(Some) Privacy to the People (Maybe)

The Attitudes to Privacy Survey conducted by the Office of the Australian Information Commissioner in 2020 (Privacy Survey) reported that privacy is an increasing area of concern for Australians, with 9 in 10 wanting ‘more choice and control over their personal information’.

On 12 December 2019, Attorney-General Christian Porter announced that the Federal Government will be conducting a comprehensive review of the Privacy Act 1988 (Cth) (Privacy Act) (the Review).

Background

The Review will consider the changes recommended by the Australian Competition and Consumer Commission’s (ACCC) Digital Privacy Inquiry. The ACCC’s inquiry identified certain inadequacies in the Privacy Act, including its inability to provide sufficient protection to an individual’s personal information and to act as a deterrent against harmful data practices.

A discussion paper will be released in 2021 which will provide members of the public, business, non-profit organisations and public sector agencies an opportunity to make submissions based on the preliminary outcomes of the Review, including any possible reforms.

Focus of the Review

The Review seeks to bring privacy regulations more in line with the realities of online use and the increased ease with which personal information is collected, used and disclosed due to technological developments in the area of artificial intelligence and data analytics. The Attorney-General has emphasised the need for a ‘privacy regime that is fit for purpose’ and is consistent with the ‘growing digital economy’. The Attorney-General also emphasised the need for reforms to develop a ‘practical and proportionate framework for promoting good privacy practices’.

The Review will focus on empowering consumers by increasing the transparency surrounding the collection, use and disclosure of personal information.

Scope and Application

As the Privacy Act governs the collection and use of ‘personal information’, it is important that the Privacy Act also reflect today’s digital economy and provide the relevant protections for consumers as to how their data is collected and used.

One proposal before the Review is to expand the definition of ‘personal information’ to specifically include the growing variety of technical data collected and used by organisations, namely IP addresses, device identifiers, and location data.

Such an amendment would bring the Privacy Act into alignment with international standards, including the European Union’s General Data Protection Regulation (GDPR). As we saw in January 2019, breaches of the GDPR can result in large sanctions (for example, Google was fined $57M by France’s data watchdog, CNIL (see previous WR article)).

Potential for direct rights of action

The most influential of the Review’s considerations will be the potential increased scope and application of the Privacy Act, and whether direct rights of action and a statutory tort for serious invasions of privacy should be introduced to increase the ability of consumers to enforce obligations under the Privacy Act.

Australia, unlike the United Kingdom, New Zealand, and Canada, does not currently provide consumers with a direct right to seek redress against a party or entity that has misused their personal data or breached their privacy.

The Privacy Survey reported that approximately 78% of Australians believe that they should have a right to seek legal action and compensation for a breach of privacy.

The Review will consider the ACCC’s recommendation to strengthen individuals’ rights within the current privacy scheme to provide consumers with a direct right to bring a claim (including by way of a class action) against an entity under the Privacy Act.

The ACCC’s recommendation was that the direct right of action should be accompanied by the introduction of a statutory tort for serious invasions of privacy, which has previously been recommended by the Australian Law Reform Commission.

By providing consumers with a direct right of action, courts will be able to interpret the Privacy Act, and hopefully provide greater clarity and guidance for breaches of the Privacy Act, including the standard for penalties and compensation in relation to privacy breaches.

Given the increased use of digital platforms, including the transition to online working environments due to COVID-19, the proposed changes are more important than ever for the protection of personal information.
