Privacy reforms: A balancing Act
The Government is one step closer to implementing reforms to Australia’s privacy standards following its response to the Privacy Act Review Report.
The response follows nearly three years of consultation by the Attorney-General’s Department with the aim of ensuring Australia’s privacy standards remain fit-for-purpose and are more closely aligned with global leaders.
However, the Government has taken a cautious approach, agreeing to legislate only 38 of the 116 proposals presented to it, with 68 being agreed to ‘in-principle’, indicating that more engagement and impact analysis would be required before it progressed any further with the bulk of proposals.
The need to strike an appropriate balance between enhanced privacy protections and impacts on regulated entities has not gone unrecognised. The Government has taken heed of concerns expressed in the Governance Institute’s submission, noting that it will further consider reasonable steps entities may take to protect de-identified information. It has also recognised the need for further consultation and assessment of the regulatory burden that the proposed abolition of the exemption granted to small business would have.
The Government’s aim is to meet community expectations for greater control and protection of their personal data, whilst recognising the potential adverse impacts on the international competitiveness of Australian businesses.
And our own recently released 2023 Ethics Index found cybersecurity and privacy breaches were among the top ethical challenges of 2024, with 73% of respondents saying there was an urgent ethical obligation on companies to notify customers of all data breaches.
Government takes a cautious approach to sweeping reforms.
Potential uncertainty with the expanded objectives of the Act
The Privacy Act will be amended to recognise the public interest in protecting privacy and clarifying its focus on information privacy. Broadening the scope of the Act in this way bears the risk of increasing the regulatory burden on businesses with legitimate business models relying on the collection and processing of personal information. The public interest may also shift over time, creating some uncertainty as to how the Privacy Act may apply in the future.
Efforts towards harmonisation a step in the right direction
Governance Institute members have experienced firsthand the burden and confusion created by inconsistent legislation, particularly across state and Commonwealth legislation. We are pleased that the Government has recognised this by demonstrating in-principle support of establishing a working group towards harmonising key elements of Commonwealth and state and territory privacy laws subject to agreement with states and territories. We also welcome amendments to the Act to permit organisations to disclose personal information to state and territory authorities under an Emergency Declaration, a proposal supported through our submission.
An expanded scope, powers, and advisory role of the OAIC
The Government also agreed with our views that the OAIC should provide additional guidance to entities about what reasonable steps an entity should take to keep personal information secure and what reasonable steps an entity should take to destroy or de-identify personal information. The OAIC will play an increasingly important role in guidance and awareness, and it is critical that the Commission is sufficiently resourced and funded to provide quality resources in a timely manner.
The OAIC would also be tasked with providing individuals at higher risk of experiencing vulnerability with additional guidance that would be complemented by additional protections for this cohort. However, the Government has fallen short of fully endorsing our calls for the OAIC to develop guidance on consent settings. The Governance Institute also considers it necessary to expand the OAIC to develop standardised templates and layouts for privacy policies and collection notices as a way of maintaining consistency across the economy.
Criminal offences and statutory tort for serious invasion of privacy and rights of the individual will be further considered
The Government has agreed to consult on introducing a criminal offence for malicious re-identification of de-identified information where there is an intention to do harm, but only agreed in principle to a statutory tort for serious invasions of privacy. We are of the view that a robust direct cause of action and a well-resourced Privacy Commission will mitigate the need for a statutory tort, and we welcome further engagement with the Government to this end. The Government has agreed in principle to amend the Act to allow for a direct right of action to permit individuals to apply to the courts for relief, despite the concerns we expressed on the potential for abuse of processes and an unnecessarily high case load for the court system.
Notifiable data breaches scheme to be reviewed
We are pleased that the Government has agreed to undertake further work to better facilitate the reporting processes for notifiable data breaches to assist both the OAIC and entities with multiple reporting obligations.
Further consultation
Further consultation will continue, with the Governance Institute working with our members to influence government on finalising its position on key proposals alongside other reforms taking place, including the Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience and Supporting Responsible AI in Australia.
For further information on the Government’s response, you can view the report here.