On 29 November 2024, the Australian Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Privacy Act Bill).  This follows the passage of the Cyber Security Act 2024 (Cth), and other cyber-security related amendments, on 25 November 2024.  

The majority of the amendments to the Privacy Act 1988 (Cth) will commence the day after the Privacy Act Bill receives Royal Assent, with a few exceptions.

The Privacy Act Bill contains key amendments to the Privacy Act including:

  • A statutory tort for serious invasions of privacy – this will only apply (amongst other criteria) where the conduct in question was intentional or reckless, and this section of the Bill will take effect no later than six months after the Act receives Royal Assent.
  • The framework for a Children’s Online Privacy Code – this will be developed by the Information Commissioner and will apply to social media platforms and any online services likely to be accessed by children.
  • Tiered sanctions for less serious privacy breaches – this includes civil penalties of up to AUD 3.3 million for an “interference with privacy” and lower level fines of up to AUD 330,000 for administrative breaches, such as deficient privacy policies.  The headline penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover, remain for conduct which amounts to a “serious interference with privacy”.
  • Requirements to include details of the use of automated decision making in privacy policies, where personal information is used in wholly or substantially automated decision making that could reasonably be expected to significantly affect the rights or interests of an individual.  This requirement will not take effect for 24 months, however.
  • The introduction of a criminal offence for doxxing.
  • Eligible data breach declarations and information sharing – these are designed to allow limited information sharing following a data breach, in circumstances which would otherwise be in breach of the Privacy Act (such as disclosing information to banks and other institutions for the purpose of enhanced monitoring).
  • Clarifications to APP 11 to ensure it is clear that the reasonable steps which entities must take to protect personal information include “technical and organisational measures”.
  • The introduction of equivalency decisions under APP 8 to facilitate cross-border transfers of data.

Our previous post, available here, provides further insights regarding these changes.

Whilst the Privacy Act Bill implements some of the recommendations from the Privacy Act Review Report, subsequent tranches of amendments are expected in the next 12-18 months to implement the remaining recommendations.

The Cyber Security Act 2024 (Cth), which received Royal Assent on 29 November 2024, introduces:

  • A mandatory ransomware reporting requirement – reports must be made to the Department of Home Affairs if a ransomware payment is paid to an extorting entity. This requirement will be implemented after a 6 month implementation period, and is drafted so as to also capture ransomware payments made on behalf of an entity doing business in Australia.
  • A Cyber Review Board which will conduct no-fault, post incident reviews of significant cyber security incidents in Australia.
  • A limited use exception – this prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.
  • Mandatory security standards for smart devices.

Our previous post, available here, includes further details on the cyber security legislative package.

“Ethically challenging” and “the most intrusive option” – these are some of the words Australia’s Privacy Commissioner used to describe facial recognition technology (FRT), and its use by national hardware retailer Bunnings.

The Office of the Australian Information Commissioner (OAIC) has released the findings of its much-awaited investigation into the use of FRT in at least 62 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021. FRT was used to, as Bunnings submitted, monitor and identify individuals known by the retailer to engage in antisocial behaviour in its stores.

The investigation was sparked by consumer advocate group Choice, which flagged concerns about the use of FRT by Bunnings and other retailers in 2022. Facial recognition technology collects biometric information about an individual. Biometric information is sensitive information, which is entitled to specific protections under Australia’s overarching privacy law, the Privacy Act 1988 (Cth) (Privacy Act). Choice took the view that sensitive personal information was being collected via in-store FRT without sufficient notice to customers, and that the collection was “disproportionate” to legitimate business functions.

The OAIC’s investigation has affirmed these concerns.

Key Findings

Bunnings breached the Australian Privacy Principles (APPs) in the Privacy Act by unlawfully interfering with the privacy of individuals whose personal and sensitive information it collected through the FRT system.

  • Lack of Consent: Sensitive information was collected without consent, breaching APP 3.3, which prohibits such collection unless specific consent is given (or an exception applies, which it did not in this case).
  • Failure to Notify: Bunnings did not adequately inform individuals about the collection of their personal information. This was a breach of APP 5.1, which requires entities to notify individuals about certain matters regarding their personal information as it is collected.
  • Inadequate Practices and Policies: Bunnings failed to implement proper practices, policies, and procedures to ensure compliance with the APPs, breaching APP 1.2.
  • Incomplete Privacy Policies: Bunnings’ privacy policies did not include information about the kinds of personal information it collected and held, and how, breaching APP 1.3.

