
Australia's blueprint for privacy reform – what you need to do today


    Watch the webinar: Our panel of legal and risk experts examined the Government's response to the Privacy Act Review Report, and what organisations can do to now prepare. A recording of the webinar is available here.

    What you need to know

    • On 28 September 2023, the Australian Government set out a blueprint for a generational change to privacy regulation in Australia by releasing its response to the Privacy Act Review Report.
    • Privacy reforms are part of a broader agenda to improve digital safety and cyber resilience. Recent moves include an updated digital ID bill, a spotlight on cyber security and a renewed focus on artificial intelligence and automated decision-making. Strong public expectations for greater digital regulation underpin this political commitment for legislative change.
    • Of the original 116 recommendations, the Government has agreed with 38 and agreed in-principle with 68. With draft legislation to implement reforms due in 2024, stakeholders need to prepare now for tight and targeted consultations to shape and refine the proposed changes.
    • Organisations will need to do more than just update policies – work needs to begin now to plan and build the systems and capabilities to thrive in a more transparent, more user-centric, and more tightly regulated data economy.
    • In this publication, we explore firstly the practical steps you need to take now to prepare for coming reforms (and why), and secondly we take a deep dive into some of the key reforms that will transform Australia's digital landscape.

    What you need to do

    • Preparation starts now – don't wait for legislation – start working now on understanding where uplifts are required, where gaps may exist, and what steps you need to take to ensure you are ready to respond to the reforms. Change programs will for many organisations involve multi-year modernisation programs with significant technology and business impacts, which means kicking off capability analysis and discovery work as soon as possible.
    • Understand how you use, or will use, automated decision-making in your organisation – likely to be an early focus.
    • Get ready for a tougher enforcement and litigation environment – with increased penalties already in play and enhanced capabilities, resourcing and powers on the way, expect more engagement from the privacy regulator, as well as increased focus on data and privacy from other regulators. There is a spotlight on recent privacy class actions and representative actions, a risk that will only increase with direct rights of action and a statutory tort of invasion of privacy. A structured and planned litigation, regulatory engagement and response strategy can help your organisation remain focussed on core business.
    • Health check your privacy governance – Organisations will be expected to already have adequate processes, procedures and systems in place. With a tougher regulatory enforcement environment expected in the short term, and an acceleration in reforms, address pain points and gaps sooner rather than later.
    • Focus on capability, not just compliance – and communicate the value of investment – Reforms are coming thick and fast on all fronts. Support business cases for investment by investing in capabilities that help solve multiple risk, compliance, reputation and business challenges.
    • Build regulatory reform into your tech roadmap – Legacy systems accrue technical debt over time, becoming more complex and inflexible. Review your digitalisation or modernisation programs against the reform agenda – should some systems be retired or upgraded earlier or later than planned?
    • Plan your talent pool – Organisations across Australia will be looking to do the same work in the same timeframes, with the same labour and service provider pool. Start planning now for how you will recruit and retain privacy and tech talent, or find the right partners to help get your organisation where it needs to be. Consider skills development programs, succession planning and embedding data and privacy capabilities throughout the business.
    • Prepare for consultation – Be prepared to help the Government understand or quantify impacts of reforms, with the Government flagging the importance of stakeholder consultation and impact analysis in finalising laws. In order to do this, start considering the cost and complexity of implementing the reforms. Important issues are increasingly considered in Senate committee inquiries after bills have been introduced, providing additional opportunities to have your voice heard.

    A blueprint for privacy in the digital age

    The Australian Government has released its eagerly anticipated Response to the Privacy Act Review Report, looking to make Australia's privacy laws fit for purpose in the digital age.

    The Government has agreed or agreed in-principle with the vast majority of the Privacy Act Review Report's 116 recommendations – read more about the report and recommendations in our previous article. While the proposals have already been the subject of extensive consultation, the Government's response makes it clear that there is still significant scope for most proposals to be shaped and refined through further consultation – be prepared for quick and targeted engagement, however, as legislation is expected to be introduced in 2024.

