On 12 December 2019, the Australian Government announced that it would conduct a review of the Privacy Act 1988 as part of its response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry report. It has now published an issues paper outlining and seeking feedback on the Act as well as other Australian laws protecting personal information, with submissions on a series of 68 questions due by 29 November 2020.
The consultation seeks to outline options for implementing privacy-specific recommendations that will protect data subjects, empower consumers, and support the Australian digital economy. The Government will release a discussion paper based on the submissions received early next year, outlining possible options for reform. An expansive review of the Privacy Law is expected to be completed in 2021.
The Privacy Act 1988
The Privacy Act was first introduced in 1988 to promote and protect the privacy of individuals and to determine how Australian Government agencies and organizations with an annual turnover of more than AU$3 million, handle personal information. It also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research data.
The Act was amended to include 13 Australian Privacy Principles (APPs) in 2012. The APPs, which have been in force since 12 March 2014, cover both Australian Government agencies and organizations covered by the Privacy Act.
In November 2017, the Notifiable Data Breaches (NDB) scheme introduced mandatory data breach notifications into the Privacy Act, putting organizations under the obligation to notify individuals and the Office of the Australian Information Commissioner (OAIC) in case a data breach has occurred that is likely to result in serious harm.
The Act allows Australian data subjects to know why their personal information is being collected, how it will be used, and who it will be disclosed to. They can request to stop receiving unwanted direct marketing and to access their personal information.
They can submit complaints against organizations when they believe their personal information has been mishandled as long as the organization falls under the incidence of the Act. Australian data subjects can also ask that their personal information be corrected when they find errors in it and are allowed to use pseudonyms under certain circumstances without having to identify themselves.
Question raised in the issues paper
There are several key questions the Government’s issues paper focuses on. One of them is whether the threshold for the applicability of the Privacy Act, currently set at AU$3 million, should be lowered or scrapped altogether. A number of small businesses still need to comply with the Privacy Act at the moment, if they meet one of several criteria such as being a health service provider, a business that sells or purchases personal information, or a contracted service provider for the Australian Government.
Another issue on the table is consent. Based on the ACCC’s recommendations, the paper asks whether organizations should implement opt-in mechanisms that would allow them to request consent from individuals for each purpose, and each time their information is collected.
Adopting stricter requirements for the destruction or de-identification of personal information held by organizations is also being debated. As is the possibility of granting Australian data subjects the right to erasure. One key point that could have a fundamental impact on data protection in Australia is the possibility of individuals being granted the right to initiate court action to seek compensation from privacy breaches. At this time, they can only directly apply for an injunction.
The Privacy Act Review and GDPR
Australia has yet to seek an adequacy decision from the European Commission since the EU’s General Data Protection Regulation (GDPR) came into force. The reason behind it is the current discrepancies between the Privacy Act and GDPR.
One of the big hurdles preventing Australia from seeking an adequacy decision is the exemption threshold of AU$3 million which has spared most small businesses from compliance. The GDPR meanwhile does not have a threshold of applicability. The Privacy Act also does not cover data otherwise protected under the GDPR such as employee records.
While compliance with the GDPR was raised in the Government’s issues paper, the fact that the EU accounts for only 13.5% of international trade with Australia was also highlighted. The bulk of Australian international trade, 72%, is with Asia-Pacific economies. However, as countries from Japan to Thailand have recently moved to update their own privacy laws to bring them closer to the GDPR, Australia will likely not be able to avoid bringing its Privacy Law in line with the European regulation.
As the Government awaits submissions to its consultation, it is clear Australia will see an update of its Privacy Act next year. Whether it will be a complete overhaul or bring just minor changes remains to be seen.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.
