Viewing entries tagged
Privacy Act review

Key takeaways from the Privacy Amendment Bill 2024

Comment

Key takeaways from the Privacy Amendment Bill 2024

By Chong Shao

The Australian Government has introduced the Privacy and Other Legislation Amendment Bill 2024, as part of the first tranche of its long-awaited response to the Privacy Act Review. We knew that progress would be measured in years, and so far this is proving out.

The headline changes touted by the government include:

  • A new statutory tort to address serious invasions of privacy.

  • Development of a Children’s Online Privacy Code to better protect children from online harms (accompanied by further funding to support the OAIC in development the code).

  • Greater transparency for individuals regarding automated decisions that affect them.

  • Streamlined and protected sharing of personal information (PI) in situations of a declared emergency or eligible data breach.

  • Stronger enforcement powers for the Australian Information Commissioner.

  • A new criminal offence to outlaw doxxing (i.e., the malicious release of personal data online that could enable individuals to be identified, contacted, or located).

For many, these reforms are modest and therefore disappointing, given the scope and duration of the Privacy Act Review.

Notably missing from the Bill is:

  • Any update to the definition of Pl.

  • Inclusion in the Bill of the four elements along EU GDPR lines that make a consent valid.

  • The introduction of a ‘fair and reasonable test’ for the handling of PI.

  • A requirement for APP entities to conduct a Privacy Impact Assessment for activities with high privacy risks.

  • The right for individuals to request erasure of their PI.

Also missing is one of the more contentious recommendations, the gradual removal of the small business exemption.

On the other hand, the changes represent a moderate progression from the status quo, which needs to be monitored closely and will likely have bigger implications over time.

Some key takeaways:

1. Privacy as a major intersection point

The Bill confirms that privacy sits at the intersection of the major technological and societal issues of our time.

For example:

  • The statutory tort introduces a cause of action for individuals against another person or organisation where there is a serious invasion of privacy – organisations should be aware of this provision (no small business exemption here!); although it should not be an issue if they are focused on “doing the right thing”.

  • A Children’s Online Privacy Code will be developed alongside other initiatives in the online safety space, including Online Safety Codes and the eSafety Commissioner’s research and work on age assurance.

  • Greater transparency regarding automated decision-making comes as part of a broader push by the government around promoting safe and responsible AI.

  • The streamlining of PI sharing in emergency and eligible data breach scenarios is a welcome move but will have to be considered alongside notification requirements in other laws and schemes such as the Security of Critical Infrastructure Act 2018, Data Availability and Transparency Act 2022, and APRA’s Prudential Standard CPS 234 Information Security.

The Bill is a microcosm of the complex privacy, cyber security, and digital regulatory landscape that is taking shape in Australia. The picture is getting (understandably!) complicated, and the Bill contributes to this.

2. Enforcement will matter more

The government’s touting of ‘stronger enforcement powers’ for the Australian Information Commissioner is a bigger deal than it appears on the surface.

On closer inspection, the Bill provides a series of changes that enable more flexible and effective enforcement of the Privacy Act:

  • A civil penalty provision for interference with privacy of individuals (not just ‘serious’ interference).

  • Separately, the civil penalty for serious interference with privacy of individuals is retained, with better elaboration of factors that may be considered in determining if the interference is serious.

  • The Commissioner may seek civil penalty orders and issue infringement notices for breaches of certain Privacy Act provisions and certain Australian Privacy Principles (APPs).

  • Additional monitoring and investigation powers.

One of the biggest issues with compliance and enforcement of the Privacy Act has been the relative lack of flexibility with the existing law, where there is a (recently strengthened) civil penalty provision for ‘serious and repeated interferences with privacy’. OAIC enforcement actions have been few and far between, typically reserved for ‘high profile’ cases such as Meta (Facebook), Medibank, and Australian Clinical Labs.

These changes to the Privacy Act, especially in relation to civil penalty orders and infringement notices, provide the OAIC with a bigger ‘toolkit’ to enforce breaches of the Privacy Act and the APPs.

Privacy Commissioner Carly Kind, in a Privacy Awareness Week Sydney event earlier this year, spoke of the ‘exciting opportunity for the OAIC to become a more enforcement-based regulator’. During the Q&A, she noted that for the first time in a decade there are three dedicated commissioners, and that they would be thinking a lot more about how to conduct proactive and proportionate enforcement.

