Privacy Changes in 2024: What You Need to Know to Get Your Business Ready

Amy Cooper-Boast, Stephanie Lo and Astrid Gillam

On 28 September 2023, the Australian Government released its response (Response) to the Privacy Act Review Report. The Privacy Act Review Report, published in February 2023 after more than two years of extensive consultation, made 116 proposals to strengthen Australia’s privacy laws. In its Response, the Government agreed to 38 proposals, agreed in-principle to 68 proposals and noted 10 proposals. Although the legislation to bring the reforms into law is not set to be tabled until 2024, it is prudent for businesses to take certain practical steps to ensure that they are ready for the incoming changes, and demonstrate to customers and other stakeholders that they take seriously the personal information with which they are entrusted.

Why are these changes required?

The Response reflects the Government’s aim to overhaul Australia’s privacy laws, dating back to the late 1980s, to bring them into line with community expectations and make them fit for purpose for the digital age. While the proposals do not mirror the more stringent requirements of GDPR jurisdictions, they would bring the Privacy Act 1988 (Cth) (the Privacy Act) significantly closer to such global benchmarks.

The proposed reforms seek to strike the right balance between a raft of competing considerations – balancing the regulatory burden on organisations, encouraging innovation and enterprise, protecting Australians’ personal data from cyber-attacks and other data breaches (and resultant identity theft, scams and other misuse), increasing clarity, simplicity, transparency and control of personal information, building security, trust and confidence in Australia’s digital ecosystems and strengthening enforcement in cases of wrongdoing.

Timeline

Where proposals have been ‘agreed’, draft legislation will now be prepared and released for targeted consultation. Those ‘agreed in-principle’ will be subject to a further process of stakeholder engagement and impact analysis, ahead of a final decision as to their implementation. Some of those simply ‘noted’ are subject to further Government consideration of how to best achieve policy objectives.

The Government has committed to introducing legislation to reform the Privacy Act in 2024. It can be expected that legislation will be rolled out in stages, with transitional periods to enable organisations to ready themselves. The privacy law changes will be complemented by parallel reforms focussed on cyber-security, digital identities and responsible use of artificial intelligence.

Key proposals to note

We highlight in this article those proposals most likely to impact businesses.[1] Although legislation to reform the Privacy Act is not expected until 2024, businesses can and should take steps now to prepare for these reforms, as we suggest further below.

Clarity and flexibility: The Government has agreed to amend the objects of the Privacy Act to recognise the public interest in protecting privacy and clarify its focus on information privacy.

The flexibility of the privacy regime will be enhanced through the making of APP codes and emergency declarations. Reflecting the types of information that require protection in the digital age, the Government has agreed in-principle that (among other things):

  • ‘personal information’ is an expansive concept that includes technical and inferred information (such as IP addresses) if it can be used to identify individuals, and should be more broadly defined as information that ‘relates to’ (cf. ‘about’) an individual;
  • non-exhaustive lists are required to aid understanding of what is ‘personal information’ and when an individual will be ‘reasonably identifiable’ (that is, distinguishable from all others, even if their specific identity is not known);
  • ‘collection’ should be defined to expressly cover information obtained from any source and by any means, including inferred or generated information;
  • ‘de-identified’ should be defined as a process applied to personal information such that no individual is identified or reasonably identifiable in the current context (the Government has also agreed to further consultation on the criminalisation of malicious re-identification);
  • ‘disclosure’ should be defined as making information accessible or visible outside the entity and releasing its subsequent handling from the entity’s effective control;
  • ‘sensitive information’ should be defined to include genomic (genetic) information and to clarify that it can be inferred from information that is not itself sensitive information;
  • geolocation tracking data should be defined, and require consent for its collection and handling (possibly as a new sub-category of sensitive information); and
  • in a shift towards alignment with GDPR concepts, a distinction between controllers and processors of personal information will be introduced.

