In Australia, extensive privacy reforms have now been canvassed in more detail than previously, and a Bill proposing a privacy code for certain online businesses has been released. If implemented, these changes will fundamentally alter the reach, enforcement risk and effect of Australian privacy laws. Entities that carry on business in Australia should consider the proposed changes carefully so that any unacceptable practical implications can be raised before the laws are finalised and implemented. Submissions will be accepted until 10 January 2022.
On 25 October 2021, the Attorney-General released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill), which sets out a set of interim reforms. The immediate changes include broadening the scope of the Privacy Act to cover further practices of overseas entities operating in Australia, an online privacy code for social media platforms and certain other organisations, and penalties for bodies corporate of AU$10,000,000 or more. The exposure draft was released in tandem with an extensive discussion paper published as part of a broader review of the Privacy Act, which seeks submissions on further reform proposals by 10 January 2022.
Both the exposure draft Online Privacy Bill and the Discussion Paper can be viewed at the following link: https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/
The Online Privacy Bill addresses four broad categories of reform:
Each of these categories is described in further detail below.
Development of an online privacy code (OP Code) is a key reform the Online Privacy Bill seeks to implement. As with the APP and CR Codes that can be developed under the Privacy Act, the OP Code is to be developed by the relevant industry, although the OAIC will have the discretion to develop the OP Code itself in certain circumstances, for example where no suitable OP Code developer can be found. After the Online Privacy Bill receives royal assent, the OP Code will need to be developed and registered within 12 months.
The OP Code is set to apply to the following categories of private sector organisation (OP organisations):
OP organisations will need to meet the requirements of the OP Code, as well as the ordinary provisions of the Privacy Act. The OP Code requirements are set to include the following:
The OP Code may also provide for the following:
The OAIC will have the power to investigate potential breaches of the OP Code, either following a complaint or on its own initiative. If the OAIC finds that a breach has occurred, its full range of enforcement powers, including those set out below, will be available to it.
Section 13G of the Privacy Act prohibits entities from committing serious or repeated interferences with the privacy of an individual. The Online Privacy Bill seeks to increase the penalty applicable for a contravention of this section by a body corporate from AU$2.22 million to the greater of the following:
a) AU$10,000,000;
b) if the court can determine it, 3 times the value of the benefit that the body corporate (and, if applicable, its related bodies corporate) obtained from the conduct constituting the contravention; or
c) if the court cannot determine the value of the benefit derived from the conduct, 10% of the body corporate's annual turnover for the year before the conduct commenced.
In addition to increasing the applicable maximum penalty for interferences with privacy, the Online Privacy Bill also seeks to strengthen the OAIC’s enforcement powers as follows:
The Online Privacy Bill also seeks to give the OAIC the ability to share information or documents it acquires in the course of exercising its powers with law enforcement bodies, alternative complaint bodies (defined to include the Australian Human Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the Australian Public Service Commissioner, the Inspector-General of Intelligence and Security, the eSafety Commissioner or another recognised external dispute resolution scheme) and State, Territory or foreign privacy regulators. Sharing is only permitted where the OAIC is satisfied that the receiving authority has satisfactory arrangements in place for maintaining the security of the information or documents provided. This may be particularly significant for organisations that suffer data breaches or other privacy-related incidents spanning multiple jurisdictions, since material provided to the OAIC in one investigation may reach regulators elsewhere.
The OAIC will also be permitted to disclose such information or documents (including, in certain circumstances, those obtained through use of the notifiable data breach scheme) where it is satisfied that it is in the public interest to do so.
Currently, the extra-territorial application of the Privacy Act extends to organisations not incorporated in Australia that carry on business in Australia only where "the personal information was collected or held by the organisation ... in Australia or an external Territory, either before or at the time of the act or practice".
The Online Privacy Bill seeks to remove the condition that the relevant personal information be collected or held inside Australia. The effect is that foreign organisations that carry on business in Australia will have to meet their obligations under the Privacy Act even if they do not collect or hold Australians' information from a source in Australia.
The discussion paper released by the Attorney-General sets out a wider tranche of ideas and proposals ahead of the release of the Privacy Review's Final Report, which will then be considered by government. These include:
The Attorney-General’s department is accepting submissions on the above until 10 January 2022.
Separately, the Australian federal government is currently conducting reviews into:
Look out for further detailed analysis of these important proposed reforms from our Australian privacy team over the coming months.