Dramatic changes proposed to the Privacy Act – what should you do now to prepare?

By Sonia Sharma & Tara Dhanushkoti

01 March 2023

The highly anticipated Privacy Act Review Report (Report) has been released by the Federal Attorney-General, which sets out significant proposals to amend the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs). If implemented, these changes will have far-reaching implications for all organisations.

In this article, our privacy experts, Partner Sonia Sharma and Lawyer Tara Dhanushkoti, outline some of the key proposals from the Report, along with the main impacts on organisations and the key steps that organisations should be taking now to prepare.

Following two of Australia’s largest data breaches last year, everyone from the parliament to the pub has been talking about privacy. The proposed reforms set out in the Report, however, predate those incidents and are considered by many to be long overdue. The proposed changes aim to bring Australia’s privacy regime in line with other global jurisdictions and to address gaps in the regime caused by rapid and evolving changes in the digital landscape (such as the use of online behavioural advertising and facial recognition technologies).

Broadly speaking, the reforms dramatically increase:

  • the types of information governed by the Privacy Act
  • the application of the Privacy Act
  • the number of obligations and steps entities need to take when handling personal information, and
  • rights of individuals with respect to privacy and enforcement powers under the Privacy Act.

“Diving into the Report, it’s absolutely critical that organisations start taking action now to prepare for these sweeping reforms,” states Sonia, who, along with her team, advises clients routinely on navigating privacy issues and key areas of risk, especially given the rapid change in technology.

“Put simply, without a current baseline understanding, entities will struggle to be in a position to comply with any changes to the privacy laws that result from this review. Organisations can’t afford to sleep on this issue. The stakes are higher than ever before, with the increased powers and penalties that recently came into force following the Optus and Medibank data breaches, along with the constant and increased threat of cyber-attacks and the need to foster community trust. The key message is that privacy is complex, and organisations need to be proactive in preparing for these potential changes.”

Lawyer Tara Dhanushkoti adds,

“Because of the implications, we strongly recommend that all organisations, regardless of size, urgently conduct a data mapping exercise to understand what personal information and other data they currently handle, how they handle and store this data, what consents and notices they currently provide, and what policies, procedures and other organisational measures are currently in place. We still find many organisations have a poor understanding of basic issues or are still very much developing their privacy posture.”

What’s happened, and what’s next?

The Report has been long awaited and follows a two-year review of Australia’s privacy laws. The Report contains 116 specific proposed changes to be made to the Privacy Act. If implemented, these proposals will drastically change the privacy landscape in Australia, aligning our regime with global standards and replacing our outdated privacy laws with a more fit-for-purpose regime.

The Federal Government has invited feedback on this Report in order to inform its response. You have until 31 March 2023 to provide a response, and this is your last chance to have a say before the Government decides its next steps with respect to the reforms, including before any draft legislation is prepared.

What are the key changes proposed?

For those who have been following along over the last couple of years, most of these proposed changes will not come as a surprise. The significant proposals in the Report will fundamentally:

A. Broaden the application of the Privacy Act

The Privacy Act would reach more entities and capture more types of information.

B. Increase obligations

Entities seeking to collect, use, store and disclose personal information would face more obligations, including steps to take before collecting personal information and additional measures if they want to use or disclose information for certain purposes.

C. Expand the rights of individuals

Individuals would gain new rights with respect to their privacy, and the enforcement powers under the Privacy Act would increase.

Below are some of the key proposals we have identified, which we consider will have significant implications for organisations, both big and small.

A. Broader application of the Privacy Act: High-level summary of proposals
  • 1. Expanded definitions of personal information and sensitive information
    • Broadening the definition of ‘personal information’ to include information ‘relating to’ an individual instead of simply information ‘about’ an individual.
    • Including a non-exhaustive list of information that may be personal information, such as location data, inferred information, and technical or behavioural data.
    • Replacing ‘about’ with ‘relating to’ with respect to the definition of sensitive information and clarifying that sensitive information can be inferred from information that is not sensitive.

    What this means in practice is that types of data that were not previously regulated as ‘personal’ information may potentially be captured by the Privacy Act. We see this having potential impacts on those providing consumer electronics, those operating in the digital advertising and AI space and entities in the automotive sector.

  • 2. Introduction of obligations with respect to de-identified information
    • Requiring entities to take steps to protect de-identified information in accordance with APP 11.1.
    • Requiring entities to take steps to ensure overseas recipients of de-identified information do not breach the APPs (similar to the obligations in APP 8.1), including to ensure the recipient does not re-identify the information.
    • Requiring entities to comply with the targeting proposals (see Item 11) with respect to de-identified information.
    • Prohibiting re-identifying de-identified information when the APP entity does not collect the information from the individual (subject to exceptions).

    We see these changes having massive impacts on those in online marketing and digital advertising, the health and research sector, and SaaS providers who routinely handle large amounts of de-identified data. The reality is that most organisations use de-identified information, so this reform will have major implications for many organisations’ data handling practices.