    What will these reforms mean?

    Reforms in the pipeline require much greater transparency, traceability and risk management. Organisations will need to understand more about their operations and data, and be able to explain it to customers and regulators. And they will need the technology and governance in place to make it happen.

    Proposed reforms, together with last year's privacy reforms, which increased the maximum penalties under the Privacy Act, bring a much more empowered and capable Office of the Australian Information Commissioner (OAIC), with a much more flexible investigation and enforcement toolkit. A promised strategic review may bring new resourcing, an industry funding model, contingency funds for litigation costs orders and an enforcement special account to fund high cost litigation. Organisations will be under pressure to demonstrate compliance with existing obligations while building capacity to comply with new obligations in the pipeline.

    And more regulators are weighing in on cyber and privacy risks – from the Australian Securities and Investments Commission (ASIC) targeting directors managing cyber risks and continuous disclosure during a cyber attack, to the Australian Prudential Regulation Authority using the new operational risk management standard CPS 230 to "light a fire" under regulated entities, to an increasing Australian Competition and Consumer Commission (ACCC) focus on privacy as a consumer protection issue.

    This may place organisations at the centre of a change management storm, balancing evolving customer expectations, an activist and enabled regulatory enforcement environment, competing demands and a rapidly tightening market for data, privacy and security talent. The talent squeeze will become more acute as the reforms progress – organisations across Australia will be looking to do the same work in the same timeframes, with the same labour and service provider pool.

    Getting up to speed on your current compliance obligations

    While there is a temptation to wait for draft legislation before taking action, it is clear that reform proposals are built on the assumption that processes, procedures and systems are already in place to support current compliance.

    Organisations that do not have this foundation in place prior to the reforms being enacted will struggle to demonstrate compliance with existing obligations, let alone meet new ones.

    The work programs required to uplift visibility, control and governance of data practices will for many organisations involve multi-year modernisation programs with significant technology and business impacts – the changes will mean doing business differently, not just doing compliance differently.

    See below for practical steps to take to get ready for the reforms, followed by a deep-dive into some of the key areas.

    Part 1: Practical steps to take today

    The first step is to baseline today's organisational capabilities. This means asking the right questions to identify gaps and capability uplift opportunities, and to understand which of those capabilities matter the most.

    There are five critical questions you should be asking today.

    1. Is your governance framework up to the challenge?

    An operational privacy risk management framework is essential for larger organisations. Hallmarks of an adequate framework include:

    • Clearly delineated risk management roles and responsibilities (including those assigned to process owners, privacy/risk teams, and an internal audit function);
    • Privacy risk reporting that ensures privacy risks are accurately communicated and escalated to senior stakeholders;
    • Clear and actionable internal policies and standards that guide operational staff in their daily roles; and
    • Compulsory privacy training for all operational staff, with a consistent evaluation of completion rates as a crucial performance indicator.

    Privacy cross-collaboration is critical in bolstering strategic alignment and in operationalising a privacy risk management framework. This can be achieved through cross-collaboration forums and dedicated Management Committees. Such initiatives will enhance strategic alignment and coordinated privacy risk management efforts when chaired by cross-disciplinary stakeholders (including your CISO, CRO, GC, and Head of Privacy).

    2. Is risk assessment built in?

    Make sure that specific milestones or points within the project management lifecycle are designated for assessing risk and integrating Privacy by Design advice – don't assume it will just happen. This ensures that privacy is a core aspect of project development and execution, and reduces the risk of costly remediation.

    Similarly, it’s crucial to verify whether this approach is consistently applied in areas such as Privacy Impact Assessment (PIA), Cyber Security, and Third-Party Risk Assessment, ensuring a comprehensive and integrated risk management strategy across all organisational projects and initiatives.