Consent and privacy default settings: To avoid ‘consent fatigue’ and undue compliance burdens, consent remains a requirement only in high privacy risk situations (such as collection of sensitive information, disclosure of information overseas, and use / disclosure for secondary purposes). The Government agreed in-principle to a clarification in the Privacy Act that consent (where it is required) should be voluntary, informed, current, specific and unambiguous. To that end, it also agreed in-principle that individuals should have the express right to withdraw consent, as easily as it is given – with guidance to be provided on the form and content of online consent requests, and online privacy settings to reflect the privacy-by-default framework of the Privacy Act.

Removal of the small business exemption: Businesses with an annual turnover of $3 million or less are currently exempt from the Privacy Act (subject to exemptions such as health service providers). The Government has agreed in-principle that the small business exemption should be removed, given the privacy risks now inherent across the digital environment. While this heralds a major change for small businesses and their compliance obligations, it will not occur without (a) an impact analysis, (b) further consultation on how to switch on obligations, proportionate to risks (possibly through a code), (c) the development of small business supports, and (d) a transition period to enable small businesses to ready themselves to comply. In the shorter term, it is intended that the small business exemption will be revoked for the collection of biometric information for use in facial recognition technology and those that trade in personal information.

Employee records: Employee records for both current and former private sector employees are presently exempt from the provisions of the Privacy Act. Further consultation on enhanced privacy protections for these employees (including employee data breach notifications) has been agreed in-principle.

‘Fair and reasonable’ test: The Government has recognised that, currently, the burden of managing privacy still falls largely on individuals to decipher complex privacy policies and collection notices. To address this imbalance (by shifting the burden to organisations), it has agreed in-principle to a new requirement that the collection, use and disclosure of personal information be fair and reasonable. This requirement would apply irrespective of whether or not consent has been obtained.

While the wording of the ‘fair and reasonable’ test is still to be developed (and its interpretation would evolve through enforcement determinations and case law over time), the question of whether this test is met in the circumstances will likely include legislated factors (agreed in-principle) such as:

  • whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances (an objective assessment);
  • the kind, sensitivity and amount of the personal information;
  • whether the collection, use or disclosure is reasonably necessary for the organisation’s functions and activities;
  • the risk of unjustified adverse impact or harm; and
  • whether the impact on privacy is proportionate to the benefit.

Privacy policies and collection notices: To address concerns that privacy policies and collection notices can be too complex, lengthy, legalistic and vague, a requirement that collection notices be clear, up-to-date, concise and understandable with appropriate accessibility measures has been agreed in-principle. The Government also agreed in-principle that collection notices should specify whether information is collected, used or disclosed for high privacy risk activities, how to exercise individual rights, and the types of personal information that may be disclosed to overseas recipients. The development of standardised templates, layouts, terminology and icons for privacy policies and collection notices has been agreed in-principle to facilitate the new requirements.

Data retention: It has been agreed in-principle that entities should be required to establish their own maximum and minimum retention periods – with such periods to be specified in their privacy policies and periodically reviewed. More broadly, the Government has agreed in-principle to review all legal provisions across different regimes which require the retention of personal information, to determine if they appropriately balance policy objectives with the privacy and cyber-security risks of holding significant volumes of such information.

Data security: The significant data breaches of the past year, and their sometimes devastating impact on individuals, have highlighted the need to enhance the Privacy Act’s existing data security obligations. To this end, the Government has:

  • agreed that the ‘reasonable steps’ required to be undertaken to protect personal information include both technical and organisational measures;
  • agreed that the Office of the Australian Information Commissioner (OAIC) should provide clearer guidance to entities on which reasonable steps to take in order to keep personal information secure (and to destroy or de-identify personal information); and
  • agreed in-principle that entities should be required to comply with a set of baseline privacy outcomes, aligned with the soon-to-be released 2023-2030 Australian Cyber Security Strategy.

Notifiable Data Breaches scheme: The Notifiable Data Breaches scheme sets out requirements for entities where they become aware that there are reasonable grounds to believe that there has been an eligible data breach. Heightened requirements to ensure more rapid responses in such circumstances have been agreed in-principle. These include requirements to:

  • notify the Information Commissioner as soon as practicable, and not later than 72 hours, after becoming aware of reasonable grounds to believe that there has been an eligible data breach;
  • notify individuals as soon as practicable, which may take place in phases;
  • take reasonable steps to implement practices, procedures and systems to respond to a data breach; and
  • set out the steps that an entity has taken or intends to take in response to the breach, including to reduce any adverse impacts on individuals (and, possibly, a requirement for entities to take reasonable steps to prevent or reduce harm likely to arise for individuals resulting from the breach).

