The Future of Privacy Law in Australia - The Commonwealth Government’s Response to the Privacy Act Review Report

By John Davies, Lawyer at Hillhouse Legal Partners

Key takeaways

  • If you own or manage a small business, particularly one which may have significant privacy risks, you should be on notice that you may be required to comply with the Privacy Act sooner than expected.
  • Businesses who do not have data hygiene front of mind already should carefully assess their practices.
  • Businesses in the process of changing any software that stores or processes personal information should consider taking the opportunity to future proof against the proposed changes.

On 28 September 2023 the Commonwealth Government released its response (Response) to the Privacy Act Review Report (Report), which had been published earlier this year.

The Government “agrees in-principle” with many of the proposals from the Report, which indicates that the proposals will be subject to discussion with stakeholders before they are enacted. However, other proposals which the Government specifically “agrees” with are more likely to be implemented promptly without substantial discussion. The Government “notes” other proposals from the Report, which are less likely to be enacted.

In the Response, the Government’s key focus areas for privacy reform are to:

  1. bring the Privacy Act into the digital age;
  2. uplift protections;
  3. increase clarity and simplicity for entities and individuals;
  4. improve control and transparency for individuals over their personal information; and
  5. strengthen enforcement. 

While it is unlikely that a bill to amend the Privacy Act will be released for some time, Australian businesses should consider the Report as they change their existing processes, procedures or technologies, or enter into new contracts, in order to future proof against potential changes, minimise disruption and ensure a smooth transition to the new regime.

The Fair and Reasonable Test 

The Government agrees in principle that a new test should be enacted which requires that collection, use, and disclosure of personal information is fair and reasonable in the circumstances. [1] This test would apply even if consent has been given.  

The Government has said that “this new requirement will help protect individuals when their personal information is used in complex data processing activities which have emerged through technological advancement, such as screen scraping and AI”.[2] 

As the Government notes, what is fair and reasonable will depend on guidance from the Office of the Australian Information Commissioner (OAIC) and enforcement actions, as well as the view of judicial bodies.[3] Once this new requirement is enacted, we expect businesses to err on the side of caution as it is unlikely that clear judicial guidelines on this requirement will emerge until significantly after the test becomes law. 

Removal of Small Business Exemption

The Government agrees in principle that the Privacy Act’s small business exemption should be removed after sufficient consultation and a transition period.[4]

However, the Government also agrees in principle that small businesses which pose a significant privacy risk (e.g. businesses which collect biometric information), or which trade in personal information, should not be able to rely on the small business exemption.[5]

Small businesses will need to assess their data hygiene practices and ensure that they are compliant before the obligations to comply with the Privacy Act take effect. 

Specific guidelines for high risk activities 

The Government agrees in principle that entities should be required to complete a privacy impact assessment for high privacy risk projects that “identifies the impact that a project might have on the privacy of individuals and sets out recommendations for managing, minimising, or eliminating that impact”.[6] This mirrors an existing requirement for Government agencies. 

Individual rights 

The Government agrees in principle that individuals should be able to:

  1. request an explanation from an entity of what personal information the entity holds and what the entity is doing with it;
  2. challenge the information handling practices of an entity and require an explanation of how such practices comply with the Privacy Act;
  3. require an entity to delete or de-identify personal information held by the entity;
  4. request correction of online publications that an entity controls; and
  5. require search engines to de-identify particular online search results;

subject to prescribed exceptions (e.g., where the right is contrary to public interest, or if the request is frivolous or vexatious).[7] 

In the short term, businesses in the process of making changes to internal software which stores or processes personal information should consider future proofing so that, if the above rights are enacted, the day-to-day compliance burden is limited. Being across this now and making changes today will help avoid having to incur further time and cost later, modifying processes or procedures to become compliant in the future.

Causes of action for interferences of privacy 

The Government agrees in principle that individuals who have suffered loss or damage because of an interference to their privacy should be able to bring a right of action after lodging a complaint with the OAIC or a recognised external dispute resolution scheme.[8] 

The Government also agrees in principle that there should be a statutory tort for serious invasions of privacy, with the proposed elements of such a cause of action being:

  1. that the privacy invasion was serious;
  2. that the individual had a reasonable expectation of privacy;
  3. that the invasion was committed intentionally or recklessly (not merely negligently); and
  4. that the public interest in privacy outweighs any countervailing public interest.[9]

The Government gives two examples of where an action may be brought under this tort:

  1. an “individual taking a video of a person where they had a reasonable expectation of privacy (such as in a public bathroom)”;
  2. “an employee misusing sensitive facts about another employee obtained by virtue of their position”.[10] 

New enforcement powers 

The Government agrees that:

  1. a new civil penalty provision should be created to penalise interferences with privacy which are below the standard of being “serious”;
  2. a new civil penalty provision should be created to penalise certain administrative breaches of the Privacy Act, with the OAIC to hold infringement notice powers with set penalties;
  3. the Federal Court and the Federal Circuit and Family Court of Australia should be able to make any order after a civil penalty relating to a privacy interference has been made out; and
  4. entities must identify, mitigate and make good actual or foreseeable loss suffered by individuals.[11] 

The Government also agrees that the OAIC should receive:

  1. additional powers to investigate provisions which carry a civil penalty, and
  2. the ability to undertake inquiries and reviews into specified matters subject to the approval or direction of the Attorney-General.[12] 

Other proposals 

Other key insights from the Response include the Government agreeing in principle to the following:

  1. That entities should be required to establish their own maximum and minimum retention periods for personal information they hold and disclose these periods in privacy policies.
  2. That entities should be required to take reasonable steps to ensure personal information collected by third parties was collected lawfully.
  3. A number of additional privacy protections for persons under the age of 18, including that trading in their personal information should be prohibited.
  4. That individuals should be expressly able to withdraw consent that they had previously given, and that the means of doing so should be easily accessible.
  5. That entities should take reasonable steps to ensure personal information collected by third parties was collected legally. 

Hillhouse Legal Partners can advise you on all privacy issues. Please feel free to contact us on (07) 3220 1144 or email the writer at

[1] Response, p 8.

[2] Response, p 8.

[3] Response, p 8.

[4] Response, p 6.

[5] Response, p 6.

[6] Response, p 10.

[7] Response, p 18.

[8] Response, p 19.

[9] Response, p 19.

[10] Response, p 19.

[11] Response, p 20.

[12] Response, p 20.

The information in this blog is intended only to provide a general overview and has not been prepared with a view to any particular situation or set of circumstances. It is not intended to be comprehensive nor does it constitute legal advice. While we attempt to ensure the information is current and accurate we do not guarantee its currency and accuracy. You should seek legal or other professional advice before acting or relying on any of the information in this blog as it may not be appropriate for your individual circumstances.