    3. Do you have visibility across your data estate?

    In evaluating your organisation’s data management, it is essential to determine whether there is a centralised view of the location, volume, and types of personal information held. This overview should encompass visibility of how data is managed across its entire lifecycle, from the point of collection or generation, through to its deletion, enabling you to identify and remediate current risks and track changes in risk over time.

    Without visibility of your data estate, it is impossible to govern your data effectively.

    4. Are you prepared for a data breach?

    Data breach preparation is a key component of a mature privacy risk management framework. Without adequate preparation, an extra layer of complexity is unnecessarily added to the already difficult task of data breach response and recovery.

    Key to this preparation is codifying clear roles and responsibilities within a comprehensive data breach response plan. Such a plan should detail processes for each stage of the breach response, including detection and identification, containment, recovery, notification, as well as review and improvement stages.

    Practising response processes in simulated crisis scenarios for leadership teams and boards is another critical, yet often overlooked, part of data breach response preparation. Implementing these components in your privacy risk framework ensures a well-orchestrated and robust response to any data breach occurrences.

    5. Do you understand your automated decision-making?

    Knowing how and where automated decision-making is used (and keeping this information current) will be a new challenge for many organisations – requiring strong organisational transparency and traceability in data flows and business processes.

    It will be impossible to explain automated decision-making to a customer or regulator unless you have detailed and current knowledge about your data and business operations – adopting a risk-based approach to identifying the areas that matter most.

    Ask:

    • Have you implemented robust risk management practices relating to automated decision-making processes to ensure security, transparency, and responsible data handling?
    • Are the automated decision-making processes within your organisation opaque or potentially harmful?

    We take a closer look at the Government's reform agenda below.

    Part 2: A deep dive into the reforms

    Few of the 116 proposals in the Privacy Act Review Report are "off the table" – although the Government has made it clear that there is still significant scope for proposals to be shaped and refined.

    The Government:

    • agreed to 38 proposals: including important changes to make regulatory investigation and enforcement simpler, and to bring transparency to automated decision-making. These changes are likely to become law faster – potentially with more limited "targeted" stakeholder consultation. Expanded regulator powers will likely become effective quickly, without transition periods.
    • agreed in-principle to 68 proposals: the bulk of the proposals, which will require further stakeholder consultation and impact analysis – including in the development of guidance and transition periods.
    • noted (and did not agree) 10 proposals: some of these may be addressed by other means – for example, we may see targeted codes or standards implemented faster than would occur for broader economy-wide law reforms.

    Language used in the Government response often differs from the original Privacy Act Review Report. In some cases, this might be simply to make the response easier to read. However, differences may signal how the Government will take proposals forward, explaining why so many proposals are "agreed in-principle" (rather than "agreed").

    We explore some key proposals and overall themes we are seeing below.

    Agreed: Regulatory flexibility, enforcement and penalties

    The Government has agreed to give the regulator more flexibility and a stronger regulatory toolkit – likely to drive more investigation and enforcement action.

    As last year's reforms demonstrated, changes to regulatory and enforcement powers can happen quickly, without further consultation or transition periods.

    The expanded regulatory toolkit includes a binding codes and standards framework similar to those of the eSafety Commissioner, broader powers around emergency declarations, broader investigative powers, the ability to conduct public inquiries and reviews, and broader information sharing powers following data breaches.

    The Government has also agreed broader consequences for non-compliance – including:

    • Penalties: clarifying how last year's massive new penalties for serious interferences with privacy will apply, and introducing mid and lower tier penalties for less serious or administrative non-compliances.
    • Broad new orders and declarations: allowing courts to make any order they see fit once a civil penalty for interference with privacy is established, and for the OAIC to direct entities to identify, mitigate and redress actual or foreseeable loss or damage.

