Australian Privacy Law to be “Much More like GDPR”

The Attorney-General's proposed changes to Australian privacy law and the Government's recent response will re-shape the approach of business privacy in Australia.

Under the stated aim of making Australian privacy law “more like the GDPR”, the Attorney General’s proposed 116 changes in the report on their review of privacy law (Report) and the Government’s recent response to the Report (Response) will significantly “shift the dial” for Australian privacy law when legislated over 2024 and 2025: its content/obligations and its enforcement, and re-shape the approach of business privacy in Australia.

The Government “agreed” with 38 of the 116 proposed changes in the Report, mostly increasing the powers of (and encouraging enforcement by) the Office of the Australian Information Commissioner (OAIC) including the Privacy Commissioner. These agreed changes also amend existing definitions and prescribe specific measures required to meet current umbrella obligations. It is these 38 agreed changes which are likely to be included in the amending legislation to be introduced by the Government in August 2024. 

Another 68 of the more significant proposed changes from the Report have been “agreed in principle” by the Government in the Response. These are subject to some limited further engagement with those to be impacted by the changes (and a "comprehensive impact analysis") before the Government finalises the scope of each proposed change and the best means of implementing it. 

The “agreed” changes to the Privacy Act

The “agreed” changes clarify and simplify key definitions and concepts used in the Privacy Act and in the Australian Privacy Principles (APPs), in order to address the numerous submissions by business indicating that it was not sure what was meant by or how to meet the obligations under the Privacy Act and APPs. The increased clarity and simplicity for business is supplemented by a significant number of changes to administrative provisions giving both increased and more targeted OAIC powers and a “push” to strengthen (and encourage more) enforcement by the OAIC. 

The “highlights” of the agreed changes likely to have the most immediate impact on business are:

• The introduction of a criminal offence for malicious re identification of de identified information where there is an "intention to harm another" or to "obtain illegitimate benefit". The definition of "obtain an illegitimate benefit" will likely create a wide range of behaviours that will constitute this criminal offence.
• The combined changes introducing mandatory Privacy Impact Assessments (PIAs) for "high privacy risk activities" (agreed in principle but linked to an agreed change) and a requirement for enhanced risk assessments for the use of facial recognition technology and other biometric information. Together with the OAIC’s guidance(s) for new technology and emerging privacy risks, this will be a significant change to the current required privacy risk assessment practices, requiring more "up front" privacy-related effort and analysis (along “Privacy by Design” lines) by business. 
• The changes to how to deal with the privacy of children and vulnerable persons will impose significant new obligations on business. 
• Further detailed guidance on the "reasonable steps" under the information security obligation (APP 11.1) will specify who business must consult with, include the GDPR concept of "technical and organisational methods" to be specified, and set out the steps that will be considered reasonable as regards the de identification or deletion of personal information under APP 11.2. Despite being “guidance”, these will become de facto minimum standards required to be implemented in order to meet the privacy law obligations under APPs 11.1 and 11.2.
• Finally, there are greater and more targeted powers for the OAIC and a wider range of available (i.e. layered) penalties “encouraging” the OAIC to do more in enforcement. The establishment of new “mid tier” and “low-level” civil penalties (and giving the OAIC the power to levy them directly) will mean the OAIC will be a much more active presence at all levels of business across all sectors.

What to expect from the “agreed in principle” proposed changes

When taking into account the:

• change in community and Government attitudes toward privacy over the last 12 - 24 months,
• acceleration of this change brought about by the recent spate of high-profile and very public data breaches,
• Government's very public reaction to the high-profile data breaches,
• increase of the fine for serious or repeated breaches of the privacy law in December 2022 from up to $2.2 million (at the then indexed rate) to the greater of $50 million or 30% of revenue for the greater of 12 months or the length of the relevant breach of the Privacy Act/APPs,
• move back to a separate dedicated Privacy Commissioner within the OAIC, 
• increased funding in the budget for the OAIC, and
• amending legislation (likely for the agreed changes) to be introduced in August,
• this all points to a break from the recent history of “agreed in principle” amendments never seeing the light of day. That is, the agreed in principle changes will be addressed expeditiously and likely settled and legislation introduced by the Government within the next 12 to 24 months.

The following agreed in principle changes will likely have the most business impact when legislated:

The amendments to definitions including the terms "personal information", "sensitive information" and the elaboration of other terms/concepts such as "reasonably identifiable" with non exhaustive lists of circumstances to be considered. These changes will increase the privacy obligations of business much more than is apparent on their face. For example, the change to the definitions of personal and sensitive information to "related to" (rather than “about”) an individual (following the GDPR) will significantly widen the range of data held by business which will be subject to privacy obligations. 

The expansion of the definition of "collection" and that sensitive information can be inferred (and thus collected) from non sensitive information will challenge the current data models of business. Likewise, the changes to the definition of "de identified" will have a significant impact on both business with large de identified data holdings and all who have not, to date, been rigorous in their de identification procedures. 

While not a significant departure from existing legal requirements, in practice the “confirmation” of the consent requirements and better facilitating the withdrawal of consent, together with the additional matters for which consent is required, will require the uplift of existing policies, practices and procedures. 

The introduction of a "fair and reasonable" assessment obligation will impose a level of privacy consideration that, in practice, has not been widely adopted in Australia to date. Business will struggle to understand why, if they meet all APPs and other privacy law requirements, they cannot undertake a certain activity because it may not otherwise be considered as “fair and reasonable” in the totality of the specific circumstances.

The change requiring an organisation to determine and record the purposes for which it proposes to collect, use, and disclose personal information before commencing such collection and use, while overlooked in most commentary, will have a disproportionate impact on business. The obligation to consider, upfront, what personal information it wishes to collect, whether it is entitled to do so under the APPs/Privacy Act and/or if there is a less privacy intrusive way (i.e. not collecting personal information or collecting less of it) to meet its objectives, will substantially shift privacy risk management for business to more of a “Privacy by Design” approach. 

The introducing of the EU/GDPR concepts of "controller", "processer" and “Standard Contractual Clauses” will both change and, for “controllers”, increase the privacy obligations adding more oversight of and responsibility for their “processers”. These changes will add a significant burden on business, especially in the 12 to 24 months after they are passed.

What can business do now?

With August 2024 fast approaching, business should now be uplifting their privacy compliance to at least meet the current requirements. If a business is not fully compliant with the current privacy law, it will face an uphill battle to comply within the “transition period” with the announced changes: that is, to uplift or add the necessary policies, procedures, and practices to meet the uplifted and new obligations. 

Any privacy or cyber security related work now being undertaken (until the changes are legislated) must build in the flexibility to meet/comply with the changes once they become effective. That is, to “future proof” business against the significant announced changes to the privacy regime once they are legislated in 2024 and 2025.