A major step in the overhaul of Australia’s outdated national data privacy law has been completed, as the attorney general’s office has released its Privacy Act review with a number of new proposals.
Among the 116 proposals included in the report are calls for safeguards similar to those provided by the EU’s General Data Protection Regulation (GDPR). Small businesses will likely be upset at seeing previously proposed exemptions wiped away, however, while political parties are facing only limited new restrictions on how they target voters.
Privacy Act review looks to update 1988 rules
The Privacy Act review is part of a years-long process of addressing Australia’s current set of national-level data privacy rules, which were put in place in 1988 with only a handful of amendments and updates bolted on to them over the years. The process is thought to have been spurred along by the rash of major data breaches in the country in recent months, as irate citizens have had to go so far as to get new identity documentation due to compromise by hackers.
The basic structure of the Privacy Act 1988 is retained under the current proposal, but greatly expanded in its protections of specific types of personal information. It also calls for a “right to be forgotten” that would allow data subjects to request removal of certain types of stored information, and rights to private action in the case of serious breaches of personal privacy when data is leaked or stolen in attacks.
Organizations would also be looking at an expansion of privacy risk assessments, and greater regulation in terms of securing against data breaches and limiting the scope of targeted advertising. Other elements include more transparency for the public into how personal information is handled, more special protections for children and vulnerable groups, and guarantees of security in international data transfers.
The Privacy Act review also begins to draw a legal distinction between data processors and data controllers. The present terms do not distinguish between these entities, nor do they do much to address the concept of a legal basis for data processing. This could signal terms similar to those found in the GDPR coming for organizations: mandatory data protection impact assessments and record-keeping, and a requirement to appoint a DPO in at least some circumstances.
The Office of the Australian Information Commissioner (OAIC) would receive new enforcement powers to accompany this collection of new regulations, in addition to those it has already been granted by the current administration. In total (and with the approval of the attorney general), the OAIC would ultimately be allowed to undertake public inquiries, conduct reviews, and issue temporary Australian Privacy Principle (APP) codes and emergency declarations. Organizations would also have to report data breaches to the OAIC within 72 hours of becoming aware of the reasonable possibility that an incident has occurred.
Legislative process may continue for some time; comments on current proposals open until March 31
The Privacy Act review proposals come shortly after the government took proactive measures to strengthen the OAIC and greatly increase data breach fine amounts as major organizations collectively lost millions of sensitive records to close out 2022 and open 2023.
Part of the issue to date has been a loose definition of what personal information is covered by the Privacy Act 1988, and the fact that organizations were only required to demonstrate that personal data collection was “reasonably necessary” for their functions. The Privacy Act review adds a “fairness” test to this standard; organizations would now have to consider what the individual reasonably expects to have to share in the circumstances, whether data minimization principles can be reasonably applied to limit the amount of sensitive data being gathered, and whether the benefit to the consumer at least equals the potential privacy cost of what is being collected.
New cybersecurity measures are also proposed by the Privacy Act review, though the terms are not yet specific beyond prescribing “technical controls” aimed at combating malware and common attack types. The proposals also call for harmonization between these new standards and existing special regulations for particular industries and sectors, such as critical infrastructure companies.
While the prospect of a GDPR equivalent is a positive development for Australian citizens strained by recent data breaches at the likes of Medibank and Optus, small businesses are bound to be unhappy about a previously proposed exemption being lifted. However, discussion over this aspect is far from over: the Privacy Act review calls for an impact analysis to be conducted, “appropriate support” for these businesses to be developed, and consultation with impacted businesses about developing a code that weighs their obligations proportionate to expected risk.