Sarah Lang

The Privacy Act Review and how it affects your business

Updated: Mar 2, 2023


Since the large scale data breaches suffered by many major Australian companies in 2022, there has been an overwhelming push for tighter and more rigorous privacy laws to protect exposed consumers. Relevantly, the ACCC produced a report in December 2022 recommending stronger privacy regulation on digital platforms, and in response the Commonwealth Government commissioned the Attorney General’s Department to conduct a review. This review has resulted in the publication last week of the Privacy Act Review – Report 2022, which we examine in this post.


Why care?

The Report proposes direct changes for Australian small businesses. You may recall that currently small businesses with an annual turnover under $3 million are not required to comply with the Privacy Act 1989 (Cth), unless they engage in providing particular services such as health services. The Report has proposed the removal of this small business exemption, requiring all Australian businesses to fully comply with the Act in respect to their collection, handling, storage and destruction of customers’ personal information.


Further, the Report recommends amendments to the handling of employee personal information by businesses. Whilst not covered by the provisions of the Act, employee rights would still be bolstered to ensure employee data is only used in a way which is reasonably necessary to administer the employment relationship and would also provide protections in the event of a data breach or misuse of such employee information.


Reform proposals

Alongside the changes in application, the Report proposes a broadening of the scope and understanding of what constitutes personal information for the purposes of the Act. Under the proposals, IP and technical information and inferred information (such as consumer preferences and behaviours) would also be protected fields where connected to a consumer and not too remote. This recommendation is a reflection of the sophistication of current day data collection on social media through the use of algorithms.


The Report also reviewed the way de-identified data is handled. Australian Privacy Principle 11.1 governs businesses’ obligations in respect of protecting de-identified data from unauthorised uses, and the Report has recommended amendments to prevent the re-identification of de-identified data. Also notable amongst these amendments is a proposal to criminalise the malicious re-identification of personal data with the intention of causing harm or obtaining an illegitimate benefit, for example identity theft or data ransoms such as those we saw in Australia last year.


Currently, individuals with concerns about the use of their personal data may complain to the Office of the Information Commissioner (OAIC), which has discretion to decide whether, and what, recourse is appropriate, such as a fine or corrective action. The Review proposes to establish:

(i) a direct cause of action for affected individuals who suffer loss or damage as a result of an interference with their privacy, with compensation to be made available in the Federal Court in addition to OAIC’s existing complaints process; and

(ii) a statutory tort for the most serious invasions of privacy that are not appropriately recognised or compensated under current law.


The Report also makes recommendations in respect of:

(i) automated decision-making technology such as artificial intelligence;

(ii) clarification around the identification of data handlers as processors or controllers (adopting the language used in the European GDPR legislation);

(iii) improvement of the notifiable data breaches scheme for eligible data breaches, and the introduction of a right of erasure to allow individuals in some circumstances to have sensitive or inaccurate personal information removed;

(iv) minimum and maximum retention periods depending on the class of information held;

(v) the introduction of an obligation to act fairly and reasonably in the use of personal information;

(vi) greater protections for data belonging to minors and the use of information to target content toward minors; and

(vii) the introduction of privacy impact assessments for high risk activities.


Penalties

December 2022 saw a substantial increase in the maximum civil penalties for breaches of privacy that are serious or repeated. The penalties are currently the greater of:

(i) $50 million;

(ii) three times the value of the benefit obtained from the contravention; or

(iii) 30% of the adjusted turnover of the corporate group during the breach period.


The Report recommends the introduction of low- and mid-tier penalties for less serious breaches and interferences with privacy. To give you an idea of quantum, in line with the current penalty unit regime, such a breach could still result in a penalty of up to $5.5 million.


Next steps

The Attorney General’s Department is accepting submissions in respect of the proposed recommendations until 31 March 2023. Consultation with relevant and affected parties will follow, with legislative changes expected as soon as early 2024. If you run a business that gathers, uses, processes, stores or passes on personal information, now is the time to ensure your privacy policy is up to date and addresses these potential changes. Lang Legal is watching the review process carefully and would be happy to assist you.

