Privacy laws in Australia are set for a shake-up, with a review underway that could see further protections for individuals.
On 12 December 2019, it was announced that the Australian Government would be conducting a review of the Privacy Act 1988 (Cth) (Privacy Act) to ensure that the regulatory framework can be adapted to the new and current challenges in the digital age. On 30 October 2020, the Attorney-General’s Department released its Terms of Reference and timeline for review, along with an Issues Paper. Public submissions are open until 29 November 2020; however, a further opportunity to comment will be available pending the release of a discussion paper in 2021.
Earlier this year, the Government conducted an Australian Community Attitudes to Privacy Survey 2020, the results of which provided a comprehensive look into Australians’ beliefs and concerns about protecting personal information. The results of the survey revealed extensive support for protecting personal information and placing restrictions on businesses and devices to protect data privacy. Interestingly, respondents indicated a lack of knowledge and time as the primary reasons for not doing more to safeguard their privacy. Whilst the Review is intended to respond to these consumer concerns, it will nevertheless need to strike a balance with legitimate business interests and the growing digital economy.
The Terms of Reference state that the object of the Review is to consider the scope of the Privacy Act and to determine whether its enforcement mechanisms are fit for purpose. Though listed in broad terms, the matters to be considered by the Review will include:
- the scope and application of the Privacy Act;
- whether the Privacy Act effectively protects personal information;
- whether individuals should have a direct right of action to enforce privacy obligations under the Privacy Act;
- whether a statutory tort for serious invasions of privacy should be introduced;
- the effectiveness of the notifiable data breach scheme;
- the effectiveness of enforcement powers under the Privacy Act; and
- the desirability and feasibility of an independent certification scheme to monitor compliance with Australian privacy laws.
The range of matters listed for review takes account of, and builds upon the findings of, the Australian Competition and Consumer Commission’s Digital Platforms Inquiry Final Report, published in July 2019. The report detailed broad recommendations for reform as well as several specific changes such as enabling the erasure of personal information and the introduction of a statutory tort for serious invasions of privacy.
The Office of the Australian Information Commissioner (OAIC) has welcomed the review, regarding it as a landmark opportunity to respond to new challenges in the digital environment. The OAIC indicates that there are four key elements which it considers vital to implementing and maintaining effective privacy regulations:
- global interoperability – ensuring laws continue to connect around the world, so that data is protected wherever it flows;
- enabling privacy self-management – allowing individuals to exercise meaningful choice and control;
- organisational accountability – ensuring there are sufficient obligations built into the privacy system; and
- contemporary approach to regulation – holding the right tools to regulate in line with community expectations.
In light of these objectives and the contents of the Issues Paper, a number of potential reforms are worth discussing.
Of particular focus will be the scope and meaning of the term ‘personal information’, as defined under subsection 6(1) of the Privacy Act. It is likely that the definition will be amended to reflect the position under EU Law, under which technical data such as cookies, IP addresses and device fingerprints constitute personal information. At present there is a lack of clarity in respect of the application of the definition to informational traces left behind when active online. It is therefore probable that the scope of ‘personal information’ will be updated to reflect contemporary modes of data collection.
The Issues Paper also noted the vague status of ‘inferred personal information’ derived from an individual’s likes, purchases and interactions online. Though this is a growing body of data, it will likely prove conceptually difficult to determine at what point the accumulation of inferred information amounts to personal information.
It can also be anticipated that the Review will consider reforms to current notification requirements. In the 2020 ACAP survey, 63% of respondents indicated that they did not read privacy policies, and of those who did, only 5% felt that they confidently understood their terms. It is therefore foreseeable that the Review will suggest reconceptualising notice requirements in a way that makes privacy policies more accessible. This may entail the use of standardised icons or phrases to improve consumer comprehension of privacy policies and facilitate informed decision making.
Statutory Tort for Serious Invasions of Privacy
An additional matter for review that remains a topic of contention is whether a statutory tort for serious invasions of privacy should be introduced. In Australian Broadcasting Corporation v Lenah Game Meats 208 CLR 199, the court declined to recognise a cause of action for a breach of privacy, but suggested that it may be receptive to arguments in favour of a right to privacy in the future. An invasion of privacy tort would enable individuals to apply for injunctions to prevent the misuse of personal information or alternatively grant victims a right to damages, which could include damages for emotional distress.
However, despite repeated and well-informed recommendations to do so, the Government has proven reluctant over the past decade to enact such a tort. Following recent developments, such as the Enhancing Online Safety (Non-consensual Sharing of Intimate Images) Act 2018 (Cth), there are grounds to suggest that the matter is adequately dealt with under criminal law. An invasion of privacy tort is also likely to come into conflict with the constitutionally enshrined doctrine of freedom of press and expose media outlets to unnecessary liability. The findings of the Review may well prove critical in deciding whether Australia alters its position to reflect that of New Zealand, Canada, the UK and the US, all of which have established a civil cause of action for the invasion of privacy.
Pending the release of a final report, businesses should review their privacy systems, procedures and policies and prepare to adapt to newly imposed requirements in the near future. If you would like to learn more about the Privacy Act Review and its potential implications, please contact our team.
Andrea Beatty is a commercial Partner at Piper Alderman focusing on financial services. She is a leading financial services lawyer who has been listed in Australia’s Best Lawyers every year since 2012 in the areas of financial institutions and regulatory practice. She has written six editions of the leading consumer law text ‘Annotated National Code’ published by LexisNexis. Andrea advises and represents clients including start-ups, Australian financial services licensees (AFSL) and Australian credit licensees (ACL) on all aspects of financial services regulation and corporate finance including licence applications, regulatory compliance projects and audits, regulatory enforcement defences, and regulator investigations and disputes. Andrea’s experience includes advising clients on financial products and channels, including peer to peer lending platforms, crowd funding, payment systems, crypto currency, reward programs, gift cards and financial services acquisitions, disposals and alliances. Andrea also has in-depth knowledge of privacy laws and regularly advises clients on data and privacy security and breach remediation. Andrea’s financial services blog and published articles can be found at www.andreabeatty.com.au.