Australian privacy overhaul on the horizon

Comprehensive Update

On 25 October 2021, the Attorney-General released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) (setting out some interim reforms). Immediate changes include broadening the scope of the Privacy Act to cover further practices of overseas entities operating in Australia, an online privacy code for social media and platforms and certain others, together with penalties of up to potentially AU$10,000,000 or more for some companies. The exposure draft of the Bill was released in tandem with an extensive discussion paper published as part of a broader review of the Privacy Act, which seeks submissions on further reform proposals by 10 January 2022.

Both the exposure draft Online Privacy Bill and the Discussion Paper can be viewed at the following link: https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/

Online Privacy Bill reforms

The Online Privacy Bill addresses 4 broad categories of reform:

• the OP code;
• enforcement of the Privacy Act;
• OAIC information-sharing powers; and
• amendments to the extra-territorial provisions.

Each of these categories is described in further detail below.

OP Code

Development of an OP Code is a key reform sought to be implemented by the Online Privacy Bill. As with the APP and CR Codes able to be developed under the Privacy Act, the OP Code is to be developed by the relevant industry, although the OAIC will have the discretion to develop the OP code itself in certain circumstances, for example where no suitable OP Code developer could be found. After the Online Privacy Bill receives royal assent, the OP Code will need to be developed and registered within 12 months.

The OP code is set to apply to the following categories of private sector organisation (OP organisations):

1. Organisations that provide social media services;
2. Organisations that provide data brokerage services; and
3. Large online platforms (being those organisations not falling within the above 2 categories that collect personal information about an individual in the course of or in connection with providing access to information, goods or services by use of an electronic service and that have had over 2,500,000 end-users in Australia in the past year). This does not include customer loyalty schemes, which are being separately considered as part of the broader Privacy Act review.

OP organisations will need to meet the requirements of the OP code, as well as the ordinary provisions of the Privacy Act. The OP code requirements are set to include the following:

• entities must ensure that their privacy policy clearly and simply explains the purposes for which they collect, hold, use and disclose personal information;
• all notices provided, including those issued in accordance with APP 5, must be clear and understandable, current, and provided in a timely manner;
• organisations must ensure that, when they seek consent from individuals, the consent is voluntary, informed, unambiguous, specific and current. In respect of sensitive information, organisations will also need to seek renewed consent periodically or when circumstances change;
• organisations must take reasonable steps to not use or disclose, or to not further use or disclose, an individual’s personal information upon request from that individual; and
• elevated protections will apply for children and vulnerable groups. For example social media organisations will be required to take all reasonable steps to verify the age of individuals who use the service, to only collect, use and disclosure of personal information is fair and reasonable and must obtain parental or guardian consents for those under the age of 16.

The OP code may also provide for the following:

• how one or more of the APPs are to be applied or complied with by the OP organisations;
• additional (but not contrary or inconsistent) requirements to the APPs;
• mechanisms to deal with the internal handling of complaints; and/or
• the reporting of complaints or number of end-users in Australia to the OAIC.

The OAIC will have the power to investigate potential breaches of the OP code, either following a complaint or on its own initiative. If the OAIC finds that a breach has occurred, its full range of enforcement powers, including those set out below, will be available to it.

Privacy Act Enforcement

Section 13G of the Privacy Act prohibits entities from committing serious or repeated interferences with the privacy of an individual. The Online Privacy Bill seeks to increase the penalty applicable for a contravention of this section by a body corporate from AU$2.22 million to the greater of the following:

a) AU$10,000,000;
b) (if able to be determined) 3 times the value of the benefit that the body corporate (and, if applicable its related body corporate) obtained from the conduct constituting the contravention; or
c) if the court cannot determine the value of that benefit derived from the conduct, 10% of the body annual corporate’s turnover from the year before the conduct commenced.

In addition to increasing the applicable maximum penalty for interferences with privacy, the Online Privacy Bill also seeks to strengthen the OAIC’s enforcement powers as follows:

• introducing a new infringement notice provision for failing to give information or providing a document or record when required to do so as part of an investigation (with associated additional civil penalty provisions);
• creating a new criminal penalty for multiple instances of non-compliance with the above requirements;
• expanding the types of declarations the OAIC can make in a determination following an investigation; and
• enhancing the OAIC’s capacity to conduct assessments.

OAIC information-sharing powers

The Online Privacy Bill also seeks to provide the OAIC with the ability to share information or documents it acquires in the course of exercising its powers with law enforcement bodies, alternative complaint bodies (defined to include: the Australian Human Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the Australian Public Service Commissioner, the Inspector General of Intelligence and Security, the eSafety Commissioner or another recognised external dispute resolution scheme) and State, Territory or foreign privacy regulators. However this is only permitted where the OAIC is satisfied that the receiving authority has satisfactory arrangements in place for maintaining the security of the information or documents provided. This may be particularly significant for organisations who are subject to data breaches or other privacy-related incidents in multiple jurisdictions.

The OAIC will also be permitted to disclose such information or documents (including, in certain circumstances, those obtained through use of the notifiable data breach scheme) where it is satisfied that it is in the public interest to do so.

Extra-territorial provisions

Currently the extra-territorial application of the Privacy Act only extends to organisations not incorporated in Australia that carry on business in Australia where “the personal information was collected or held by the organisation ... in Australia or an external Territory, either before or at the time of the act or practice”.

The Online Privacy Bill seeks to remove the condition that the relevant personal information be held or collected from sources inside of Australia. This will have the effect of requiring foreign organisations who carry on a business in Australia to meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia.

Discussion Paper

The discussion paper released by the Attorney-General sets out a wider tranche of ideas and proposals, ahead of the release of the Privacy Review’s Final Report to be considered by government. This includes:

• broadening the definition of personal information, for example to include technical information and inferred information;
• removal/modification of the employee records exemption;
• modification of the journalism exception, for example by introducing a public interest requirement into the journalism exemption;
• amendment of the matters required to be included as part of an organisation’s privacy policy (in respect of direct marketing);
• amendment of the matters required to be notified as part of a collection notice issued under APP 5.2;
• additional requirements for information handling, notices and consent in respect of the personal information of children;
• an additional requirement in respect of collection, use and disclosure of personal information, namely that it be fair and reasonable in the circumstances;
• an additional requirement that risk-mitigation steps be taken in respect of particular privacy risks in respect of direct marketing;
• new requirements for pro-privacy default settings on websites, for example requiring opt-in as opposed to opt-out;
• changed rules for cross-border flows of data;
• introduction of penalties for re-identification of de-identified information released by Commonwealth agencies;
• replacement of the ‘de-identification’ requirements with the higher standard of anonymisation;
• additional requirements for mandatory notification following a eligible data breach occurring; and
• increased individual rights, such as a right of erasure, a direct right of action, and a tort of privacy.

The Attorney-General’s department is accepting submissions on the above until 10 January 2022.

Other ongoing reviews

Separately, the federal Australian government is currently conducting reviews into:

• regulation of adtech practices;
• cybersecurity regulation, for example by way of minimum standards;
• online harm and digital platforms generally; and
• security incidents affecting critical infrastructure (which will be broadened to include sectors such as the communications and data storage or processing sectors).

Look out for further detailed analysis of these important proposed reforms from our Australian privacy team over the coming months.