On 16 February 2023 the Attorney-General’s Department released its Privacy Report, which has reviewed the adequacy of Australia’s privacy laws. Feedback is invited to inform the Government’s response to the 116 proposals contained in the 320 page Privacy Report.
We have previously provided updates on the Privacy Act review, including our comments on the Discussion Paper and a Discussion Paper Update, as well penalty increases. 16 key takeaways from the Privacy Report include as follows: Expansion of what constitutes “personal information” and “sensitive information”. Consequently, an expansion of obligations, including regarding IP addresses, device IDs, genomic information, location data, financial and transaction data Reducing or removing the $3 million threshold, meaning more (smaller) businesses and more sole traders will become “APP Entities” and be required to comply with the Privacy Act and Australian Privacy Principles (APPs) Standardisation of privacy policies (or parts of them) and collection notices. This is a strategy to require the use of familiar, consistent terminology and to create efficiencies Expressly requiring APP Entities to appoint or designate a senior employee responsible for privacy Enhanced requirements to obtain consent, meaning a clear affirmative act, that is voluntary, informed, unambiguous, specific and current Enhanced collection obligations, including to expand collection to include information obtained from any source and by any means including inferred or generated information Legislated factors relevant to whether a collection, use or disclosure of personal information is fair and reasonable in the circumstances The employee records exemption to be amended to provide enhanced protections for employees. This means greater obligations on employers as to how employee information is managed Privacy by design – increased requirements to facilitate “opt in” instead of “opt out”, increased rights to objection, erasure, correction and de-indexing online search results Strengthening transparency requirements for cross border disclosures Undertaking Privacy Impact Assessments (PIAs) for activities with high privacy risks (for example implementing new processes, software that accesses personal and sensitive information), and to provide those PIAs to the Information Commissioner (OAIC) on request Notifiable/ Eligible data breaches to be notified to the OAIC within 72 hours, instead of 30 days Expanded enforcement powers for the OAIC, similar to ACCC and ASIC Broader powers for the Federal Court to impose penalties Creating direct rights of action for privacy breaches. This will facilitate class actions against APP Entities, including for widespread data breaches Creating a statutory tort of invasion of privacy, covering the misuse of private information, and which is not in the public interest. This is broad and potentially covers the sharing and publication of intimate images, doxxing, and unwarranted surveillance. It would have broad and general application (and would not be limited to APP Entities) Conclusion The Attorney-General’s Department is seeking feedback to inform the government response to the Privacy Report. The deadline for feedback is 31 March 2023. Should you wish to discuss the Privacy Report, your privacy rights and obligations, please do not hesitate to contact Bill Fragos, Special Counsel or your usual contact at Moray & Agnew. We also deliver presentations and training to our clients on privacy laws and the implications of the Privacy Report.
The content of this publication is intended to provide a summary and commentary only. It is not intended to be comprehensive nor does it constitute legal advice, and has been prepared based on applicable legislation at the date of publication. You should seek legal advice on specific circumstances before taking any action.