To reduce the considerable reporting burden, the Government has also agreed to consider how best to streamline the multiple reporting processes often faced by entities in the event of a data breach.

Designated employees and organisational accountability: The Government has agreed in-principle to further organisational accountability measures, including:

  • appointing / designating a senior employee with specific responsibility for privacy (akin to a Privacy Officer);
  • determining and recording the primary and secondary purposes for information handling; and
  • where an entity does not collect personal information directly from an individual, taking reasonable steps to ensure that it was collected lawfully by the third party.

Privacy Impact Assessments: While Commonwealth agencies are currently required to complete a Privacy Impact Assessment (PIA) for all high privacy risk projects, entities in the private sector have not been required to do so. This may be set to change with the Government agreeing in-principle that non-government entities be required to conduct a PIA in such circumstances. By undertaking a PIA, it is hoped that a business would be able to identify and assess the impacts of an activity on the privacy of individuals and make an informed decision as to whether or not the impact of the activity was so great that it would contravene the Privacy Act. Examples of high risk activities may include dealing with sensitive information on a large scale, selling personal information, and the use of biometric information (such as facial recognition technology).

Automated decision-making (ADM): The Government has agreed that privacy policies must set out the types of personal information that will be used in substantially automated decisions that have a legal / similarly significant effect on an individual’s rights, and that individuals should have the right to request meaningful information about how such automated decisions are made. In this regard, the Government acknowledged the recommendations of the Royal Commission into the Robodebt Scheme in relation to the use of ADM by Commonwealth agencies.

Direct marketing, targeting and trading: With the increased use of high volumes of data in targeted or personalised advertising and content have come new privacy risks. The Government has agreed in-principle to introduce definitions for direct marketing, targeting and trading in the Privacy Act. It has also agreed in-principle that individuals should have an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes (but not, at this stage, the right to opt-out of receiving targeted advertising, which is undergoing further consideration).

To address concerns about harmful targeting, the Government has agreed in-principle that:

  • targeting individuals should be fair and reasonable in the circumstances;
  • targeting individuals based on sensitive information (other than political opinions and political / trade union memberships) should be prohibited, with an exception for socially beneficial content, such as public health campaigns;
  • an individual’s consent should be required in order to trade their personal information; and
  • entities should provide information to online users about the use of targeting systems, including clear information about the use of algorithms and profiling to recommend content to individuals.

Cross-border data flows: The proposed reforms seek to address increased concerns about the privacy risk of international data transfers, in an age where the free flow of information across borders is becoming ever more important. Significantly, the Government has agreed to introduce an adequacy regime, whereby it will prescribe countries with substantially similar protection to the Australian Privacy Principles (APPs). This will allow businesses to disclose personal information to recipients in those prescribed countries without the need for contractual provisions or other measures.

To facilitate cross-border transfers to non-prescribed countries, the Government has agreed in-principle to provide standard contractual clauses, for voluntary use, requiring that the overseas recipient does not breach the APPs. Where the use of such standard contractual clauses is not appropriate, entities will be able to rely on the existing informed consent exception. The Government has agreed in-principle to strengthen this exception by requiring entities to consider the risks associated with an overseas disclosure of personal information, to consider whether other mechanisms could facilitate the disclosure, and to inform individuals that privacy protections may not apply to their information if they consent to the disclosure.

The Government has also agreed in-principle that entities should be required to specify the types of personal information that may be disclosed, when specifying the countries in which recipients of overseas disclosures are likely to be located. Further consultation will be undertaken on the scope of the extraterritorial provisions of the Privacy Act.

Individual rights: Currently, an individual has the right to access and request the correction of their personal information.[2] The privacy reforms intend to build on these limited rights, with the Government agreeing in-principle to new additional individual rights to:

  • request an explanation of what has been done with personal information and from where it was sourced;
  • object to information handling practices;
  • request erasure of personal information;
  • request correction of online publications over which an entity has control; and
  • require search engines to de-index certain online search results.