The OAIC has emphasised that entities using FRT must be transparent, and ensure individuals can provide informed consent.

Along with the outcome of the investigation, the regulator has also issued specific guidance on the use of FRT, stating, “the use of facial recognition technology interferes with the privacy of anyone who comes into contact with it,” and that convenience is not a sufficient justification for its use. Businesses must consider five key principles when looking to employ FRT: 1) privacy by design; 2) necessity and proportionality; 3) consent and transparency; 4) accuracy and bias; and 5) governance and ongoing assurance.

What’s Next for Bunnings?

Bunnings had already paused its use of FRT. As a result of its investigation, the OAIC has made declarations that Bunnings:

  • Not repeat or continue the acts and practices that led to the interference with individuals’ privacy.
  • Publish a statement about the conduct.
  • Destroy all personal information and sensitive information collected via the FRT system that it still holds (after one year).

This decision aligns with the continued emphasis on privacy rights in Australia. As we await further legislative updates to the Privacy Act in the new year, businesses operating in Australia will need to apply greater scrutiny to the security and privacy practices adopted in respect of consumers.

It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

          The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

          A report will need to be made to the Department of Home Affairs within 72 hours if the following criteria are met:

          • a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
          • an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
          • the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.

          Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount.

          A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

          Cyber Review Board

              Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.

              Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses. 

              The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

              Limited Use Exception

              A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

              The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

              Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.

              The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD by an impacted entity during a cyber security incident, as well as information which is provided on behalf of the impacted entity (such as by its external advisors).

              Mandatory security standards for smart devices

              The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

              Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

              The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

              Security of Critical Infrastructure

              The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

              The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia. 

              The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

              Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

              We will provide further updates once these Bills are passed. 

              The Australian Government has today published a draft Bill outlining the next steps in Australia’s Privacy Act Review process. 

              The changes to be implemented by the Privacy and Other Legislation Amendment Bill 2024 include the introduction of:

              • A statutory tort for serious invasions of privacy, which has previously been referred to as filling an “increasingly conspicuous gap” in Australian law regarding the rights and remedies available to individuals following a breach of their privacy.  The cause of action will be based on a misuse of information in circumstances where the individual has a reasonable expectation of privacy, the invasion of privacy was serious and the invasion of privacy was intentional or reckless.  Claimants won’t need to prove that losses arose from the invasion of privacy, but will need to demonstrate that the public interest in protecting their privacy outweighs any competing public interest raised by the defendant.  The remedies will include recovery of non-economic losses, however damages will be capped at AUD 478,550.  This is a significant development that will materially change the risk profile for entities processing personal information in Australia.  In the last few years we’ve seen a rapid rise in the number of class actions following data breaches and other privacy incidents, and the introduction of a statutory tort will add further fuel to the fire;
              • An online Children’s Online Privacy Code, to be developed by the Information Commissioner, which will apply to social media and other internet services which are likely to be accessed by children;
              • Tiered sanctions for less serious privacy breaches.  The power to seek civil penalties of up to the greater of AUD 50 million, three times the benefit of a contravention, or 30% of annual turnover for serious interferences with the privacy of individuals will not be impacted.  However, a lower civil penalty of up to AUD 3.3 million (using current penalty units) will apply for non-serious interferences with privacy, and infringement notices and penalties of up to AUD 330,000 may be issued for certain more technical breaches, including deficient privacy policies;
              • A requirement to include details of the use of personal information for “automated decision making” in privacy policies, with “automated decision making” including decisions which are wholly or substantially automated;
              • Eligible data breach declarations, to allow the sharing of personal information following notifiable data breaches for the purpose of preventing or reducing the risk of harm to individuals.  This would allow, for example, details of individuals impacted by an eligible data breach to be shared with banks so that the necessary protective measures could be applied to their accounts;
              • A mechanism to allow for declarations of equivalency to be issued, for the purpose of overseas transfers of personal information.  Currently, the law recognises that personal information can be shared with recipients which are subject to an equivalent law or binding scheme, however no formal declarations of equivalency have been made by the regulator to date; and 
              • A criminal offence of doxxing, which will sit under the Criminal Code 1995 rather than privacy law. 