    We may see an increase in very high value penalties, as well as more capability to pursue a broader range of smaller targets. The OAIC has been challenged recently in Senate budget estimates on whether it will pursue penalties for data breaches. We may also see civil penalties used to drive compliance with the OAIC's investigation and information gathering activities.

    Agreed: Automated decision-making

    Government has agreed to all proposals on substantially automated decision-making (SADM), sending an extremely strong signal that the issue is high on the legislative agenda, and that legislation is likely to closely reflect the Privacy Act Review Report positions.

    Automated decision-making in some form is widely used including to bring efficiencies, or to allow personalised or tailored services. Although it is often discussed alongside artificial intelligence, they are not the same: automated decision-making can include business rules or processes used to make decisions, as well as more complex artificial intelligence models.

    The reforms will require:

    • Transparency: making it clear what personal information is used in automated decision-making – which might include collected, inferred or generated information.
    • Explanation: giving individuals meaningful information about the decision.

    The reforms apply to decisions that are substantially automated, framed this way to prevent entities from simply including a negligible human approval or rubber-stamp in the process to avoid the requirements.

    Those decisions must have a legal or similarly significant effect on an individual's rights. The Government has said the new laws could extend to denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water. However, in Europe, decisions in ride-sharing apps have been found to meet this threshold – including assigning rides; calculating prices; rating drivers; and calculating fraud probability scores.

    The Government has also clarified that information provided to individuals should not reveal commercially sensitive information – a key concern under Europe's current automated decision-making transparency rules and more extensive proposals for the regulation of artificial intelligence.

    The SADM proposals do not extend to specific rights to object or request human review of a decision. However, we may see further reforms as part of the Government's response to the Supporting Responsible AI consultation or the Royal Commission into the Robodebt Scheme. For example, the Royal Commission into the Robodebt Scheme includes recommendations, in relation to government automated decision-making processes, for review of automated decisions, making business rules and algorithms available for expert scrutiny, and granting powers to a body to audit those processes.

    Complying with the new rules proposed under the Privacy Act will require:

    • a strong understanding of how automated decisions are used throughout the business;
    • an active and engaged risk assessment program that assesses potential impacts of SADM on individuals;
    • traceability of data used for automated decision-making; and
    • the ability to explain SADM practices to customers – and to keep that information current as business and technology evolves.

    Automated decision-making will be significantly impacted by a broad range of other proposals – from changes around permitted uses of information, to more granular consents, to new requirements for privacy impact assessments for high-risk activities.

    Generally agreed: Cyber security

    In response to consumer concern around several high-profile data breaches, the reforms took a predictable aim at security of personal information.

    The Government has agreed to enhance current obligations to take reasonable steps to protect personal information to include both technical and organisational measures (adopting language from Europe's GDPR), largely a codification of current OAIC guidance. The Government has also agreed in-principle to new requirements to implement practices, procedures and systems to respond to a data breach.

    Entities will need to reconsider their cyber security practices, procedures and systems (including organisational practices, hardware, software, networks and suppliers) to make sure they meet the "reasonable steps" requirement in a rapidly evolving cyber security environment – and be able to prove it to the regulator.

    The occurrence of a cyber attack does not necessarily mean a breach of privacy laws – but investigations often reveal compliance problems in "business as usual" management of information – failure to take reasonable steps to secure it, or not having adequate practices, procedures and systems in place. Increasingly, regulators are looking to pro-actively investigate privacy and security capabilities before a data breach occurs – emphasising the need for formal, documented and accurately maintained risk management and incident response frameworks.

    The Government has also agreed in-principle to review all legal provisions requiring retention of personal information, reflecting a similar commitment in the National Strategy for Identity Resilience. Read more about data retention and data minimisation strategies you can pursue in our article on identity resilience and digital identity, and in our submission to Australia's 2023-2030 Cyber Security Strategy.

