Binding Online Privacy Code, personal right to sue and more enforcement all proposed by Privacy Act reform process

26 Oct 2021

The Attorney General's Department has commenced the second stage of its review of the Privacy Act 1988 (Cth), releasing a Discussion Paper putting forward possible proposals for reforms to address issues identified with the current operation of the Privacy Act and seeking further feedback.

This will occur in parallel with the consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which would introduce a binding online privacy code for social media and certain other online platforms, and increase penalties and enforcement measures.

The Government is inviting submissions to the Online Privacy Bill until 6 December 2021, while the consultation on the Discussion Paper closes on 10 January 2022.

Proposed reforms to the Privacy Act

The 217-page Discussion Paper contains several proposed amendments to the Privacy Act, including:

  • allowing the Office of the Australian Information Commissioner (OAIC) to make an APP code (including an urgent temporary code) on the direction or approval of the Attorney-General where it is in the public interest to do so without first having to seek an industry code developer and where there is unlikely to be an appropriate industry representative to develop the code;
  • the creation of a new Federal Privacy Ombudsman (FPO) or establishment of a Deputy Information Commissioner with a focus on enforcement;
  • the creation of a direct right of action available to any individual or group of individuals whose privacy has been interfered with by an APP entity, provided that the individual(s) have first made a complaint to the OAIC or FPO and had that complaint assessed as being unsuitable for conciliation;
  • the introduction of a statutory tort of privacy;
  • mid- and low-level tiers of civil penalty provisions to give the OAIC enforcement options in relation to conduct that falls short of the current "serious or repeated interference with privacy" threshold;
  • new rights to object or withdraw consent to the handling of one's personal information, and a right of erasure of personal information in certain circumstances;
  • changes to the objects of the Privacy Act, including the inclusion of a public interest requirement on APP entities;
  • changes to the definition of "personal information" to clarify that it includes technical and inferred personal information;
  • requirements for obtaining express consent, including via an unambiguous indication through clear action (e.g. the use of an opt-in mechanism), supplemented by a requirement that entities implement pro-privacy settings by default and make it easy for individuals to access their privacy settings; and
  • the introduction of standard contractual clauses to facilitate overseas disclosures by APP entities.

The Government is seeking further views and feedback about the benefits and risks of, among others, amending the definition of "sensitive information" to include other types of information such as location, financial and transactional data; changing the small business exemption; changing the employee records exemption; introducing a fair and reasonable requirement and whether that should be overarching or apply only for the purposes of using and disclosing personal information; and proscribing certain prohibited practices.

The Government is also seeking feedback on the exposure draft of the Online Privacy Bill. The key aspects of that draft legislation are as follows:

  • the creation of a binding Online Privacy Code for organisations that provide social media services, data brokerage services and other large online platforms that collect personal information in the course of providing information, goods or services;
  • the Online Privacy Code would, among other things, require these entities to take reasonable steps to, upon request, stop using or disclosing an individual's personal information, strengthen requirements for organisations to be transparent about data sharing, and follow stricter rules about handling the personal information of children and other vulnerable groups, with specific rules for social media services; and
  • the strengthening of the OAIC's enforcement functions by increasing the maximum penalty for serious and/or repeated interferences with privacy, and including a new criminal penalty for multiple instances of non-compliance and a new infringement notice provision. The Bill also expands the OAIC's capacity to conduct assessments, make declarations and share information with relevant enforcement authorities.

Both the Discussion Paper and the Online Privacy Bill are early expressions of the Government's policy intentions, meaning that there remains scope for revision prior to the changes being legislated.

Making a submission

The proposed changes constitute a significant ramping up of privacy regulation in Australia, and there will no doubt be concerns as to how to properly and efficiently manage compliance. If you are interested in responding to the Discussion Paper or the Online Privacy Bill, or would like further information, please contact us.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.