These new rights would be subject to exceptions, including circumstances involving legal proceedings or obligations or where it would be unreasonable, technically impossible or contrary to the public interest to comply. The new rights would be notified to individuals at the point of collection, and response procedures set out in privacy policies. Reasonable assistance must be provided for the exercise of rights, and reasonable steps must be taken to acknowledge the request and respond, under the proposed reforms.

Rights to litigate for interferences with privacy: At present, individuals have limited avenues to seek redress for interferences with their privacy. We have previously discussed the liability landscape in Australia under the current privacy framework. Courts in jurisdictions such as New Zealand, the United Kingdom, some Canadian provinces and some states in the United States recognise torts or actions for invasion of privacy, although a notable distinction between these jurisdictions and Australia is that Australia does not have a national human rights framework from which Australian Courts would be able to derive such a tort.

The Government has now agreed in-principle to both:

  • a direct right of action for individuals to seek remedies (including damages) for breaches of the Privacy Act; and
  • a statutory tort for serious invasions of privacy, extending to circumstances falling outside the scope of the Privacy Act.

The direct right of action would be subject to mechanisms to encourage early resolution of claims, to minimise the potentially large burden on the courts.

To establish the statutory tort, a plaintiff bringing a claim would be required to prove that:

  • there was either an intrusion into seclusion or a misuse of private information;
  • the privacy invasion was serious;
  • they had a reasonable expectation of privacy;
  • the invasion was committed intentionally or recklessly (as opposed to merely negligently); and
  • the public interest in privacy outweighs any countervailing public interest.

Strengthened OAIC enforcement: Addressing concerns that the OAIC lacks the teeth to effectively deter privacy breaches and non-compliance, the Government has agreed to significantly bolster its enforcement toolkit. This includes amendments to the current civil penalty provision for serious interferences with privacy, a new mid-tier civil penalty provision, and a new low-level civil penalty for administrative breaches (for example, a failure to have a compliant privacy policy). New remedial powers and powers to undertake investigations, public inquiries and reviews will also be introduced. To resource increased enforcement action, consideration will also be given to an industry funding model, a contingency litigation fund and an enforcement special account to fund high cost litigation by the OAIC.

Checklist: Practical steps that your business can take now

In preparing your business for the coming reforms, ensuring robust privacy and risk mitigation practices and demonstrating to customers and other stakeholders that your business takes seriously the personal information with which it is entrusted, the following steps are recommended:

  • undertake an inventory of the data and digital assets (and liabilities) held by your organisation;
  • review your organisation’s collection practices – identify the types of personal information that are collected and their purpose (including any secondary purpose);
  • consider whether such collection is proportionate to the required purpose, whether there are other ways of achieving that purpose, and whether collected information could satisfy that same purpose if it were de-identified;
  • ensure that your business’ systems are capable of easily and quickly retrieving, deleting or de-identifying personal information, and permanently erase personal information that is no longer needed or required by law to be retained (to minimise harm from any data breach);
  • ensure that privacy policies and collection notices are clear, up to date and subject to regular review, and implemented and adhered to in practice. If your organisation does business overseas, consider any applicable legislative requirements in other jurisdictions;
  • review the extent to which personal information is disclosed outside the organisation, the data protection, cyber-security and privacy practices of third parties with whom it is shared and any required contractual terms (such as minimum security standards to be met by suppliers, and tailored data incident and indemnity clauses);
  • keep records to ensure that you can prove compliance with current laws;
  • invest in, and regularly review, data governance, cyber-security and incident response frameworks; and
  • ensure that relevant roles and responsibilities throughout the organisation are clearly defined and understood, that regular training and drills are undertaken, and that there is appropriate and meaningful oversight and monitoring at board level.

If you would like to discuss these issues further, please contact our team.

[1] The Report contains various other proposals not considered here (addressing, for example, the personal information of children and vulnerable people, research, journalism exemptions and government co-operation, information sharing and review mechanisms).

[2] Privacy Act 1988 (Cth) sch 1 s 12.
