with powerful artificial intelligence, we tailor our data privacy solutions to the needs of businesses, delivering automated speed, accuracy, efficiency, horizon scanning, and day-to-day regulatory assurance.
To learn more about CUBE’s data privacy solution and regulatory technology platform, get in touch today.