Last Friday, the Attorney General's office kick-started its review into whether the Privacy Act 1988 (Cth) (Privacy Act) is fit for the digital age. This drive for change reflects the global push towards consumer data privacy, with the department highlighting that its main concern is to identify options to “better empower consumers, protect their data and best serve the Australian economy”.
In a nutshell, the review will consider whether the emergence of new technologies means Australian privacy law is no longer “fit for purpose”. There is a raft of potential changes, including those proposed by the Australian Competition and Consumer Commission's landmark digital platforms inquiry in July 2019, which recommended an overhaul of Australia's privacy laws to provide greater transparency about the collection and use of consumer data by companies.
Change to extend consumer protections and streamline global compliance policy
The review has a dual purpose: to strengthen privacy protections for consumers and to streamline privacy law compliance for global businesses (which some might argue are competing priorities). This presents an important opportunity to shift towards a more consumer-centric framework. In fact, experts have commented that the proposed makeover has a very similar feel to the European Union’s General Data Protection Regulation (GDPR). Given the GDPR's more user-centric approach, using it as a muse for better privacy policy would be a prudent move for Australia and would help close the current gaps between the two approaches.
In explaining the context of the review, the issues paper says:
A business's capability to interact with consumers online is vital to economic growth and prosperity. As Australians spend more online, and new technologies like artificial intelligence appear, more personal information about individuals is being captured and processed raising questions as to whether “the Privacy Act and its enforcement mechanisms remain fit for purpose.”
At the same time, businesses that are trying to do the right thing are faced with an increasingly complex regulatory environment with respect to managing personal information. This is particularly true for businesses who work across international borders where complying with information protection standards can be a requirement for access to overseas markets.
To properly deal with the situation at hand, the department outlined a number of matters for its consideration, detailed below.
Matters to be considered by the review
Recommendations by the ACCC
Drawing on a range of resources including submissions, stakeholder interviews and previous research and reports, the review will examine a slew of potential changes to privacy law.
The first round of changes to be considered will be those recommended by the ACCC, including:
Updating the definition of personal information to include identifiers such as IP addresses and location data;
Requesting companies to notify consumers in clear language when their data is being collected;
Changing to an opt-in regime for the collection of consumer data;
Allowing consumers to bring lawsuits, including class actions, for privacy violations; and
Introducing a statutory tort for serious invasions of privacy.
Enforcement measures - current and potential
Considering fines for violations of the Australian Consumer Law (ACL) were increased in 2018, the review will assess whether the privacy law, as it stands, provides for adequate enforcement. This is not the only area of regulation that will be assessed for its effectiveness, as the review mentions a number of other changes it will consider including the notifiable data breach scheme that took effect in February 2018.
Even then, the ACCC’s digital platforms report has already recommended the introduction of a prohibition on certain unfair practices that, although not covered under the ACL, are relevant to the privacy realm, including:
collecting or disclosing consumer data without express informed consent;
failing to provide adequate data security;
unilaterally changing the terms on which goods and services are provided without reasonable notice;
inducing consumer consent to data collection by relying on long, complex contracts or all-or-nothing click-wrap agreements; and
seeking to dissuade consumers from exercising their contractual or other legal rights.
Though this particular recommendation is not mentioned in the review, the government has proclaimed it would consider policy recommendations in relation to it - something which this review provides a fitting opportunity for.
EU law
In the spirit of rising to meet the high-water mark set by the GDPR, the Attorney General will also consult on whether to implement a European-style right to be forgotten and a framework for regulating cross-border data flows.
Looking into the crystal ball
The cut-off for submissions on the review paper is 29 November, with the discussion paper set to be released next year. Although there's no way to predict the kind of preliminary outcomes it will present, the review offers an important chance to reassess privacy law in the current digital climate and ensure it serves its purpose into the future.