    Agreed in-principle: Notifiable Data Breaches

    Currently, an organisation must notify the OAIC as soon as practicable after it becomes aware that there are reasonable grounds to believe an eligible data breach has occurred. The Government has agreed in-principle that notification should happen within 72 hours at the latest, with the ability to notify further information progressively as details emerge, aligned to cyber incident notifications for critical infrastructure.

    Organisations must also notify affected individuals as soon as practicable. Again, the Government has agreed in-principle that information can be notified progressively. This may in practice mean organisations will be under pressure to give more limited notifications earlier, before full details are understood.

    As noted below under Other changes of note, the Government has agreed in-principle to the introduction of a controller/processor distinction similar to the concepts used under the GDPR. One implication of this change may be that only the controller (and not the processor) is required to undertake data breach notifications, potentially simplifying circumstances where a data breach relates to multiple entities.

    A tighter focus on reporting timeframes may increase the risk of adverse public relations and customer outcomes for entities in having to publicly disclose data breaches before they have been fully investigated – as recent incidents have demonstrated, knowing a data breach has occurred can be very different from understanding exactly what data or individuals are impacted, to what degree, and what should be done in response.

    To navigate these risks, organisations need incident response plans that include the ability to stand up and execute strong and secure decision-making, approval and regulator engagement processes. Organisations will also have to ensure they have a comprehensive oversight of their data estate before an incident occurs – incident responses become significantly delayed when organisations first have to discover the types of data stored in an affected asset.

    You can read more practical tips on managing incident notification obligations in our article on recently commenced cyber incident reporting obligations for critical infrastructure sectors.

    Agreed to consult: When Australian privacy laws apply to overseas activities

    The Government has agreed to consult on clarifying last year's amendments, which meant that collecting personal information in Australia was no longer a requirement for Australian privacy law to apply. These amendments gave rise to concerns that so long as an organisation is doing business in Australia, all of the personal information which it collects, regardless of its geographical source, is regulated by the Privacy Act (as noted in Clearview AI Inc v Australian Information Commissioner [2023] AATA 1069). Traditional notions of what it means to be "doing business in Australia" in the context of the Privacy Act in a digital age are also coming into question.

    In passing last year's amendments, the Government accepted the Senate Legal and Constitutional Affairs Committee recommendation to examine this issue further. The Government will be under pressure to clarify this uncertainty sooner rather than later.

    In any event, multi-national company groups should carefully consider how data from different jurisdictions is managed, by what group companies – and which group companies might be "doing business in Australia" (including by providing services to other group companies). Multi-national organisations will need to make strategic decisions about whether to harmonise global business practices to comply with a pastiche of jurisdiction-specific data privacy regulations, or if business and data operations can be structured so that only local group companies need to manage local laws.

    Agreed in-principle: Fair and reasonable – a new keystone of the Australian privacy framework

    In welcoming the Privacy Act Review Report, the OAIC pointed to the new "fair and reasonable" requirement as shifting the burden of safeguarding privacy from individuals to organisations, describing it as a "new keystone of the Australian privacy framework".

    The proposal will require any collection, use and disclosure of information to be fair and reasonable in the circumstances – even where an organisation has obtained consent.

    The Government has described the test in terms of a balancing act – making sure impacts on individuals and the public interest in protecting privacy are considered alongside an organisation's interest in carrying out its activities or functions. This balancing of interests is similar to the ability to use information for a "legitimate interest" under European privacy law – with the important difference that the Australian "fair and reasonable" test will apply to all handling of personal information, including with consent.

    This new test will apply another overlay to existing principles-based rules, and will likely add further uncertainty and complexity. Organisations will need good visibility of their data handling practices, an active assessment and review process, and transparency in policies and collection notices to ensure the "fair and reasonable" test is actively applied in their business, and have comfort that data handling practices and new innovations are not open to challenge.