This was confirmed by the OAIC’s Corporate plan 2024-25, which commits the OAIC to a ‘risk-based, education and enforcement-focused’ posture.

The true effectiveness of the regulator will depend on the extent to which it is sufficiently resourced. We have been advocating for greater funding for the OAIC for over a decade in speeches, forums and submissions. We eagerly await the next budget to see if the government will put its money where its mouth is and that they are indeed serious about ‘ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age’.

Nevertheless, the Bill and the OAIC’s recently publicised posture demonstrate a clear intent and capability for the regulator to conduct more enforcement. Organisations should take note.

3. Keep sticking to the basics

The Privacy Act Review was flagged five years ago, as part of the ACCC’s 2019 Digital platforms inquiry. In the meantime, organisations are facing an increasingly challenging environment:

  • Cyber security incidents (including data breaches and the sophistication of bad actors) continue to increase in size and scale.

  • The growing data economy and technologies like AI heighten business pressures to collect and use personal information, while exposing organisations to greater data governance risks.

  • Australians care more than ever about privacy – according to the OAIC’s Australian Community Attitudes to Privacy Survey 2023, 82% of respondents care enough about protecting their PI to do something about it, and 84% want more control and choice over the collection and use of their PI.

It has been a slow and winding journey to reach the first tranche of changes to the Privacy Act. 

Our key takeaway is not to get over-excited, nor complacent. Not over-excited, because in many ways these are modest changes that will take time to realise their full effects. Not complacent, because the Bill heralds a new era of enforcement for the OAIC, including compliance with the existing Privacy Act and its APPs.

Instead, we think it is best to keep calm and stick to the basics. This means:

  • Assess your privacy practices against the existing APPs with a focus on Pl collection and handling practices and ensure you are taking ‘reasonable steps’ (including technical and organisational measures) in securing and protecting personal information. [1]

  • Know what PI (including sensitive information) you have now, where it is, whether you should still have it and the ways in which you are using it.

  • Assess cyber security risks and controls and consider certification against relevant standards.

  • Establish an improvement and remediation plan based on the findings of points 1, 2 and 3.

Putting the foundations in place now will give you a simpler path to compliance and good practice for both the current legislative requirements and the new requirements to come, including whatever Tranche Two will bring.

IIS can help

IIS and our subsidiary TrustWorks 360 can help you:

  • Navigate the complexity of the privacy, cyber security, and digital regulatory landscape.

  • Get the basics right and help you comply with current and incoming requirements, to satisfy customer expectations and to avoid regulator scrutiny and enforcement.

  • Move beyond compliance to performance and resilience that builds trust and achieves business objectives in a fast-changing world.

Why? Because as we have said at IIS for two decades, “It is just good business.”

Please contact us if you have any questions about the Privacy Act reforms and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.

[1] In a separate interview, Commissioner Kind discussed the OAIC’s enforcement action against Medibank, for activities leading up to the data breach. The OAIC is making the case that Medibank didn’t take ‘reasonable steps’ to protect the personal information they collected and held. Reasonable steps are described as:

  • State of the art security

  • Good governance

  • Organisational responsibilities.

Comment

Privacy Act review: A closer look at children's privacy

Privacy Act review: A closer look at children's privacy

By Natasha Roberts

In this post, we take a closer look at proposals related to children’s privacy contained in the recent Privacy Act Review Report (the Review) – proposals to which the Government has agreed or agreed in principle.

What was the problem the Review was trying to address?

There is growing recognition that children and young people may be vulnerable in relation to privacy, particularly online. The Review noted that in the digital age kids are increasingly ‘datafied’ and that personal information about children can be used to build profiles and identify moments that children may be particularly vulnerable or receptive to online targeting and marketing (including in relation to harmful products and messaging). As the Report observed, this may affect children and young people’s autonomy and capacity to freely develop their identity.

How did the review propose to address this problem?

The Review took a multifaceted approach to addressing children’s privacy including the following…

Define ‘child’ and restrict marketing, targeting and trading in personal information

Currently the Privacy Act does not define ‘child’ and there are no specific provisions applying to children’s privacy (though organisations are expected to consider an individual’s capacity to consent which may include considerations of age or maturity). The Report proposed reforming the Privacy Act to define a child as an individual under 18 years of age.

