Overhaul of the Australian Privacy Act

Australia is a great country to work with, as it is highly digitalized, developed, and English-speaking. Thus, selling services to or establishing a company is a good jurisdiction. With this regard, it is essential to know about the privacy legislation of this country since, nowadays, most internet businesses process the personal data of their clients, and they should do it in compliance with data protection laws.

So, let’s look at Australian privacy legislation, its recent changes and what to expect in the near future. 

Privacy legislation in Australia

The main privacy regulation is the Federal Privacy Act 1988. It also contains Australian Privacy Principles (“APPs”) applied to private and public sector entities with some exemptions. 

The Privacy Act aims to regulate how mentioned entities should protect personal information. There is a supervisory authority: the Office of the Australian Information Commissioner (OAIC) may conduct investigations, enforce the provisions of the Privacy Act, and impose financial sanctions for violations. 

Changes to the Privacy Act

The last significant change since passing the Privacy Amendment (Notifiable Data Breaches) Act 2017 has become the Privacy Legislation Amendment Bill 2022, the final passage of which was approved on November 28 of November 2022, by the Parliament of Australia. Australian Information Commissioner and Privacy Commissioner Angelene Falk said: “The updated penalties will bring Australian privacy law closer into alignment with competition and consumer and international remedies under Europe’s General Data Protection Regulation.” Thus, the Australian Privacy Act also aims to have a GDPR level of data protection. 

Extraterritorial application of the Privacy Act

The Privacy Act will have an extraterritorial application with an “Australian link.” Surely, all entities incorporated in Australia or citizens who work in Australia have an Australian link in their data processing processes. Also, an entity or small business operator will have an Australian link if all of the following conditions apply: 

• the organization or operator is not an Australian citizen, or a partnership formed in Australia or a company incorporated in Australia.
• the organization or operator carries on business in Australia or an external Territory; 
• the personal information was collected or held by the organization or operator in Australia or an external Territory, either before or at the time of the act or practice.

Therefore, this amendment makes Australian privacy laws applicable to all organizations doing business in Australia, whether or not they collect personal information directly in Australia. This change was made to make companies that collect data from Australians from foreign servers comply with the Privacy Act.

However, there is uncertainty that brings multinational or global companies into the scope of the Privacy Act, as they now may process any personal data, not only the personal data of Australians. So, if different branches of a global company share data with one another, it may render an entire group subject to the Privacy Act if one of the groups carries on business in Australia. 

Additional powers of the Australian Information Commissioner

Shortly speaking, the Commissioner will have more powers to compel entities to provide it with the necessary information; namely, if the Commissioner has a suspicion that an individual or entity has information about an actual or suspected security incident, it may require such individual or entity to give information, produce documents and/or answer questions. Also, the Commissioner will be able to penalize entities failing to comply with its requests to disclose information. 

Despite requiring a respondent to take steps to ensure infringing conduct is not repeated or continued, the Commissioner will have the power to require an independent and suitably qualified adviser to conduct a review and provide a report to the Commissioner. The OAIC will be able to coordinate its various internal functions better by sharing information and by delegating Information Commissioner functions and powers to OAIC staff. Thus, it increases the speed of the investigation and coordination process. 

Penalties for the breach have increased

If an individual interferes with the privacy of one or more individuals (or repeatedly interferes), they may be liable for a maximum penalty of 2.5 million AUD (previously, the maximum penalty for an individual was $444,000 AUD). In turn, the maximum penalty for the body corporate was set at the amount that is greater of $50 million AUD (the previous maximum penalty’s amount was $2,22 million AUD), 3 times the value of the benefit derived by the company (or its related entities) either directly or indirectly from the serious or repeated interference of the privacy of individuals, or if a court is unable to determine the value of that benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The term “breach turnover period” is quite vague and may be a huge risk for the companies, as this period may be more than 1 year, as prescribed by the GDPR. For example, a company that has been processing personal information without valid consent for three years will be charged for the three-year “breach turnover period,” and the amount of the fine may be tremendous. 