  • 3. Removal of the small business exemption
    • Following impact analysis and consultation with stakeholders, removing the small business exemption, which currently applies to organisations with an annual turnover of AUD 3 million or less, meaning all organisations would be required to comply with the Privacy Act.
    • In the interim, including further carve-outs to the small business exemption (e.g., requiring small businesses that collect biometric information for use in facial recognition technology, or that trade in personal information (irrespective of whether consent has been obtained), to comply with the Privacy Act).
  • 4. Narrowing the employee records exemption
    • Following consultation with stakeholders and consideration of how the Privacy Act and workplace relations laws should interact, narrowing the employee records exemption, which exempts organisations from complying with the Privacy Act in relation to employee records in certain circumstances.
    • These modifications to the exemption would be designed to ensure that employees understand how their personal information (including sensitive information) will be handled, and that employees’ personal information is appropriately protected (with any breach of this information being subject to data breach notification requirements).

    We think this one does not go far enough. In our view, the employee records exemption should be abolished altogether (no such exemption exists under the GDPR). The existence of Australia’s current employee records exemption is thought to be one reason Australia has not achieved GDPR adequacy status, so we are somewhat surprised the exemption is hanging on in some form.

  • 5. Introduction of ‘controllers’ and ‘processors’
    • In line with other global privacy regimes (such as the GDPR), pending removal of the small business exemption (Item 3) and consultation with small businesses, introducing the concept of ‘controllers’ and ‘processors’.
    • This means that a non-APP entity that processes information (processor) on behalf of an APP entity (controller) would need to comply with the Privacy Act with respect to the processor’s handling of personal information for the controller.

    We regularly advise clients on complying with both the GDPR and the Privacy Act and we expect some organisations will be pleased to see some greater alignment between the two regimes, including the introduction of GDPR terminology. However, the two regimes will still have significant differences which need to be managed and accounted for by those caught by both regimes.

  • 6. Clarification of application of the Privacy Act to foreign entities
    • The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), which commenced in December 2022, expanded the extraterritorial application of the Privacy Act by limiting the threshold question of whether the Privacy Act applies to whether the entity carries on business in Australia, and removing the requirement that the entity collect or hold personal information in Australia.

    As a result of the above changes, the Report proposes clarifying the requirement for an ‘Australian link’, which means that foreign organisations will only be regulated by the Privacy Act to the extent that their handling of personal information has a connection to Australia.

B. Increased obligations in relation to handling personal information: High-level summary of proposals
  • 7. Introduction of fair and reasonable handling of personal information
    • Introducing a requirement for any collection, use or disclosure of personal information to be fair and reasonable in the circumstances, which is an objective test that is assessed from the perspective of a reasonable person.
    • Some of the considerations as to what is ‘fair and reasonable’ may include what the individual would reasonably expect, the kind, sensitivity and amount of personal information concerned, and whether the impact on privacy is proportionate to the benefit.
  • 8. Requirement to obtain consent to handle location data
    • Requiring consent to collect, use, disclose and store precise geolocation data.

    We are not surprised by this one, given the intense scrutiny of location data, including in the ACCC v Google decision. We have seen a dramatic increase in clients needing advice on handling location data.

  • 9. Requirement to conduct Privacy Impact Assessments and other processes
    • Requiring all APP entities to conduct a Privacy Impact Assessment (PIA) for activities with high privacy risks, which is one that is ‘likely to have a significant impact on the privacy of individuals’. Such PIAs should be undertaken prior to the commencement of the high-risk activity.
    • Requiring all APP entities to appoint or designate a senior employee responsible for privacy within the entity.
    • Including enhanced risk assessment requirements for facial recognition technology and other uses of biometric information as part of the PIA process.

    The reality is that the OAIC already expects organisations to have processes for conducting PIAs and senior stakeholders responsible for privacy. If you are not doing these things already, you need to play catch-up with current regulatory expectations even if they are not yet enshrined by express legal obligations. We consider PIAs and senior oversight critical to managing current privacy risks.

  • 10. Amendments to requirements for Privacy Policies (APP 1), Collection Notices (APP 5) and consent
    • Requiring Collection Notices to be clear, up-to-date, concise and understandable, including with respect to information addressed specifically to a child, and with guidance making it clear that such Notices should only include matters (in APP 5.2) which serve the purpose of informing the individuals in the circumstances.
    • Expanding matters to be included in Collection Notices to also address matters such as handling of personal information for high privacy risk activities, the individual’s rights (including those set out in Section C below), and the types of personal information that may be shared with overseas recipients.
    • Requiring Privacy Policies to specify the types of personal information that will be used in substantially automated decisions, the data retention periods for personal information (per Item 13) and the APP entity’s procedures for responding to the rights of individuals (per Section C below).
    • Specifying that consent must be voluntary, informed, current, specific and unambiguous, and expressly requiring the ability for individuals to withdraw their consent easily.

    How can you prepare for these changes if you don’t know what notices and consents you currently have in place? All will likely need some form of updating.