              The Bill follows the Privacy Act Review Report issued by the Attorney-General’s Department in February 2023, which identified 89 proposals directed at legislative change.  In its response in September 2023, the Australian Government accepted the majority of these recommendations.  However, its response differentiated between changes which could be accepted with minimal consultation, and those areas where more extensive engagement was required.

              This Bill introduces 23 out of 25 of these expected changes, with the Attorney-General stating that “It begins the much-needed work of updating our privacy laws to be fit-for-purpose for the digital age… It implements a first tranche of agreed recommendations of the Privacy Act Review, ahead of consultation on a second tranche of reforms”.  The Government has committed to developing the next tranche of reforms for targeted consultation over “the coming months”, to ensure “genuine privacy reform in Australia”.

              Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.

              Scam Code Act

              In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will be introducing a new Scam Code Act.

              This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:

              • platforms to verify their advertisers;
              • banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
              • carriers to take certain measures to prevent scams being spread by SMS;
              • companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
              • all companies to maintain a “scams defence plan” to assist customers.

              It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.  

              Other cyber security measures  

              As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to combat existing gaps in regulation, consultation was sought on the following proposed measures:

              • mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
              • creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;
              • creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
              • establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

              The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.

              On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (ACMA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.

              The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising businesses with over AUD 15 million in spam and telemarketing fines over the past 18 months.

              Under the Spam Act 2003 (Cth), businesses must obtain consent from customers (including business customers) before sending any direct marketing communications via email, SMS or other electronic means. Consent can be express or inferred, but should only be inferred where there is an existing commercial relationship between the sender and the customer which relates to the subject matter of the marketing communication.  

              ACMA recommends using express consent as it represents a clear and unambiguous decision by a customer to receive direct marketing. Customers can give express consent by filling in a form, ticking a box on a website, over the phone, or face to face.

              Records of consent should be maintained and include details such as the method by which consent was obtained, the terms applied to the consent and the date/time of collection. Outsourced providers of marketing services should maintain appropriate consent records on behalf of their customers, and businesses remain responsible for meeting their consent obligations regardless of whether they outsource e-marketing or consent gathering to third parties. 

              Based on the ACMA’s expectations regarding the spam laws, best practice includes the following:

              • Obtain express consent based on clear terms and conditions which are accessible to the customer at the time of seeking consent. Avoid embedding the references to consent in fine print or long privacy policies.
              • Consent terms and conditions should clearly explain what the consent is for, who it is being provided to, for how long, and how a customer may withdraw their consent.
              • Make sure that only current consents are relied upon – consent should be refreshed regularly.
              • Consider a double opt-in approach to obtaining consent. For example, ask customers via email to confirm their consent by clicking on the link provided (which also helps to identify genuine email addresses).
              • Do not use pre-ticked boxes.
              • If seeking to rely on inferred consent, carefully evaluate whether there is a clear, current or ongoing relationship with the customer, and that the goods or services being marketed are directly related to that relationship. Consent should not be inferred from a one-off purchase by a customer (even where they have provided a phone number or email to receive a receipt).
              • Ensure all electronic messages contain easy to use and functional unsubscribe facilities. Avoid asking customers to log in to accounts or charging customers a fee to unsubscribe.
              • Ensure that customers are given the option to unsubscribe from all marketing messages (and not only certain types of messages).
              • Action unsubscribe requests as quickly as possible, and in any case within 5 business days.
              • Do not continue sending marketing messages after an unsubscribe request has been received, or re-contact consumers encouraging them to resubscribe.

              Please reach out to us if you require any further guidance about your obligations under the Spam Act 2003 (Cth).

              The next steps in Australia’s long-bubbling reform of the privacy regime have been announced, with draft legislation expected to be tabled by August 2024. The reform is being presented as part of the Federal Government’s efforts to improve online safety, particularly for women, but it’s not clear how broad its remit will be at this stage.

              Of the 116 recommendations for reform made by the Attorney-General’s Department in 2023, 38 were accepted in full by the Federal Government, and a further 68 accepted in principle, where more extensive consultation is required.

              We are expecting all 38 of the “accepted in full” changes to be implemented in the August bill, which include:

              • changes to the civil penalty regime, to introduce low, medium and high tiers, based on the severity of the breach, to allow for more targeted enforcement;
              • a requirement for privacy policies to include details of any personal information used in substantially automated decisions with legal or other significant effects;
              • a right for individuals to request meaningful information about how substantially automated decisions with legal or other significant effects are made; and
              • a Children’s Online Privacy Code, for online services likely to be accessed by individuals under the age of 18.

