Australian Privacy Reform: The Future of Data Protection

Authored by Andrew Truswell and Casper Xiao

In the dynamic realm of technology and innovation, Biztech Lawyers is your unwavering partner. We are dedicated to simplifying complexities, offering precise legal support, and ensuring you're well-prepared to navigate the ever-evolving landscape. Today, we bring to your attention the first steps in a pivotal development that has the potential to redefine data privacy standards in Australia. The Australian Government has unveiled its response to the Attorney General's Privacy Act Review Report, signifying significant changes designed to align Australia more closely with international GDPR standards. 

Join us as we delve into these pivotal proposals and their implications. The Government's stance falls into two categories: 'Agreed' (indicating likely inclusion in the next draft legislation) and 'Agreed-in-principle' (acknowledging conceptual agreement with a need for further consultation).

Working with data, launching a platform, or expanding globally? Our Cyber and Data Privacy lawyers can help you stay compliant and thoughtful about privacy from the start.

Proposals the Australian Government Has Agreed to:

1. Empowering the OAIC (Proposals 5.1, 5.2, 5.3, 5.4, 5.5)

These proposals entail reinforcing the powers of the Office of the Australian Information Commissioner (OAIC). The OAIC will be given the authority to independently introduce new Australian Privacy Principle (APP) codes and issue Emergency Declarations for specific entities, classes of entities, or categories of personal information. Furthermore, this initiative permits the sharing of personal information with state or territory authorities during times of disasters or emergencies. 

• Potential Impact: This significant shift necessitates businesses to stay alert and be responsive to evolving obligations that may not be explicitly outlined in the Data Privacy Act but may be introduced as part of new APP Codes. For instance, it paves the way for the development of Codes such as the Children's Online Privacy Code, and other Codes that focus on aspects like opting out of online advertising.

2. Clarifying Types of Data and Rights Related to Automated Decision Making (Proposals 19.1, 19.2, and 19.3)

This proposal suggests that privacy policies should set out the types of personal information used in decisions which are substantially automated that will have a significant effect on individuals, and that individuals should have a right to request meaningful information about how such decisions are made.

• Potential Impact: While this is a significant stride toward addressing unjust arbitrary decisions made through automated or AI-based processes (for example, see the Robo-debt fiasco), it's essential to note that the current proposal does not fully align with the existing GDPR standards. Unlike the GDPR, which provides individuals with the right not to be subject to decisions based on automated processing, including profiling, the Australian proposal falls short of granting such extensive rights.

3. Standardizing Overseas Data Flow (Proposal 23.2)

This particular proposal aims to introduce an adequacy mechanism that simplifies compliance for entities engaged in cross-border data transfers. It does so by prescribing countries that possess substantially similar privacy laws to Australia, using a 'white-list' style mechanism.

• Potential Impact: This proposed mechanism promises to streamline compliance obligations for entities involved in transferring data to jurisdictions with privacy laws resembling Australia's, such as the UK and EU. At present, the process is considerably burdensome, requiring entities to conduct their own assessments of the adequacy of foreign data protection laws.

Proposals where the Australian Government Has Agreed-in-Principle:

4. Expanding 'Personal Information' and clarification on what is 'Reasonably Identifiable' (Proposals 4.2 and 4.4)

In these proposals, the government seeks to amend the definition of 'personal information,' extending it to include elements such as IP addresses, device identifiers (like cookies), and establishing a non-exhaustive list. Further, the government aims to clarify the criteria for determining what is 'reasonably identifiable,' broadening its scope to encompass scenarios where individuals can be distinguished from others, even if their identity remains unknown.

• Potential Impact: While these changes are indeed welcome, they may not substantially alter practical implications, as many privacy policies already encompass these elements. 

However, the expansion of 'reasonably identifiable' to include data where the individual's identity is unknown can have far-reaching consequences, especially for online advertising businesses that rely on anonymous identifiers.

5. Phasing Out Small Business Exemption (Proposals 6.1 and 6.2)

The government has signaled its intent to phase out the small business exemption to the Privacy Act, currently applicable to businesses with an annual turnover of $3 million or less. 

• Potential Impact: If rolled out, this change will affect approximately 2.3 million small businesses, which will have to fully comply with the Privacy Act, obligating them to maintain the security of personal data and notify affected individuals in case of data breaches. 

While the government indicates a reasonable transition period, we strongly recommend that small businesses initiate compliance with the Privacy Act promptly. This proactive approach not only demonstrates commitment but also enhances brand trust.

6. Implementing "Privacy-by-Default" (Proposal 11.4)

In line with international standards, the Australian Government supports measures to establish a 'privacy-by-default' framework for online services. 

• Potential Impact: Under this proposal, organizations will be mandated to ensure their privacy settings are clear and readily accessible to users. Although the exact requirements remain unspecified, we can anticipate an alignment with GDPR standards, where data protection is set as the highest level by default, and users have the autonomy to adjust privacy settings (for example, a social media account user setting their profile from private to public).

7. Amending Employee Records Exemption (Proposal 7.1)

Currently, private sector employees, both current and former, are exempt from the Privacy Act and regulated under workplace relations laws. The Government has proposed further consultation on further developing this interplay between data privacy laws and workplace relations laws.

• Potential Impact: The proposed amendment aims to enhance these exemptions legislatively, raising questions about how privacy and workplace relations laws will intersect in the future. While the specifics are yet to be defined, we may see a more rigid approach towards employee data protection.

8. Reducing Notifiable Data Breach Timeframe to 72 Hours (Proposal 28.2)

The government's proposal to notify the OAIC within 72 hours of becoming aware of eligible data breaches 

• Potential Impact: This proposed change will see Australia aligning with the timeframe standards set under GDPR as well as the SOCI Act for non-critical cyber breaches.

9. Reviewing Data Retention Periods (Proposals 21.6, 21.7, and Proposal 21.8)

Under these proposals, entities will be able to set their own minimum and maximum data retention periods, but will be required to do so and specify these in their privacy policies.

• Potential Impact: The comprehensive review of data retention periods across different legislations The government acknowledges the pressing need to update data privacy regulations, bringing them in line with the modern digital landscape, and that for it to be effective, a comprehensive review of data retention periods across all different legislations is necessary.

10. Mandating the Appointment of Data Protection Officers (Proposal 15.2)

This proposal mandates the appointment of a senior employee responsible for all privacy matters within an entity, a move that aligns Australia with international standards like the GDPR. Entities complying with international standards already have roles such as "privacy compliance officer," "data privacy officer," or "data protection officer."

• Potential Impact: This is a welcome change that brings Australia closer in line with GDPR standards.

Partner with Biztech Lawyers

These ten proposed changes are amongst hundreds of other proposed changes that signify a watershed moment in Australia’s pursuit of robust data protection standards, drawing the nation closer to international benchmarks like the GDPR. As your dedicated legal partner, Biztech Lawyers stands poised to simplify complexities, offering precise legal guidance to navigate these changes seamlessly. Contact us today to embark on your journey of innovation and growth with the legal experts who share your tech vision.

Concerned about complying with the relevant data protection laws? Check out our cheat sheet on global data protection and stay ahead of the game.

Meanwhile, on the other side of the globe, the UK’s legislation appears to be moving in the opposite direction, with proposed legislation aiming to lighten compliance burdens for businesses. ‍