In formally defining the meaning of child, the Privacy Act would then provide for certain specific provisions that apply only to children. These include proposals to prohibit the ‘trading’ of personal information of children and restrictions on ‘direct marketing’ and ‘targeting’ of children, other than marketing or targeting that is in the best interests of the child (for example, targeted marketing for essential child support, counselling and community services).

Codify ‘capacity’ in relation to consent

The Privacy Act contains several exceptions that allow certain information handling with the consent of the individual. However, deciding when children have ‘capacity’ to consent can be difficult, in recognition of varying levels of maturity at different ages. Up until now, the Privacy Act has not specified a particular age at which children may consent on their own behalf and guidelines issued by the Information Commissioner have stated that an organisation must decide on a case-by-case basis if an individual under the age of 18 has the capacity to consent. Where that is not practical, the Information Commissioner advises that an organisation may assume an individual over the age of 15 has capacity, unless there is something to suggest otherwise.

The Review recommended retaining this ‘middle path’ between individualisation and practicality, noting that over-reliance on parental consent was impractical and undesirable. The Review did however propose that the Privacy Act codify the principle that valid consent must be given with capacity. While this would result in a change to the Act, it should not result in a major change of approach for organisations given that it formalises what is already contained in the Information Commissioner’s guidelines and what should already be occurring in practice.

Build consideration of ‘best interests of the child’ into fair and reasonable test

Elsewhere we have discussed the proposal for the introduction of a fair and reasonable test to the Privacy Act. The Review further proposes that any such test require organisations to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances. In our view, this is the most far-reaching of the children’s privacy reforms as it puts the best interests of the child at the heart of decisions about information handling.

Introduce a Children’s Online Privacy Code

Other jurisdictions (notably the UK) have promulgated codes to regulate the privacy of young people online. The Review considered models adopted in those other jurisdictions and came to the view that Australia should introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’ and which aligns with the UK Age Appropriate Design Code, to the extent possible. According to the Review, a code could address:

  • Whether specific requirements are needed for assessing capacity

  • Whether certain collections, uses and disclosures of children’s personal information should be limited

  • Which default privacy settings should be in place

  • Whether entities should be required to ‘establish age with a level of certainty that is appropriate to the risks’ or apply the standards in the Children’s Code to all users instead

  • How privacy information (including collection notices and privacy policies) and tools that enable children to exercise privacy rights (including erasure requests) should be designed to improve accessibility for children, and

  • If parental controls are provided, how to balance the protection of the child with a child’s right to autonomy and privacy from their parents in certain circumstances.

The Review also proposed amending the Privacy Act to require that collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to a child. In the context of online services, these requirements are to be specified in the Children’s Online Privacy Code. Specifically, the Code could provide guidance on the format, timing and readability of collection notices and privacy policies.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Identifying whether you handle children’s personal information and in what circumstances (for example, in person, online etc) to determine how you may be affected by reforms

  • Maintaining a watching brief on privacy law reform to see how proposals related to children’s privacy are implemented in practice

  • Engaging in consultation – the Government has committed to further consultation on children’s privacy and there are likely to be opportunities to comment on bill exposure drafts and the draft code, as its developed

  • Reviewing the UK’s Age Appropriate Design Code to gain insight on the possible scope and approach of the proposed Children’s Online Privacy Code, noting that the Review specifically called for the proposed code to align with the UK’s Age Appropriate Design Code to the extent possible, and

  • Considering whether your organisation’s handling of children’s personal information meets the ‘best interests of the child’ test, which is likely to form part of the proposed ‘fair and reasonable test.’ This may require consideration of whether, throughout the handling of a child’s personal information, a child’s physical, psychological and emotional wellbeing is protected.

Privacy Act review: A closer look at the fair and reasonable test

Privacy Act review: A closer look at the fair and reasonable test

By Natasha Roberts

In this post, we take a closer look at the ‘fair and reasonable test’ – a proposal in the recent review of the Privacy Act 1988 (Cth) (Privacy Act) which the Government ‘accepted in principle’. In our view, the introduction of a fair and reasonable test to the Privacy Act is welcome and has the potential to rebalance the Privacy Act away from personal responsibility (‘Well, you consented so it’s on you if your privacy was impacted’) and towards organisational responsibility (‘We, the organisation, agree to handle this personal information fairly and reasonably’).