    New: Personal information of unknown individuals

    In a key departure from the Privacy Act Review Report recommendations, the Government has flagged that it will expand the scope of personal information governed by the Privacy Act to include information that relates to an individual, “even if the identity of the individual is unknown” – for example, tracking shopping or internet browsing by the user's IP address, mobile device or using cookies. This concept refers to the ability to single out a person even if identity details (such as their name) are not known.

    The Privacy Act Review Report concluded this information should not be covered by the definition of personal information, and instead that limited additional protections should apply to de-identified information (a proposal that the Government noted, but did not agree with).

    Instead, in its response to the Privacy Act Review Report, the Government stated that it considers that information will be personal information regulated by the Act if it (by itself, or in combination with other information):

    • presents a risk of identification or re-identification that is higher than low or remote; or
    • is sufficient to be linked to an individual (distinguishable from all others), even if their identity is not known.

    This change could have significant implications for what data is regulated. Data sets used and traded by businesses and researchers might currently be de-identified to the point that there is a low or no risk of re-identification, but that data might still contain enough information to distinguish an individual from all others – there's a very real risk that this data may be covered by Privacy Act protections in the future.

    This is a significant change to the scope of Australian privacy law. We expect the Government will consult further on this issue, and consider how de-identified data should be protected through other mechanisms. However, organisations should prepare for the very real risk that much more of their data will be covered by the Act – even outside of this concept, the Government has also agreed in-principle to clarify that personal information is an expansive concept that includes technical, inferred or generated information.

    Agreed in-principle (mainly): Direct marketing, targeting and trading

    We will likely see a much stricter regime for all of these activities, ensuring the individual has some degree of control over them.

    • Targeted advertising? While the Government "noted" (and did not agree) to an unqualified right to opt out of targeted advertising, digital businesses shouldn't breathe a sigh of relief just yet. The Government has said that it will consider how to give individuals more choice and control – for example through layered opt-outs or industry specific codes. Targeted interventions might come into play faster than would occur for broader economy-wide law reform.
    • Opt-outs for direct marketing – but what is marketing? The Government has agreed in-principle that individuals should have an unqualified right to opt out of direct marketing – but flagged the need to refine the definition. Changes should be harmonised with the Spam Act and Do Not Call Register. Organisations will not only need stronger mechanisms to track direct marketing consents and opt-outs, but streamlined processes to identify which activities will be considered direct marketing, targeting, or spam.
    • Consent for data trading: Trading includes the disclosure of personal information for a benefit, service or advantage. This would seem to have significant scope to affect legitimate disclosures of personal information which would not fall within the normal conception of 'trading'.

    Applying these rules to information about individuals who are not known (as discussed above) may be extremely complex – for example, managing opt-outs or consents of unknown individuals. Further consultation on exactly what "marketing", "targeting" and "trading" covers will have significant implications for who is more tightly regulated, and who is not.

    Agreed in-principle: Employee records and small business

    The Government has emphasised that changes affecting employee records and small business will need significant further consultation to manage impacts.

    The proposals stop short of calling for complete removal of the employee records exemption. Instead, the Government agreed in-principle to consider how enhanced privacy protections for private sector employees may be implemented in legislation, including how workplace and privacy laws should interact. Areas of note from the Privacy Act Review Report include transparency, protecting the security of employee records, and requirements for consents in collecting sensitive information, all while maintaining adequate flexibility.

    While consent and similar requirements have driven a level of traceability and systematic management of customer records, the broad range of often unstructured information collected about employees can be practically much more difficult to manage. To get ahead of likely reforms, as well as to protect the security of employee data, uplift programs should include a focus on ensuring robust collection, security, retention and destruction policies for employee records.

    Whether employee records protections are progressed or not, organisations must bear in mind that the current exemption is not bulletproof – for example, the Privacy Act applies to collecting information before it is added to an employee record, or to use or disclosure not directly related to the employee relationship.

    Agreed in-principle: Transparency and control

    The Government has agreed in-principle that consent must be voluntary, current, specific and unambiguous – a codification of current OAIC guidance. These requirements will have far-reaching implications in practice.

