Focus on the Key Reforms – Don’t Be Distracted by the Rest (Submission to the Australian Federal Attorney-General on the Privacy Act Review Report)
11 Pages. Posted: 13 Apr 2023
Date Written: March 30, 2023
When the national government changed in Australia in May 2022, the previous conservative coalition government had not completed reform of the Privacy Act 1988. However, over 200 submissions had been made to the Attorney-General’s Department (A-Gs), often critical of both a draft Bill on enforcement aspects and a Discussion Paper proposing wider reforms. Post-election, under the new Labor government, A-Gs continued to consider the submissions received, and in December 2022 published the Privacy Act Review Report, a 372-page report containing about 116 recommendations for reform under 30 main headings.
Legislation concerning enforcement had already been enacted in November 2022, following a number of large-scale data breaches, considerably strengthening penalties.
One main problem with both the Discussion Paper and the Review Report is that the recommendations made do not distinguish those that are useful and supportable, but only of modest effect, from those that are essential if there is to be real reform of the Privacy Act. The essential reforms are those which will force data processors to change their business practices and business models (and their equivalents in the public sector) for the benefit of privacy protection. The key to the success or failure of this reform of the Privacy Act is that it maintains its focus on those reforms that are essential to change business and government practices, and does not allow them to be lost in the confusion of discussing the remaining multitude of proposed reforms.
This Submission therefore concentrates on identifying the reform proposals that should be the focus of changes to the Privacy Act (marked ‘Enact’ or ‘Do not enact’), coupled with a brief statement of why they are so important.
The most important proposed changes to the Review’s reform proposals advocated in the Submission concern the need:
• To expand the definition of ‘personal information’, particularly so that ‘identifiability’ includes the capacity for ‘individuation’ or ‘interaction’ without requiring individual identification.
• To avoid making ‘de-identified’ information a separate category mid-way between ‘personal information’ and anonymous information.
• To expand the definition of ‘sensitive information’.
• To remove the small business, employee records, political and journalism exemptions as thoroughly and as swiftly as possible.
• To make the definition of ‘consent’ more precise (and like the GDPR).
• To support the proposal that processing in Australia ‘must be fair and reasonable in the circumstances’ as the foundation of the Act, but that this must allow the whole purpose of a processing activity to be found to not be ‘fair and reasonable’ on an objective test.
• To go beyond Privacy Impact Assessments for high risk activities, by regulation which allows some to be prohibited, including by assessments that they are not ‘fair and reasonable’ activities.
• To support the proposed new rights of the individual, but to also give individuals the right to require a determination by the OAIC on a dispute.
• To strengthen the rights in relation to automated decision-making.
• To support the right to opt-out of direct marketing and targeting, provided it is made stronger. To support the requirement of consent for trading in personal information, but only if forced consent is prohibited.
• To reject the inclusion of a distinction between controllers and processors.
• To reduce the dismissal of complaints under s41 by giving complainants the right to require a determination under s52.
• To support both the direct right of action (with modifications) and the statutory tort.
Keywords: Australia, Privacy Act, data protection, submission