What was the problem the Review was trying to address?

Notice and consent have become less effective over time

Notice and consent are often held up as critical elements of privacy law. They are there to ensure transparency and individual choice when it comes to the handling of personal information. Under Australian Privacy Principle (APP) 5, individuals must be told certain information when their personal information is collected including the purpose of collection (notice) and must, in most cases, under APP 6 be asked for permission before the information is used or disclosed for secondary or unrelated purposes (consent).

There’s no doubt that notice and consent will continue to play an important role in the Privacy Act. Indeed, privacy laws the world over include notice and consent as baseline principles. The problem is that over time, notice and consent have become less effective to about the same degree that personal information handling has become more complex and privacy-invasive.

Information handling has become more invasive over time

When the Privacy Act was first introduced in 1988, we lived in a largely paper-based world in which data handling was constrained by practical limitations like the inability to make use of large amounts of hardcopy information and the expense of storing it. There was no information economy in the sense we understand today. And there was no incentive for organisations to collect excess amounts of personal information or to repurpose the information for other (profit-raising) activities. It is possibly for this reason that the Privacy Act contains virtually no restriction on the ‘primary purposes’ for which organisations may use and disclose personal information.

You can see how today – in an environment that rewards data innovation, accumulation and reuse – personal information handling may expand into increasingly privacy-invasive areas – areas that were unanticipated in 1988 or indeed even in 2012 when the APPs were introduced to replace earlier principles.

This creates two pain points for privacy law

The first pain point is that the legislation has inadequate brakes available for unethical or privacy-invasive data handling activities. It simply did not need those brakes before. If an organisation collects personal information for the primary purpose of profiling children and selling such information to other businesses, for example, APP 6 would seem to permit this. Submissions to the Privacy Act review also pointed out that organisations have significant discretion in determining whether a collection is ‘reasonably necessary’ for their functions and activities under APP 3.

The second pain point is that data handling has become much more complex in recent decades and this has significant implications for the operation of informed consent. How can an individual be adequately informed if you need a degree in data science to fully grasp what is going to happen to your information? In other comparable settings, we do not expect individuals to have subject-matter expertise. We do not, for example, demand that airline passengers read lengthy statements about aeronautics and safety testing and then ‘consent’ to fly on a certain type of aircraft. Of course, passengers should not have to bear risk or responsibility for aircraft safety. Nor should they have the ‘choice’ to fly on risky, poorly-maintained aircraft. We are at a point now where the same principles should apply to data handling.

You might think that the difficulty of obtaining informed consent in these circumstances would cause a natural shift away from reliance on consent for data processing. Well, you would be wrong. As data processing has become more complex, consent notices have become prevalent, along with being longer and more technical.

Thankfully the Privacy Act Review Report recognised this, noting that ‘where digital innovation is exponentially increasing the amount of personal information and sources from which it is collected, it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.’ It also noted that ‘the diversity, change and novelty in digital information-handling practices may mean that individuals do not appreciate the scale, or even the existence, of privacy risks.’

How did the Review propose to address this problem?

Enter the fair and reasonable test

To address these obvious shortcomings in the current regulatory approach, the Review Report proposed that the Privacy Act be amended to introduce a requirement that the collection, use and disclosure of personal information be fair and reasonable in the circumstances. In applying this ‘fair and reasonable test,’ the Review Report proposed that certain matters be taken into account, including:

  • Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances

  • The kind, sensitivity and amount of personal information being collected, used or disclosed

  • Whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency

  • The risk of unjustified adverse impact or harm

  • Whether the impact on privacy is proportionate to the benefit

  • If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child, and

  • The objects of the Act.

Perhaps, most importantly, the Review Report specifically proposed that the fair and reasonable test apply irrespective of whether consent has been obtained. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Maintaining a watching brief on privacy law reform to see how the fair and reasonable test is implemented in practice.

  • Engaging in consultation processes associated with Privacy Act reform – the Government has committed to further consultation on the fair and reasonable test and there is likely to be opportunities to comment on bill exposure drafts.

  • Taking the time to review the fair and reasonable factors listed above to see how they apply to your information handling practices – aside from anything else, they offer a baseline for fair and reasonable collection, use and disclosure of personal information.