              We don’t know at this stage how many of the “agree in-principle” reforms will be tabled in August, however in its messaging regarding the issue of online safety and the link with privacy reform the Federal Government has highlighted:

              • the introduction of a statutory tort for serious invasions of privacy; and
              • expanding data subject rights beyond access and correction, to include a right of erasure, and a right to de-index certain online search results.

              One issue which has been repeatedly highlighted is the need to offer protection against doxxing (i.e. the release of personal information with an intent to cause harm), as well as the wish to offer women suffering domestic and family violence “greater control and transparency over their personal information.”

              Australia’s Attorney-General recently confirmed his views that the current regime is “woefully outdated and unfit for the digital age,” with “speed of innovation and the rise of artificial intelligence” underlining the need for reform.

              We’ll provide further updates once more information about the August bill is available.

              We (finally) have more clarity as to the next steps in the long-awaited reform of the Australian Privacy Act.

              As we noted back in February this year (see here), the Attorney-General’s Department recommended a number of changes to Australia’s core privacy regime, which saw its last major overhaul in 2014.

              The Australian Government has now formally responded to the report, flagging its intention to adopt the vast majority of the 116 recommendations in the Attorney-General’s Department’s report.

              The changes are expected in two phases.

              First up will be the 38 changes accepted in full, where drafting will commence immediately, followed by only “targeted” consultation. This includes:

              • Adjustments to the civil penalty regime (which was last updated in December 2022 – see here), with a mid-tier penalty for breaches lacking a serious element, and a low-level civil penalty for administrative breaches;
              • Greater transparency around automated decision making, including a new content requirement for privacy policies and a right for individuals to request “meaningful information” as to how automated decisions with legal / significant effects are made;
              • Enhancements to OAIC guidance, particularly in respect of information security and retention; and
              • Introduction of a Children’s Online Privacy Code.

              Whilst Australian businesses should start preparing, the compliance burden for these changes will be relatively light for most organisations.

              Next up will come those changes which the Government has accepted in principle, subject to further consultation and impact analyses given the likely complexity.  Included in this batch are:

              • Introduction of direct rights of action under the Privacy Act, as well as a statutory tort of privacy (which could have huge ramifications for anyone doing business in Australia);
              • An expansion of data subject rights, including the right to object to collection, use or disclosure, a right of erasure, a right to withdraw consent (which isn’t expressly enshrined as a data subject right at present) and, interestingly, a right to request the de-indexation of certain online search results containing personal information;
              • Removal of the small business exemption (which currently excludes organisations with a turnover of less than AUD 3 million from compliance with the Act);
              • Enhancing protections for employee records (which are currently excluded from the Act entirely), including bringing HR data within the scope of the notifiable data breach regime; and
              • The introduction of standard contractual clauses for overseas data transfers.

              No announcements have been made as yet as to when we can expect to see the next steps in the review actioned.

              Author: Sarah Birkett

              Cyber Security Strategy discussion paper launched

              This week saw the launch of a discussion paper for the Australian Government’s 2023-2030 Australian Cyber Security Strategy. The discussion paper refers to the lofty aim of making Australia the most cyber secure nation by 2030.

              The discussion paper, which acknowledges that the Australian Government was “ill-equipped” to respond to the large scale data breaches which occurred in 2022 (namely Medibank and Optus), emphasises the importance of protecting customer data and ensuring that Australians can continue to access critical services in the event of a cyber-attack.

              One of the core policy areas that will be addressed in the Strategy is the “enhancement and harmonisation of regulatory frameworks”.  Several options are being considered to give effect to this, including:

              • Development of best practice cyber security standards;
              • New laws, such as a Cyber Security Act, to provide a more explicit specification of cyber security obligations;
              • Expansion of the existing Security of Critical Infrastructure Act to include customer data and systems within the definition of critical assets. This proposal is particularly controversial given the power for the Australian Signals Directorate to “step-in” and control critical assets as a measure of last resort under that Act; and
              • A single reporting portal for all cyber incidents, to harmonise the existing requirements to report separately to multiple regulators.

              Additional policy areas identified for further consideration in the discussion paper include:

              • Developing national frameworks to respond to major incidents, including the development of fit-for-purpose approaches to incident management and coordination and ensuring that post-incident reviews of major incidents are conducted and root cause findings shared.
              • Designing and sustaining security in new technologies, such as quantum computing, IoT and AI, each of which have the potential to significantly impact, and be impacted by, cyber security issues.
              • Supporting Australia’s cyber security workforce and skills pipeline.

