Below are some of the key proposals we have identified, which we consider will have significant implications for organisations, both big and small.

A. Broader application of the Privacy Act: High-level summary of proposals

• 1. Expanded definitions of personal information and sensitive information
  • Broadening the definition of ‘personal information’ to include information ‘relating to’ an individual instead of simply information ‘about’ an individual.
  • Including a non-exhaustive list of information that may be personal information, which may include information such as location data, inferred information, and technical or behavioural data.
  • Replacing ‘about’ with ‘relating to’ with respect to the definition of sensitive information and clarifying that sensitive information can be inferred from information that is not sensitive.

  What this means in practice is that types of data that were not previously regulated as ‘personal’ information may potentially be captured by the Privacy Act. We see this having potential impacts on those providing consumer electronics, those operating in the digital advertising and AI space and entities in the automotive sector.

• 2. Introduction of obligations with respect to de-identified information
  • Requiring entities to take steps to protect de-identified information in accordance with APP 11.1.
  • Requiring entities to take steps to ensure overseas recipients of de-identified information do not breach the APPs (similar to the obligations in APP 8.1), including to ensure the recipient does not re-identify the information.
  • Requiring entities to comply with the targeting proposals (see Item 11) with respect to de-identified information.
  • Prohibiting re-identifying de-identified information when the APP entity does not collect the information from the individual (subject to exceptions).

  We see these changes having massive impacts on those in online marketing and digital advertising, the health and research sector and SaaS providers who routinely handle large amounts of de-identified data. The reality is most organisations use de-identified information so that this reform will have major implications for many organisations’ data handling practices.

• 3. Removal of the small business exemption
  • Following impact analysis and consultation with stakeholders, removing the small business exemption, which currently applies to organisations with an annual turnover of AUD $3 million or less, meaning all organisations would be required to comply with the Privacy Act.
  • In the interim, including further carve-outs to the small business exemption (e.g., requiring small businesses who collect biometric information for use in facial recognition technology or who trade in personal information (irrespective of whether consent has been obtained), to comply with the Privacy Act).
• 4. Narrowing the employee records exemption
  • Following consultation with stakeholders and consideration of how the Privacy Act and workplace relations laws should interact, narrowing the employee records exemption, which exempts organisations from complying with the Privacy Act in relation to employee records in certain circumstances.
  • These modifications to the exemption would be designed to ensure that employees understand how their personal information (including sensitive information) will be handled, and that employees' personal information is appropriately protected (with any breach of this information would be subject to data breach notification requirements).

  We think this one does not go far enough. In one view, the employee records exemption should be abolished altogether (no such exemption exists under the GDPR). The existence of Australia’s current employee records exemption is thought to be one reason Australia has not achieved GDPR adequacy status, so we are somewhat surprised the exemption is hanging on in some form.

• 5. Introduction of ‘controllers’ and ‘processors’
  • In line with other global privacy regimes (such as the GDPR), pending removal of the small business exemption (Item 3) and consultation with small businesses, introducing the concept of ‘controllers’ and ‘processors’.
  • This means that a non-APP entity that processes information (processor) on behalf of an APP entity (controller) would need to comply with the Privacy Act with respect to the processor’s handling of personal information for the controller.

  We regularly advise clients on complying with both the GDPR and the Privacy Act and we expect some organisations will be pleased to see some greater alignment between the two regimes, including the introduction of GDPR terminology. However, the two regimes will still have significant differences which need to be managed and accounted for by those caught by both regimes.

• 6. Clarification of application of the Privacy Act to foreign entities
  • The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) which came into force in December 2022, expanded the extraterritorial application of the Privacy Act by limiting the threshold question of whether the Privacy Act applies to whether the entity carries on business in Australia, and removing the requirement that the entity collects or hold personal information in Australia.

  As a result of the above changes, considering clarifying the need for an ‘Australian link’ which means that foreign organisations will only be regulated by the Privacy Act to the extent that their handling of personal information has a connection to Australia.

B. Increased obligations in relation to handling personal information: High-level summary of proposals

• 7. Introduction of fair and reasonable handling of personal information
  • Introducing a requirement for any collection, use or disclosure of personal information to be fair and reasonable in the circumstances, which is an objective test that is assessed from the perspective of a reasonable person.
  • Some of the considerations as to what is ‘fair and reasonable’ may include what the individual would reasonably expect, the kind, sensitivity and amount of personal information concerned, and the impact on privacy is proportionate to the benefit.
• 8. Requirement to obtain consent to handle location data
  • Requiring consent to collect, use, disclose and store precise geolocation data.

  We are not surprised by this one, given the intense scrutiny of location data, including in the ACCC vs Google decision. We have seen a dramatic increase in clients needing advice on handling location data.

• 9. Requirement to conduct Privacy Impact Assessments and other processes
  • Requiring all APP entities to conduct a Privacy Impact Assessment (PIA) for activities with high privacy risks, which is one that is ‘likely to have a significant impact on the privacy of individuals’. Such PIAs should be undertaken prior to the commencement of the high-risk activity.
  • Requiring all APP entities to appoint or designate a senior employee responsible for privacy within the entity.
  • Including enhanced risk assessment requirements for facial recognition technology and other uses of biometric information as part of the PIA process.

  The reality is that the OAIC already expects organisations to have processes for conducting PIAs and senior stakeholders responsible for privacy. If you are not doing these things already, you need to play catch-up with current regulatory expectations even if they are not yet enshrined by express legal obligations. We consider PIAs and senior oversight critical to managing current privacy risks.

