An Overview of Australia’s Updated Privacy Act and Its Impact on Data Protection

With the constantly evolving nature of technology and its impacts on privacy, it should come as no surprise that privacy laws have to evolve as well constantly.

For example, this year, six new privacy laws are going into effect – the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act, Utah Consumer Privacy Act (UCPA), Connecticut SB6, and Quebec Bill 64.

With over a dozen proposed privacy bills in the United States and potential updates to privacy laws in the United Kingdom, Australia is the latest country to propose updates to its privacy law, Australia Privacy Act 1988.

In this article, we will discuss the most salient points of the Australian Attorney General Department’s Privacy Act Review Report and its proposed reforms so that you can adequately prepare for any upcoming changes.

Are you collecting personal information?

For Australia Privacy Act 1988 to apply to you, you first need to collect the personal information of residents of Australia. The law, as it’s currently written, defines personal information as information or an opinion about an identified individual or an individual who is reasonably identifiable.

Examples of personal information include:

• An individual’s name, signature, address, phone number, or date of birth;
• Employee record information;
• Photographs;
• IP addresses;
• Location information from a mobile device; or
• Sensitive information, which includes race or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union memberships or associations, sexual orientation or practices, criminal record, health or genetic information, and some aspects of biometric information.

The Privacy Act Review Report states that the definition of personal information should be broadened by changing the word “about” to “relates to.”

In addition, the Report also amends the definition of de-identified information and broadens the definition of sensitive information.

Lastly, the Report states that the Act should be amended to recognize and include the collection, use, and disclosure of geolocation information.

These proposed changes would mean that more information would be included in the definition of “personal information,” thereby providing protections for pieces of personal information that did not previously enjoy such protection.

Are you a small business?

Currently, the Australia Privacy Act 1988 applies to Australian organizations with an annual turnover of more than AUD $3,000,000 and to the following organizations regardless of their turnover:

• Private sector healthcare providers;
• Businesses that sell or purchase personal information;
• Credit reporting bodies;
• Contracted service providers for Australian government contracts;
• Businesses that have opted in to comply with the law;
• Businesses that are related to a business covered by the law;
• Businesses prescribed by the Privacy Regulation 2013;
• Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009.

In addition, organizations formed outside of Australia will need to comply with this law if they have an Australian link (carrying on business in Australia and collecting and holding personal information in Australia).

While many Australian businesses have enjoyed exemption from the Australia Privacy Act due to their annual turnover, the Report recommends removing this small business exemption, which would subject thousands of small businesses to the Act.

Do you have a Privacy Policy?

If you currently have a Privacy Policy that complies with the Act, the Report recommends that Privacy Policies must be clear, up-to-date, concise, and understandable.

In addition, the Report recommends the following new disclosures to be added to Privacy Policies:

• If the entity collects, uses, or discloses personal information for a high-risk privacy activity – the circumstances of that collection, use, or disclosure;
• Details on how individuals can exercise their privacy rights; and
• The types of personal information that may be disclosed to overseas recipients.

The second recommendation is to develop standardized templates and layouts for Privacy Policies and collection notices. Thus, the Report would require companies that need to comply with the Act to update their Privacy Policies.

How do you obtain consent?

Australia Privacy Act 1988 states that consent must be obtained for the collection and use of personal information. The Report recommends amending the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous.

In addition, the Report recommends that guidance be provided to businesses on how to design consent requests. Finally, the Report recommends that the ability to withdraw consent be expressly recognized.

While many organizations already have cookie consent banners, the Report would lead to changes in the layouts of those consent banners, such as requiring consent banners to have an “accept” and a “deny” button and allowing individuals to withdraw their consent.

What privacy rights do you offer to individuals?

Currently, Australia Privacy Act 1988 provides the following privacy rights to individuals residing in Australia:

• Know their personal information is being collected, how it will be used, and to who it will be disclosed;
• Have the option of not identifying oneself or of using a pseudonym in certain circumstances;
• Ask for access to their personal information;
• Stop receiving unwanted direct marketing;
• Ask for their personal information that is incorrect to be corrected;
• Make a complaint about an organization that the Act covers.

The Report found that these privacy rights are not sufficient to adequately protect the privacy and recommended that the following privacy rights be added:

• Provide individuals with the right to access additional information and explanation about their personal information;
• Introduce the right to object to the collection, use, or disclosure of personal information;
• Introduce the right to erasure;
• Amend the Act to extend the right of correction to generally available publications;
• Introduce a right to de-index online search results containing certain personal information;

The proposed changes to the Act would also include new exceptions to the ability to exercise privacy rights.

Organizations that currently need to comply with the Australia Privacy Act should start getting ready for these additional privacy rights requests that would be implemented if the recommendations in the Report are adopted.

Do you engage in targeted advertising?

While the current version of the Act includes the right to stop unwanted direct marketing, the recommendations state that such rights should be extended to targeted advertising.

In addition, the recommendations also require entities to provide information about targeting, including clear information about the use of algorithms and profiling to recommend content to individuals.

Companies that need to comply with the Act that engages in targeted advertising should ensure that they have a clear opt-out mechanism in place and that opt-outs are respected.

Are you a data processor or a controller?

The Report recommends that the concepts of processor and controller are introduced into the Act. This means that entities that do not themselves need to comply with the law but instead process personal information for other entities would be brought under the Act’s compliance requirements.

If your clients need to comply with the law, but you were previously exempt, you should start researching compliance requirements now, as the odds are that you will no longer be exempt under these recommendations.

Do you transfer personal information outside of Australia?

If you are located outside of Australia or use vendors outside of Australia, such data transfers will come under increased scrutiny due to these recommendations.

Increased scrutiny will come in the form of a strengthening of the informed consent exception, updates to Privacy Policy disclosures, and increased requirements of measures such as standard contractual clauses.

How will the Australia Privacy Act be enforced?

Currently, the Australia Privacy Act can impose penalties of up to AUD $2,100,000 for serious or repeated privacy breaches.

The recommendations would introduce new mid-tier civil penalty provisions and a low-level civil penalty provision. In addition, the definition of “serious” would be expanded to cover actions that were not previously considered “serious or repeated”.

This means that lower-level violations of the Act would be prosecuted, and fines would be applied where normally they would not have been in the past.

What’s next?

The purpose of the Report is to provide recommendations to strengthen the existing law and provide additional protections for individuals residing in Australia.

The next step will be a public commenting period, after which a bill will be brought to the Parliament in 2023 or 2024 to implement these proposed changes.

Entities should be aware of these changes and track their development closely, as well as prepare for potential overhauls of their compliance programs.