    • Seeking fresh consent may create customer friction and inadvertently drive away customers – the need to regularly seek fresh consents has been criticised in the Consumer Data Right, with recent amendments allowing business customers to give longer term standing consents.
    • As consent has to be specific, it is unlikely organisations can obtain bundled consents covering broad purposes. We might also see longer and more detailed collection statements/notices, contributing to consent fatigue.
    • Depending on transitional arrangements, organisations might not be able to rely on consents collected in the past including, in particular, implied, bundled or opt-out consents. Even if prior consents can be relied on, many organisations will find it complex or impossible to apply different sets of rules and controls to older data.

    In another codification of OAIC guidance, the Government has agreed in-principle that privacy notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place. Collection notices should also include specific matters (for example, if information is collected, used or disclosed for high privacy risk activities). Balancing accuracy and completeness with keeping information concise and understandable is a growing challenge as business operations become more complex. For many organisations, keeping this information up to date will require active monitoring and near real-time visibility of personal information handling practices.

    Agreed in-principle: New individual rights

    The Government has agreed in-principle a range of new individual rights, and accompanying obligations for organisations to assist individuals to exercise their rights. These rights include:

    • Request an explanation of information held, and what is being done with it.
    • Object to collection, use or disclosure, and require an organisation to justify how its practices comply with the Privacy Act.
    • Right to erasure: The Government response includes the additional possibility that data might be de-identified rather than deleted, a slightly different approach to the original Privacy Act Review Report. Organisations will also need to pass the erasure request to third parties who have received the data, unless the effort to do so is disproportionate.
    • Request correction of online publications: Expanding the existing right to correct personal information to online publications within the control of the entity.
    • Require search engines to de-index certain online search results: an Australian-specific version of the "right to be forgotten".

    These new rights will not be absolute, but instead they will be subject to exceptions to balance the interests of individuals against other countervailing interests such as public interests. They will not apply for requests that are technically impossible, unreasonable, frivolous or vexatious.

    Meeting these requirements requires good visibility of business data operations, including strong traceability of data, purposes of collection and use, and consents. Organisations burdened by legacy systems may face significant compliance costs in simply managing interactions with customers, let alone taking requested actions. Organisations need to have strong governance structures in place to ensure operational staff are aware of their roles and responsibilities in responding to, and providing reasonable assistance to, consumers exercising their rights, with support from privacy subject matter experts in the form of process documents, policies and advice.

    Significant concerns about the potential administrative burden have not gone unnoticed – the Government has confirmed it will further consider the scope and application of these new individual rights in light of feedback about the administrative burden.

    Agreed in-principle: Internal governance and accountability

    Consistent with trends overseas, the Government's response signals more requirements to assess, monitor and record privacy activities and risks – looking to drive better internal governance, and require organisations to create and maintain the records the OAIC will need to investigate non-compliance. New internal accountability measures include:

    • Privacy Impact Assessments for activities with high privacy risks: Assessing risk and impact requires better visibility of data collected, the purposes for which it is collected, what the data may be used and disclosed for, how data is actually used, as well as data governance that links these things together. This extends to private sector entities a requirement that already exists for Commonwealth Government agencies.
    • Record of purpose of collection, use and disclosure at or before the time of collection (or for secondary purposes, before undertaking that secondary use or disclosure). The primary and secondary purposes to which information can be put without consent will be significantly narrowed – the primary purpose will be the original purpose of collection from the individual (not the purpose of a later recipient) and secondary purposes must be directly related to that primary purpose.

    These requirements can be seen as the minimum baseline of capability required to comply with other privacy obligations – for example, the ability to respond to an individual's objection to data handling practices requires an organisation to hold the records to explain the data collected; the purpose of collection; the details of any consent (and whether it was voluntary, informed, current, specific, and unambiguous); how the data was actually used or disclosed; the purpose of that use or disclosure (and whether it was a primary or secondary purpose, or covered by a consent) and finally an assessment of whether all of these things were fair and reasonable in the circumstances.