  • 11. Increased obligations on handling of personal information for direct marketing, targeting and trading purposes
    • Introducing definitions for direct marketing (handling of personal information to communicate directly with an individual to promote advertising or marketing material), targeting (handling of information, which includes personal information, de-identified information and unidentified information (for example, internet history), for tailoring services, content, advertisements or offers), and trading (disclosure of personal information for a benefit, service or advantage).
    • Introducing an unqualified right for individuals to opt out: (a) of their personal information being used or disclosed for direct marketing purposes, and (b) of receiving targeted advertising.
    • Requiring consent to trade an individual’s personal information and including limitations and qualifications on targeting individuals.
  • 12. Increased measures for offshore disclosures
    • Providing standard contractual clauses for any offshore disclosures in line with other global privacy regimes.
    • Specifying countries and certification schemes that provide substantially similar protection to the APPs (under APP 8.2(a), in line with other global privacy regimes).
    • Increasing obligations on entities if relying on consent (under APP 8.2(b)).
  • 13. Additional security measures and data breach notification requirements
    • Clarifying that security measures (under APP 11) include technical and organisational measures and specifying baseline privacy outcomes with respect to security.
    • Requiring entities to establish their own maximum and minimum retention periods in relation to the personal information they hold (with such retention periods being annually reviewed and the information being subject to destruction or de-identification after it is no longer required).
    • Tightening notification timeframes to notify the OAIC of eligible data breaches to 72 hours (similar to the GDPR).
    • Requiring entities to take reasonable steps to implement practices, procedures and systems to enable them to respond to a data breach, and requiring statements about an eligible data breach to set out the steps the APP entity has taken or intends to take in response to the breach.

    The mandatory data breach reporting regime is now five years old, yet we still see entities that do not have a data breach response plan, let alone one that has been tested and rehearsed. Both are vital to meet the proposed 72-hour reporting timeframe to the OAIC. Given the risks posed by over-retention, stricter retention rules are overdue. Still, these new rules will be a significant compliance burden if document retention policies and procedures are not already in place.

C. Expansion of rights of individuals: High-level summary of proposals
  • 14. Introduction of direct right of action regarding interference with privacy
    • Providing individuals with a direct right of action in order to permit individuals to apply to the courts for relief if they have suffered loss or damage as a result of privacy interference by an APP entity, following the individual participating in the OAIC’s complaints-handling processes.

    These proposed direct rights to individuals represent a fundamental paradigm shift in the laws.

  • 15. Introduction of statutory tort for serious invasions of privacy
    • Introducing a statutory tort for serious invasions of privacy, following consultation with States and Territories.
  • 16. Introduction of right to erasure or a ‘right to be forgotten’
    • Introducing a right to erasure in relation to any personal information of an individual, subject to certain exceptions.
    • If an APP entity has collected the personal information from a third party, or disclosed the information to a third party, they must inform the individual about the third party and notify the third party of the erasure request.

What should you be doing now?

In order to prepare for these proposed reforms, we strongly recommend you take the following steps. The reality is, even if the reforms take some time to pass, all of these steps should be done anyway to manage current privacy risks:

To do:
Conduct a threshold assessment to determine if the Privacy Act will apply to you, or apply to you in different ways under the proposed reforms. For example, a small business that handles biometric information for facial recognition purposes may be brought within the Privacy Act.
Conduct a data mapping exercise to understand and record:
  • the information your organisation actually holds, including personal, sensitive, technical and de-identified information
  • how this information is collected, used, and disclosed, including from what sources you are collecting this information; and
  • what systems store the different types of information.

Review and identify existing collection notices and privacy policies - you need to know what you have in place to be in a position to review and update these for incoming changes. At a minimum, these should comply with current requirements under the Privacy Act and reflect your current data handling practices.

Be prepared to undertake a rewrite of these and also overhaul the 'user experience' or 'user journey' if proposed changes are passed.

Adopt a privacy by design approach to any new or changed ways of handling personal information and undertake a privacy impact assessment (PIA) to identify and appropriately mitigate any privacy risks associated with the project.

Organisations should be conducting PIAs already, in line with current APP guidance and expectations, as they allow them to consider privacy at the start of the project and embed privacy controls early on. However, if the proposed reforms are implemented, it will be a legal requirement to conduct PIAs for high-risk activities.
Appoint a senior employee as your privacy officer who is responsible for privacy, which is critical to embed a culture of privacy within your organisation. This employee should be at a senior level within your organisation and should report to the highest management level.

In addition, the changes passed by Government in December 2022 significantly increased the maximum penalties under the Privacy Act for serious or repeated interferences with privacy, to the greater of:

  • $50 million
  • three times the value of the benefit obtained attributable to the breach, if this can be determined by the court, or
  • 30% of the entity’s and its related bodies corporates’ adjusted turnover during the breach turnover period.

Off the back of these penalties and recent high-profile data breaches, organisations need to be taking steps now to identify risks and gaps in their privacy posture. We strongly recommend that organisations follow the checklist in this article as a privacy health check.

Want to know more?

Contact our Privacy team.