  • Considering the fair and reasonable factors listed above in any privacy impact assessment or product development process.

First reaction to the Government's response to the Privacy Act review

First reaction to the Government's response to the Privacy Act review

By Natasha Roberts

Two weeks ago, the Government released the Response to the Privacy Act Review Report. And for many of us, who participated in multiple rounds of consultation, who engaged with critical law reform questions, who offered solutions to challenges created by the digital age, who hoped the Government was ready to take an ambitious leap forward…

First, there was a feeling of disappointment…

…as we came to terms with the fact that the Government had agreed to only 38 of a possible 116 proposals, and ‘agreed-in-principle’ to a further 68. No ambitious leap. More of a reluctant step forward in which the privacy law ‘can’ was kicked down the information superhighway. What ‘agreed-in-principle’ will mean in practice remains unclear. Naturally, many of us are concerned about the potential for serious watering down or backing down. Only time will tell.

…next, we took stock of the missed opportunities…

Perhaps unsurprisingly, the Government decided against taking up proposals to narrow the political exemption. We will leave it to others to point out the double standard inherent in this decision.

But, we in the privacy and security community are a pragmatic bunch and must invest our energies in…

The parts the Government got right

While the ‘agree-in-principle’ (rather than the straight ‘agree’) response to many proposals introduces uncertainty, there is, at least, an opening to work with Government to push those proposals forward. The following reforms have the potential to make a real difference to the privacy rights and protections of everyday Australians:

Updating the definition of personal information to close gaps in protection, particularly online. We particularly commend the Government’s recognition of the privacy impact of individuation. In its response, the Government made clear that it ‘considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’ (p 5). A change to the scope and coverage of the Privacy Act along these lines could mean a significant uplift in privacy protection.

Introducing a ‘fair and reasonable’ test. Currently the Privacy Act offers little direction on the uses an organisation may make of personal information, except that the information must be necessary to a defined use and should not be used for other purposes (except in certain prescribed circumstances). This gives considerable latitude to organisations and leaves open the possibility that information is used for activities that do not meet community expectations.

Which is why the Government’s agreement-in-principle to a ‘fair and reasonable’ test – which would apply irrespective of whether consent has been obtained – is so welcome. The Privacy Act is in serious need of rebalancing. Privacy responsibilities – which are currently borne too heavily by individuals (under the at times deceptive doublespeak of ‘choice’ and ‘consent’) – should be transferred to organisations. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

Strengthening children’s privacy. The Government has agreed-in-principle to a suite of proposals aimed at protecting children, particularly online. This includes restrictions on targeting of children online and prohibition of trading in children’s personal information. It also includes the development of a Children’s Online Privacy Code to ensure the best interests of the child are upheld in the design of online services, and to provide further guidance on how entities are expected to meet requirements regarding targeting, direct marketing and trading. We applaud this.

Aligning privacy and security. The law reform environment in Australia, broadly, has an information security flavour right now (or at least, one that is cognisant of the deep impacts of advanced persistent threats and cyber-crime and the impact of data breach on individuals), which highlights necessity of digital and data initiatives operating in an environment that is safe-for-work. The set of proposals (21.1-21.8) in the ‘Security, retention and destruction’ chapter are clearly reflective of this.

It is great to see that there will be clarity around securing personal information – with what ‘reasonable steps to secure personal information’ in APP 11 actually means in practice to be embedded in legislation. The Government has also agreed-in-principle to organisations being required to meet baseline privacy outcomes that are aligned with the forthcoming Australia’s Cyber Security Strategy. Given the common goals of the Government’s privacy and information security mandates, we look forward to seeing further developments here.

A final word on the law reform process

Regulating information privacy is notoriously difficult and multifaceted. The challenge is compounded by a rapidly evolving digital environment. The Privacy Act Review could have sat languishing in a backroom of the Attorney-General’s department, un-responded to and un-actioned. Instead, the Government has responded to the review and published its response. For this we are grateful. Yes, there have been some areas of disappointment in the Government response but overall, we’re encouraged to see the Government moving forward, despite the challenges.

Be assured that we will be watching closely to see how the next stage plays out.

Please contact us if you have any questions about the Privacy Act reform process and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.