              The Strategy is expected to be finalised by the end of 2023.  An Expert Advisory Board has been established to assist with development of the Strategy, and is inviting consultations on the areas outlined in the discussion paper until 15 April 2023.

              Establishment of Cyber Security Coordinator to assist with coordinated responses to cyber attacks

              Since the release of the discussion paper, the Federal Government has announced its intent to establish a national Coordinator for Cyber Security.

              The Coordinator will form part of a broader National Office for Cyber Security and will be responsible for ensuring a “centrally coordinated approach” to cyber security, including coordination of major incidents.

              Latest data breach statistics show that data breaches are on the rise

              The launch of the cyber security discussion paper coincides with the publication of the Office of the Australian Information Commissioner’s latest statistics on the notifiable data breach regime.

              These statistics confirm the commonly held view that data breaches are on the rise in Australia.

              The 6 month period from July – December 2022 saw a 26% increase in the number of data breaches reported against the previous 6 month period.  For breaches caused by criminal or malicious attacks, the increase was 46% for the same period.  Health care and financial services remain the two highest reporting sectors.

              Significantly, there were five breaches which impacted more than 1 million Australians – with one impacting more than 10 million. Whilst the high-profile incidents affecting Optus and Medibank account for two of these incidents, these statistics highlight that several major data breaches have gone unreported in Australia.

              Authors: Sarah Birkett, Nicholas Boyle

              The Australian Attorney-General has published the (long-awaited) results of the Privacy Act review.

              The report recommends a number of changes to the Australian privacy framework, including various changes to Australia’s core privacy legislation, the Privacy Act 1988 (Cth).

              The report does not represent official Government policy and there is no guarantee that the proposed changes will eventually make their way into law.  However, Australian businesses should start preparing for these changes, particularly given the level of bipartisan support for privacy reform following several large-scale data breaches in 2022.

              What changes are proposed?

              Broadly the structure of the Privacy Act will remain unchanged, despite the number of recommended changes identified.  Notably, the Australian Privacy Principles will not be supplemented with more precise rules governing data processing activities.

              Some of the proposals can be viewed as clarifications rather than substantive changes, including calls for expanded guidance notes from Australia’s privacy regulator, the Office of the Australian Information Commissioner.

              However, there are a number of recommendations which, if implemented, will materially change the way in which Australian organisations approach privacy compliance.  For example:

              • A significant expansion of data subject rights, with many concepts borrowed from other regimes such as the GDPR, including the right of erasure, right to withdraw consent, right to object to the collection, use or disclosure of personal information and the right to de-index online search results containing certain categories of personal information.
              • Introduction of a direct right of action for individuals, for a serious interference with privacy, plus a statutory tort of privacy.
              • More structured processes around direct marketing, tracking and trading in personal information, including an unqualified right to opt-out of receiving targeted advertising.
              • A partial removal of the exemption for employee records, with limited obligations applying to HR data such as the requirement to keep data secure and notify staff of relevant data breaches.
              • Greater transparency around privacy policies and collection notices, with additional data points to be included and calls for development of standardised templates and layouts on a sector-by-sector basis, to make it easier for data subjects to understand and compare policies.
              • Updating the basis on which offshore transfers can be made, including where Standard Contractual Clauses are used, where informed consent has been obtained or where an adequacy decision is in place.
              • Removal of the exemption for small businesses (i.e. with an annual turnover of AUD 3 million or less), which will materially increase the number of organisations required to comply with the Privacy Act, although this has been flagged as requiring further consultation.
              • For organisations which process the personal information of minors, a suite of changes including development of a Children’s Online Privacy Code and a prohibition on direct marketing to children unless certain conditions are met.

              What are the next steps?

              It’s yet to be seen how the Australian Government will respond to the review, and whether it will accept the recommendations made.

              The report itself notes that some proposals have not had the benefit of stakeholder feedback and will require further consultation prior to implementation.  Therefore it’s likely to be some time before the changes can be adopted in full (if indeed they are adopted at all).

              In the interim, there are changes which Australian businesses can make to their processes now, to reduce the impact if and when these recommendations are adopted.

              For further information, please contact Sarah Birkett or Nick Boyle.