• 10. Amendments to requirements for Privacy Policies (APP 1), Collection Notices (APP 5) and consent
  • Requiring Collection Notices to be clear, up-to-date, concise and understandable, including with respect to information addressed specifically to a child, and with guidance making it clear that such Notices should only include matters (in APP 5.2) which serve the purpose of informing the individuals in the circumstances.
  • Expanding matters to be included in Collection Notices to also address matters such as handling of personal information for high privacy risk activities, the individual’s rights, (including those set out in Section C below), and the types of personal information that may be shared with overseas recipients.
  • Requiring Privacy Policies to specify the types of personal information that will be used in substantially automated decisions, the data retention periods for personal information (per Item 13) and the APP entity’s procedures for responding to the rights of individuals (per Section C below).
  • Specifying that consent must be voluntary, informed, current, specific and unambiguous, and expressly requiring the ability for individuals to withdraw their consent easily.

  How can you prepare for these changes if you don’t know what notices and consents you currently have in place? All will likely need some form of updating.

• 11. Increased obligations on handling of personal information for direct marketing, targeting and trading purposes
  • Introducing definitions for direct marketing (handling of personal information to communicate directly with an individual to promote advertising or marketing material), targeting (handling of information which includes personal information, de-identified information, unidentified information (for example, internet history) for tailoring services, content advertisements or offers), and trading disclosure of personal information for a benefit, service or advantage).
  • Introducing an unqualified right for individuals to opt out: (a) of their personal information being used or disclosed for direct marketing purposes, and (b) of receiving targeted advertising.
  • Requiring consent to trade an individual’s personal information and including limitations qualifications on targeting individuals.
• 12. Increased measures for offshore disclosures
  • Providing standard contractual clauses for any offshore disclosures in line with other global privacy regimes.
  • Specifying countries and certification schemes that provide substantially similar protection to the APPs (under APP 8.2(a), in line with other global privacy regimes).
  • Increasing obligations on entities if relying on consent (under APP 8.2(b)).
• 13. Additional security measures and data breach notification requirements
  • Clarifying that security measures (under APP 11) include technical and organisational measures and specifying baseline privacy outcomes with respect to security.
  • Requiring entities to establish their own maximum and minimum retention periods in relation to the personal information they hold (with such retention periods being annually reviewed and the information being subject to destruction or de-identification after it is no longer required).
  • Tightening notification timeframes to notify the OAIC of eligible data breaches to 72 hours (similar to the GDPR).
  • Requiring entities to take reasonable steps to implement practices, procedures and systems to enable it to respond to a data breach and requiring statements about an eligible data breach to set out the steps the APP entity has taken or intends to take in response to the breach.

  The mandatory data breach reporting regime is now five years old, yet we still see entities that do not have a data breach response plan, let alone one that has been tested and rehearsed. Both are vital to meet the proposed 72-hour reporting timeframe to the OAIC. Given the risks posed by over-retention, stricter retention rules are overdue. Still, these new rules will be a significant compliance burden if document retention policies and procedures are not already in place.

C. Expansion of rights of individuals: High-level summary of proposals

• 14. Introduction of direct right of action regarding interference with privacy
  • Providing individuals with a direct right of action in order to permit individuals to apply to the courts for relief if they have suffered loss or damage as a result of privacy interference by an APP entity, following the individual participating in the OAIC’s complaints-handling processes.

  These proposed direct rights to individuals represent a fundamental paradigm shift in the laws.

• 15. Introduction of statutory tort for serious invasions of privacy
  • Introducing a statutory tort for serious invasions of privacy, following consultation with States and Territories.
• 16. Introduction of right to erasure or a ‘right to be forgotten’
  • Introducing a right to erasure in relation to any personal information of an individual, subject to certain exceptions.
  • If an APP entity has collected the personal information from a third party, or disclosed the information to a third party, they must inform the individual about the third party and notify the third party of the erasure request.

What should you be doing now?

In order to prepare for these proposed reforms, we strongly recommend you take the following steps. The reality is, even if the reforms take some time to pass, all of these steps should be done anyway to manage current privacy risks:

	To do:
	Conduct a threshold assessment to determine if the Privacy Act will apply to you, or apply to you in different ways under the proposed reforms. For example, if you are a small business and handle biometric information for facial recognition purposes.
	Conduct a data mapping exercise to understand and record: the information your organisation actually holds, including personal, sensitive, technical and de-identified information how this information is collected, used, and disclosed, including from what sources you are collecting this information; and what systems store the different types of information.
	Review and identify existing collection notices and privacy policies - you need to know what you have in place to be in a position to review and update these for incoming changes. At a minimum, these should comply with current requirements under the Privacy Act and reflect your current data handling practices. Be prepared to undertake a rewrite of these and also overhaul the 'user experience' or 'user journey' if proposed changes are passed.
	Adopt a privacy by design approach to any new or changed ways of handling personal information and undertake a privacy impact assessment (PIA) to identify and appropriately mitigate any privacy risks associated with the project. Organisations should be conducting PIAs already, in line with current APP guidance and expectations, as they allow them to consider privacy at the start of the project and embed privacy controls early on. However, if the proposed reforms are implemented, it will be a legal requirement to conduct PIAs for high-risk activities.
	Appoint a senior employee as your privacy officer who is responsible for privacy, which is critical to embed a culture of privacy within your organisation. This employee should be at a senior level within your organisation and should report to the highest management level.

In addition, off the back of recent high-profile data breaches and the changes passed by Government in December 2022 to significantly increase the maximum penalties under the Privacy Act, which are the greater of:

• $50 million
• three times the value of the benefit obtained attributable to the breach, if this can be determined by the court, or
• 30% of the entity’s and its related bodies corporates’ adjusted turnover during the breach turnover period.

Organisations need to be taking steps now to identify risks and gaps in their privacy posture. We strongly recommend that organisations follow the checklist in this article when assessing their privacy health check.