In the Australian Government’s first step towards enhancing and enforcing privacy compliance in Australia, the Attorney-General’s Department has released two publications regarding amendments to Australia’s privacy regime:
- An exposure draft introducing amendments to the Privacy Act 1988 (Cth) (the Privacy Act), which will establish an online privacy code applicable to major online platforms and introduce increased penalties for non-compliance with the Privacy Act for all entities (the Online Privacy Bill); and
- A discussion paper seeking further submissions on up to 67 proposals to amend the Privacy Act and introduce a raft of amendments to Australian privacy law focused on increasing enforcement, empowering individuals and aligning Australia with global privacy regimes (the Discussion Paper).
The Online Privacy Bill is Australia’s immediate response to certain issues identified in the Australian Competition and Consumer Commission’s Digital Platforms Inquiry Report published in 2019 (the Digital Platforms Inquiry). While the Online Privacy Bill is still subject to public submission, we expect that the Australian Government will look to swiftly progress these reforms throughout 2022 in order to give more ‘teeth’ to Australia’s privacy regime while also effecting the Government’s commitment to further regulating major digital platforms.
The primary aspects of the Online Privacy Bill are:
- Enhanced penalties, with maximum penalties for serious and/or repeated breaches of the Privacy Act increasing from just over $2 million to an amount not exceeding the greater of AU$10 million, three times the value of the benefit obtained from the conduct or, if the value can’t be determined, 10% of the domestic annual turnover of the offending entity;
- Increased enforcement powers, introducing new mechanisms for the Australian Information Commissioner to enforce the Privacy Act (through new information sharing arrangements, expanded assessment powers, infringement notice protocols, and expanded scope of determination powers) and creating criminal penalties for multiple instances of non-compliance; and
- The online privacy code, being the implementation of an online privacy code (the OP Code) that will apply to social media providers, data brokerage services and large online platforms (platforms with 2.5 million or more annual end users in Australia). The OP Code is designed to enhance privacy protections for users of major digital platforms that collect and trade in high volumes of personal information. Entities subject to the OP Code will face more stringent versions of the obligations regarding the notice, collection and use of personal information that already exist under the Privacy Act, as well as new obligations, including a right for individuals to request that platforms cease using their personal information and enhanced protections for children and other vulnerable groups.
The Discussion Paper is another step in the increasingly lengthy process of reforming the Australian privacy regime generally. A follow-up to the initial Issues Paper published in October 2020 (itself a response to the Digital Platforms Inquiry), the Discussion Paper seeks public comment on a vast array of proposals to amend the Privacy Act. Notable proposals include the creation of a Federal Privacy Ombudsman, the introduction of torts of privacy enforceable by individuals, new rights for individuals to object to or withdraw consent regarding the processing and use of their personal information, and clarification of ambiguous terms of the Privacy Act, among others. A key focus of the Discussion Paper is the potential to implement terms that will align Australia with privacy regimes abroad, such as the European Union’s General Data Protection Regulation, or at least ensure that Australia’s system can act as a modular expansion of global privacy law through proposals to implement standard overseas data transfer terms and to remove exceptions to the Privacy Act to allow greater alignment with foreign privacy law.
While it is unlikely that all, or even a substantial majority, of the 67 proposals flagged in the Discussion Paper will be implemented, these proposals represent an opportunity for Australia to address holes in its current privacy regime and identify and implement the best elements of privacy compliance around the world.
What is clear from both the Online Privacy Bill and the Discussion Paper is that Australia is taking privacy more seriously. Although Australia was one of the first movers in establishing a holistic data privacy regime in 2012, its privacy regime has since stagnated in the context of privacy globally. These first steps highlight that Australia is not only looking to ensure it is at the forefront of privacy compliance once again, but also that it has the bite to enforce those standards.
Any interested party can provide responses to the Australian Government’s proposals by 6 December 2021 (with respect to the Online Privacy Bill) and 10 January 2022 (with respect to the Discussion Paper).
If you would like to discuss how these proposed changes could affect your business, or if you would like assistance with preparing responses to the Government’s proposals, please reach out to the authors.