What to expect in 2024?

It is worth noting that in February 2023, the Privacy Act Review Report by the Attorney General was released, which made 116 wide-ranging proposals for reform and called for further consultations. Seven months later, on September 28, 2023, the Federal Government provided its much anticipated formal position on each of the 116 recommendations, with the enormous response being positive: 106 of the 116 were “agreed” or “agreed in principle either.”

The above-mentioned Australian Information Commissioner and Privacy Commissioner Angelene Falk said:

This is the most significant change to the Privacy Act in decades, and will require organizations to ensure that practices are fair and in the first place.

Thus, which main “agreed” proposals can be immediately implemented?

• Individuals’ additional protection. There are 2 new features that have been introduced: 1) Individuals have the right to request meaningful, jargon-free, and clear information about the decision-making process for automated decisions that impact their rights; 2) privacy policies should specify the types of personal information utilized in these decisions (e. g. regarding access to basic necessities). 
• More sophisticated enforcement. One of the main complaints levelled against the present system is that financial penalties may only be imposed for “serious or repeated” interferences, which causes problems with enforcement since it’s not clear what constitutes an “interference of privacy.” If the proposal is approved, two lower levels of infringement will be established, which will make it easier for the OAIC to provide notices of low-level infringement (like those available under consumer protection law), lower the bar for wrongdoing and pursue compliance behaviour that is both more timely and broader. 

So, what “agreed in principle” proposals are worth paying attention to?

• The “personal information” definition is amended. The current definition of personal information requires the information to be “about” an individual who is either identified or reasonably identifiable. This proposal would amend the definition to capture information that “relates to” an individual and include express forms of digital identifier, capturing those digital data points to make the Privacy Act fit for digital purposes and bringing Australia into line with other jurisdictions.
• The controller and processor distinction. The fact that Australia does not differentiate between data controllers and data processors is another issue that often catches people off guard. If the change is implemented, it will resolve many practical problems, as well as provide conceptual consistency between regimes and practical consistency, making either inbound or outbound overseas transfers easier.
• Expanded rights for individuals. Similarly, the Response is in favour of more individual rights comparable to those guaranteed by the General Data Protection Regulation (GDPR). Among them are: 1) the right to access and explanation; 2) the right to object to the collection, use, and disclosure of personal information; 3) the right to de-index search results; 4) the right to erasure. Also, the government has given its preliminary approval to plans that would enable private enforcement of privacy breaches. This is not yet accessible in Australia, but it would certainly speed up the emerging trend of data breach class action litigation and encourage more private enforcement.
• Overarching proportionality requirement. The introduction of a comprehensive “fair and reasonable” standard for the acquisition, use, or disclosure of personal data is a significant and potentially game-changing suggestion that has been “agreed in principle” in the Response. It is currently up to the APP organizations to decide whether data collection, usage, and disclosure are reasonably essential for their business activities. The Response argues that people shouldn’t be required to read and comprehend policies and notices, provide their agreement to invasive collection methods in order to use services, or have information gathered from them that they wouldn’t reasonably anticipate. 

Although the Government’s general approach to revising the Privacy Act has been clarified in the Response to the Report, the majority of the suggestions are still up for another round of public discussions. Nevertheless, we will still keep our finger on the pulse of the current situation and future legislation changes. 

What to do now? 

Companies to whom Privacy Legislation Amendment Bill 2022 might be applicable must begin to work on their compliance with Australian data protection laws. First, it is important to document all of your dataflows to understand whether the Privacy Act applies to you or your company. It might be done by performing a regular privacy audit as a part of your business processes and risk management strategies. Be ready to cooperate with supervisory authorities, as now they have a broader range of powers.

Make sure you have the processes in place to assess and provide timely and accurate responses to requests for information from regulators.

In case you need any help with privacy issues, do not hesitate to write us an email ☺