Australia: Privacy Act Review

The Terms of Reference (ToR) and Issues Paper for the long-awaited review (Review) of the Privacy Act 1988 Cth (Act) has finally been released by the Government (AG’s Department).

A commitment to review the Act was first announced by the Government following the ACCC’s Digital Platform Enquiry in 2018/19, and it is good to see proposals for this Review finally taking shape, notwithstanding COVID priorities.

Public submissions are being requested to respond on the ToR and the 68+ other questions in the Issues Paper, accompanying the ToR. The closing date for submissions is 29 November 2020. A second consultation on specific outcomes from the preliminary review will take place in early 2021, including any possible options for reform.

What exactly is being reviewed?

This Review builds on reforms already announced by the Government in March 2019, to increase the maximum civil penalties under the Act (to align with those applicable to breaches of the Australian Consumer Law (ACL)), and to develop a binding privacy code for social media / online platforms that trade in personal information.

But this Review goes broader than solely targeting online platform providers. It involves a wholesale review and proposed update to key provisions of the Act, including strengthening of consumer consents and notification requirements, revising overseas data flow arrangements and broadening the definition of personal information to include online identifiers and other technical data.

The small business exemption under the Act is also being reviewed; it is likely that we will see some changes here, particularly as this has always been a stumbling block in discussions around Australian’s ‘adequacy’ under EU law regimes, including EU/UK GDPR.

Statutory rights of redress for consumers?

Recommendations for a statutory tort for serious invasions of privacy, direct rights of actions for consumers to enforce privacy obligations, and whether the Privacy Act should include a ‘right to erasure’ (similar to that prescribed in the EU/UK GDPR) are also being considered.

The increased focus in recent times on the need for a direct statutory cause of action for consumers under Australian privacy laws, is compelling. Although current Australian laws do not provide individuals with specific statutory rights for a breach of privacy, and there is currently no recognised tort of invasion of privacy, there is increasing pressure to make remedies of this kind available to consumers in Australia. Such remedies could be modelled on the statutory right to privacy currently enjoyed by UK and/or US consumers – locations where privacy class action claims are becoming par for the course – or they may take a different form. But the increased litigation-funding industry and heightened awareness of privacy issues among consumers here, herald that inevitable change is on its way. This is echoed also by a tougher approach to enforcement that is being taken by more active regulators, including the recent Facebook/Cambridge Analytica court proceedings initiated by the OAIC; their handling of the ‘class action’ complaint lodged against Optus earlier this year, and the recent ACCC cases against a leading US search engine and internet-services company for various privacy breaches.

Combine this with the newly introduced direct right of actions for consumers under the Consumer Data Right (for breaches of the Privacy Safeguards), in the banking sector at least, it would appear that change has already taken shape.

What should I do now?

Businesses operating in every sector – and of every size – would therefore be well advised to review their existing data processes, policies and procedures to determine their current level of maturity and compliance with the Act – and to prepare for any newly introduced reforms likely to arise out of this Review in early 2021. Increasing your defences and ‘battening down the hatches’ now is more advantageous than dealing with the costly and brand-damaging outcomes that can arise from any direct breach claims.

For more information, or if you would like support in making a submission to the AG’s Department on this Review, please contact Sinead Lynch (Senior Foreign Legal Counsel, Sydney). Information on the Review and details about making a submission can be found at www.ag.gov.au/integrity/consultations/review-privacy-act-1988