Update on the Privacy Law Changes Proposed for Australia in 2024/2025

*** News Flash ***

Long-awaited changes to Australian privacy laws were due to be tabled on 20th August. Due to legislative priorities, this has now been revised to early September, and the legislation is therefore unlikely to pass before the end of the 2024 legislative year.

In addition, the government will not release the proposed legislative framework prior to tabling. Hence, the first time the public will see it is likely to be in committee referral.

Australia’s first Privacy Act was passed in 1988. There have been minor amendments since then, but effectively Australia’s privacy regime has been enacted under legislation that is almost two generations old, during a period of fundamental technological change in which digital technologies have encroached on and, in many cases, control our lives. Our PPI (Personal Private Information) has never been more valuable, more sought after and more vulnerable.

In February 2023 the government released the Privacy Act Review Report, which detailed 116 proposals to strengthen and modernise Australia’s outdated privacy laws. Much of the responsibility for managing the Privacy Act changes, and for implementing regulations not requiring legislative changes, rests with the Office of the Australian Information Commissioner (OAIC), which is an agency within the Attorney-General’s department.

In December 2023 the government “agreed” to 38 and “agreed in principle” to 68 (total 106 of the 116) proposals put forward. Of the 38 agreed, a few will have real significance:

  1. Individuals must be given clear information on how automated systems are handling their personal information (e.g. the “robodebt” effect)
  2. Privacy policies must set out the types of personal information and how that information is to be used in automated systems that have a legal or other significant effect on an individual’s rights
  3. The OAIC will be given powers to introduce a Children’s Online Privacy Code that will apply to applications that are targeted to, or likely to be accessed by, children
  4. Government is likely to introduce a cross-code dependency regime whereby similar regulatory frameworks to those in Australia are accepted for cross-border transfers of data
  5. Lower levels of infringement threshold will be introduced to allow a more nuanced approach and provide for more timely and broader compliance behaviour

The 68 proposals agreed in principle are broadly in these areas:

  1. An agreed definition of what is Personal Information; this is currently ambiguous in Australia due to past case law
  2. Introducing a “fair and reasonable” test for the collection, use and disclosure of PPI
  3. Removing the exemption from compliance with the Privacy Act for businesses with revenue under $3m per annum, and stronger requirements with respect to the use of employee data
  4. To align with many international regulations, the Privacy Act will make a distinction between PPI data controllers (i.e. the holders or owners of data) and data processors (i.e. the collectors or handlers of data)
  5. Some form of agency for individuals with respect to the use of their PPI, including the right to be forgotten

The degree to which the details of these proposals are included in the final legislation will be determined during the committee phase and subsequent negotiations. However, up to this point there has been broad bipartisan support for changes to the Act to bring it up to modern societal relevance, and therefore time and other priorities may be the only impediment to its final passing.

Background Prior to 2023

To understand the original Privacy Act (1988) legislation, along with the amendments made in 2014 and 2017, see this government link:

https://www.ag.gov.au/rights-and-protections/privacy

A notifiable breaches amendment was made to the Act in 2018. This required entities subject to the Privacy Act to notify the OAIC and the subjects of the breach should a breach be likely to risk serious harm.

The Privacy Act is supported by Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014.