    While at first glance these changes may appear administrative, the complexity they could add to the business processes of an organisation should not be underestimated. Similar requirements exist under the GDPR, which requires detailed records of processing activities to be kept.

    Agreed in-principle: Direct right of action and statutory tort

    A direct right of action for breaches of the Privacy Act, and a statutory tort for serious invasions of privacy (for acts not covered by the Act), are likely to significantly expand liability exposure, especially arising from data breaches, and increase the risk of class action suits. The direct right of action could result in any order the court sees fit, including any amount of damages (potentially beyond the maximum penalties under the Privacy Act).

    Outside the Privacy Act, a statutory privacy tort would be more accessible than existing causes of action such as breach of confidence or defamation, particularly when claimants are able to take advantage of the new individual rights discussed above. It may also open up an avenue for claims against organisations or individuals who are not otherwise bound by the Privacy Act.

    In both of these cases, the expansion of rights that individuals have to bring claims directly in court also increases the potential class action risk, whether as a result of major data breaches or any other large privacy breaches that could arise in future.

    Other changes of note

    The proposed changes are numerous, and there are others not mentioned here that will also have a significant impact on the way that entities comply with their privacy obligations. In particular:

    • Controllers and processors: the Government has agreed in-principle to the introduction of the concepts of “controllers” and “processors” of personal information, with the aim of aligning closer to concepts used under the GDPR and similar laws, and help allocate responsibilities between organisations and service providers. Whether this is desirable or will simply add a layer of complexity remains to be seen.
    • Cross-border transfers: the Government agrees to the introduction of a mechanism to white-list countries that are considered “substantially similar”, and agrees in-principle to developing voluntary standard contractual clauses that could be used to support cross-border transfers where another mechanism is not available.
    • Children and vulnerable persons: the Government agrees that the age of a child should be defined as under 18, that a Children's Online Privacy Code should be developed, and agrees in-principle to restrictions on direct marketing to children. It also mentions that entities should undertake age assurance to ensure that the age of the person is established where appropriate. For both children and vulnerable people, further guidance will be developed on managing consents.

    Building the capabilities to outpace change

    We don't know the specifics of the reforms yet, but given how broad some of the changes are, entities can't afford to wait and see. We need to start building underlying capabilities today.

    Adapting to these reforms would be hard enough if complying with new privacy laws was the only thing on the agenda. Ashurst’s recent Risk in Real Life report found that legal teams are already struggling to keep up with the pace of change and feel significant risk exposure. Teams often feel disempowered, and face organisational barriers in their ability to manage company-wide risk. These challenges are coming into sharp focus with an accelerating rate of regulatory change, and heightened expectations from governments, regulators and customers.

    Outpacing change means developing the technical and organisational capabilities to understand the business in real time. Better visibility, governance, control and risk management capabilities will help organisations not only adapt to and thrive under coming privacy reforms, but improve cyber security and enable organisations to adapt to the increasingly intense and uncertain regulatory compliance and reform environment. Investment in core capabilities is a "no regrets" decision that can be made before we see the detail of coming reforms.

    Through close collaboration between Ashurst’s legal and risk advisory services, we help in-house teams outpace change, translating legal insight into risk-informed interventions, systems and controls to shift the dial where it matters most.

    To learn more about what you can do today to get in front of coming reforms, please reach out to the key contacts below.

    Authors: Tim Brookes (Partner, Digital Economy); Geoff McGrath (Partner, Digital Economy); Rebecca Cope (Partner, Digital Economy); Leon Franklin (Director, Risk Advisory); Andrew Hilton (Expertise Counsel, Digital Economy); Kendrick Deng (Associate, Digital Economy); and Michael Turner (Executive, Risk Advisory).


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 1 November 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
