Australia’s Attorney General has announced a review of the Australian Privacy Act.
The review has come about as a consequence of the Government’s response to the ACCC’s Digital Platforms Inquiry, in which the Treasurer agreed to a comprehensive review of the Act.
Cross-border flow of information is an increasingly important component of international trade and digital service models. By some estimates, cross-border data flows contribute $2.8 trillion (USD) to global economic activity. There is growing uncertainty among individuals about how their personal information is being used. The 2020 ACAP (Australian Community Attitudes to Privacy) survey results showed that 92 per cent of respondents were concerned about their personal information being sent overseas and 41 per cent thought that sending personal information overseas was one of the biggest privacy risks.
There is currently no single global standard to regulate cross-border data flows. The EU and APEC have adopted frameworks aimed at facilitating the cross-border flow of information between members while upholding privacy protections. It appears from the Issues Paper that the Australian Government is considering implementing the APEC Cross-Border Privacy Rules (CBPR) system. The EU GDPR aims to give individuals control of their personal data and to simplify the regulatory environment for businesses offering goods or services or monitoring the behaviour of persons in the EU.
Here is a summary of what the review will examine and, if needed, consider options for reform on:
- The scope and application of the Privacy Act including in relation to:
  - the definition of ‘personal information’
  - current exemptions, and
  - general permitted situations for the collection, use and disclosure of personal information.
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices including in relation to:
  - notification requirements
  - consent requirements including default privacy settings
  - overseas data flows, and
  - erasure of personal information.
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act.
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law.
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives.
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks.
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The review builds on reforms announced in March 2019 to increase the maximum civil penalties under the Privacy Act and develop a binding privacy code to apply to social media platforms and other online platforms that trade in personal information. To learn more, read the Issues Paper.