Government announces response to Privacy Act review report
Attorney-General Mark Dreyfus has announced the government’s response to the Privacy Act review report. The government has committed to enacting 38 of the report’s 116 recommendations and has agreed in principle to a further 68, subject to further consultation and impact analysis. There are some sensible wins for advertisers: the government has rejected extending all of the Act’s protections to de-identified data, and has rejected an unqualified right to opt out of receiving targeted advertising.
Key Changes Agreed
The proposals the government has committed to enacting include:
- Re-identification – there will be further consultation on introducing a criminal offence for malicious re-identification of de-identified information (proposal 4.7)
- Data security – the Privacy Act’s existing security obligations will be strengthened by specifying that the ‘reasonable steps’ required under APP 11 include both technical and organisational measures (proposal 21.1). The OAIC will be tasked with providing guidance on what reasonable steps an entity should take to keep personal information secure (proposal 21.3) and to destroy or de-identify personal information once it is no longer needed (proposal 21.5)
- Automated decisions – privacy policies will need to set out the types of personal information used in substantially automated decisions (e.g. online credit card or insurance applications) that have a legal or similarly significant effect on an individual’s rights, with the OAIC tasked with providing guidance on the types of automated decisions covered by this requirement (proposals 19.1 and 19.2). Individuals will be able to request information about how an automated decision about them was made (proposal 19.3)
- Children will be defined as under 18 years (proposal 16.1)
- Overseas data flows – a mechanism will be introduced to prescribe countries with substantially similar privacy laws (proposal 23.2) to allow businesses to disclose personal information to recipients in prescribed countries without the need for contractual provisions or other measures.
Changes Subject To Further Consultation
The government supports the following proposals but wants to undertake further consultation on how to implement them:
- Fair and reasonable test – The government agrees that relying exclusively on notice and consent to regulate personal information-handling places an unrealistic burden on individuals to decipher complex and lengthy policies and collection notices. The imbalance would be addressed by an overarching fair and reasonable test (proposal 12.1), which will apply regardless of whether or not consent has been obtained.
- Privacy by Default – to address concerns about ‘dark patterns’, privacy settings for online services should reflect the ‘privacy-by-default’ framework of the Privacy Act, as determined by what is fair and reasonable in the circumstances, and be clear and easily accessible for users (proposal 11.4)
- Notification of data breaches – there will be more specific requirements around the timing of notifications and the response to data breaches (proposals 28.2 and 28.3)
- Pre-determined Purposes of Data Collection – entities will be required to determine and record the purposes for which they will collect, use and disclose personal information at or before the time they collect it and record secondary purposes at or before the time of undertaking the secondary use or disclosure (proposal 15.1).
- Direct marketing, targeting and trading:
  - Definitions – further consultation will be undertaken to define direct marketing, targeted advertising, targeting and trading (proposal 20.1)
  - Direct marketing – individuals should have an unqualified right to opt out of their personal information being used or disclosed for direct marketing purposes (proposal 20.2)
  - Direct marketing to children – should be prohibited unless the personal information used was collected directly from the child and the direct marketing is in the child’s best interests (proposal 20.5)
  - Targeting – should be subject to the following requirements (proposal 20.8):
    - targeting individuals should be fair and reasonable in the circumstances, and
    - targeting individuals based on sensitive information should be prohibited, with an exception for socially beneficial content that will be clarified in further guidance
  - Targeting children – targeting a child should be prohibited, with an exception for targeting that is in the child’s best interests (e.g. preventing children from seeing age-sensitive advertisements) (proposal 20.6)
  - Trading – an individual’s consent should be required in order to trade their personal information (proposal 20.4)
  - Trading children’s data – trading in the personal information of children should be prohibited (proposal 20.7)
- Direct right of action and statutory tort – the government will make it easier for individuals to take direct action where their privacy has been breached.
What Won’t Change
The government has rejected the following proposals:
- providing individuals with an unqualified right to opt-out of receiving targeted advertising (proposal 20.3)
- extending specific protections of the Privacy Act to de-identified information
- extending privacy rules to some activities of registered political parties
- limiting the journalism exemption – the exemption will continue to apply where personal information is handled ‘in the course of journalism’
Next steps
The Attorney-General’s Department will lead the next stage of implementation which will involve:
- development of legislative proposals which are ‘agreed’, with further targeted consultation to follow
- engagement with entities on proposals which are ‘agreed in-principle’ to explore whether and how they could be implemented so as to proportionately balance privacy safeguards with potential other consequences and additional regulatory burden
- development of a detailed impact analysis, to determine potential compliance costs for regulated entities and other potential economic costs or benefits (including for consumers), and
- progressing further advice to the Government in 2024, including outcomes of further consultation and legislative proposals.