Proposed amendments to the Privacy Act 1988
Earlier this year, the Attorney-General released a report that reviewed the Privacy Act 1988 (Act) and put forth an extensive list of proposed reforms concerning the information covered by the Act, the organizations bound by its regulations, the expected standards for handling personal information, and the enforcement mechanisms of the Act. This update sets out some of the key proposals:
Expansion of the Privacy Act’s Scope: One significant proposed change is the elimination of the exemption based on annual turnover for organizations impacted by the Act. Currently, businesses with an annual turnover of at least $3 million are primarily required to comply with the Act, with some exceptions for smaller businesses collecting health information. The report suggests gradually removing the turnover exemption while providing support and resources to small businesses. This change would make compliance with the Act, including preparing a privacy policy and securely storing personal information, a universal requirement for all businesses. Ensuring that small and medium-sized businesses have the necessary resources for compliance will be crucial.
Tightening of Exemptions: The proposals include tightening the exemptions granted to registered political parties and journalists, as well as offering some protections for employee records, which are currently largely outside the Act’s scope.
Enhanced Obligations of Organizations: “APP Entities” (entities falling within the Act’s scope) will face expanded privacy obligations, including:
- Requiring clear, up-to-date, concise, and understandable information collection notices.
- Requiring a “Privacy Impact Assessment” for activities with high privacy risks.
- Explicitly mandating the appointment of a privacy officer within APP entities to oversee privacy-related matters.
- Mandating that individuals’ consent regarding their information be voluntary, informed, current, specific, and unambiguous, and prohibiting the use of deceptive design techniques (“dark patterns”) on websites.
Expanded Definition of “Collection” of Personal Information: The definition of “collection” will be broadened to include inferred information. For instance, this would encompass information about an individual that has been deduced by an algorithm based on factors like specific purchases or visited websites.
Increased Privacy Protection for Individuals: Proposed changes aim to grant individuals new or stronger rights concerning their information, such as:
- The right to request access to their personal information held by an organization, along with relevant details regarding its collection.
- The right to object to data collection, with APP entities required to provide a written response to such objections.
- An unconditional right for individuals to opt out of their personal information being used or disclosed for direct marketing purposes.
- The right to request the erasure of their personal information (or its quarantine in cases where retention is necessary for law enforcement purposes).
- The right to request corrections to publications containing their personal information.
Changes to Privacy Act Enforcement: The proposals would introduce a civil privacy tort enabling individuals to sue organizations for privacy-related infringements and seek compensation.
A Direct Right of Action for individuals to seek relief for privacy interference: the proposed remedies include giving courts broad remedial powers to address non-pecuniary losses and award compensation.
At this stage there is no definitive indication as to which proposals will become law or the timeline for any amendments. However, it is evident that the Australian privacy regime will be undergoing significant changes in the near future.