On 28 September 2023, the Australian Government released its response to the Privacy Act Review Report. The Report proposes changes to the Privacy Act 1988 (Cth). The response addresses the reform of current exemptions from the Privacy Act, and also aims to strengthen the protections afforded by the Act and improve enforcement of its obligations.
Of the 116 proposals contained in the Report, the response agreed to 38 proposals, while agreeing in principle with 68 and noting 10. The proposals that were agreed to will be implemented by way of legislative amendment, while the proposals agreed with in principle will be subject to further engagement and consultation with regulated entities to explore whether or how they can be implemented.
The Government’s response to the Review indicates we are likely to see the most significant changes to privacy legislation since the Privacy Act was first introduced. The prospective changes carry significant implications for all Australian businesses, including small businesses which are currently exempted from the Privacy Act.
Small business exemption removal
Currently, most small businesses with an annual turnover of $3 million or below are exempt from the Privacy Act. The reasoning behind this was that small businesses posed a low risk to privacy and that compliance with the Privacy Act would impose an unreasonable burden on them. In light of community expectations of privacy now extending to small businesses, the Government has agreed, in principle, to remove the exemption.
This means that, before enacting legislative amendment, the Government will first consult with small businesses and representatives on the impact of removing the exemption, what modifications to the Privacy Act obligations will be appropriate to ease the regulatory burden on small businesses, and what support they will need to adjust their practices to comply with the Act.
The Government also agreed in principle that, in the shorter term, small businesses engaging in activities that pose a significant privacy risk should not be able to rely on the small business exemption. This includes businesses that collect biometric information for identification and verification purposes, such as facial recognition technology, and businesses that trade in personal information with the consent of individuals.
Although only agreed with in principle at this stage, the removal of the small business exemption carries significant implications for small businesses, broadening the Privacy Act’s scope to cover all Australian businesses.
Employee records exemption reform
Private sector employers are currently exempt from complying with the obligations imposed by the Privacy Act’s Australian Privacy Principles (APPs) in relation to the handling of personal information relating to their employees.
This was done on the basis that employee privacy is better dealt with by workplace relations laws, but the Government has agreed in principle to consult with representatives on how private sector employees might be better protected by legislation.
Consultation will cover the interaction between privacy and workplace relations laws, as well as the impact and timing of this reform alongside the new privacy obligations that small businesses will face.
The Government accepted various other proposals aimed at improving protections for individuals, including:
- further consideration of how enhanced risk assessment requirements may be implemented for facial recognition and other uses of biometric information
- guidance to be developed by the Office of the Australian Information Commissioner (OAIC) on what reasonable steps an entity should take to keep personal information secure or to destroy or de-identify personal information
- development of a Children’s Online Privacy Code applicable to online services likely to be accessed by children
- requiring entities to set out in their privacy policies the types of personal information used in automated decision making for decisions that have a legal or similarly significant effect on an individual’s rights
- requiring entities to take reasonable steps to identify, mitigate and redress any actual or foreseeable harm suffered by individuals, with OAIC to publish guidance on how to achieve this.
The Government also accepted the following proposals that add clarity and flexibility to the operation of the Privacy Act:
- defining ‘child’ in the Privacy Act to be an individual who has not reached 18 years of age
- allowing the Information Commissioner to, on the approval or direction of the Attorney-General, make APP Codes where it is in the public interest and there is unlikely to be an appropriate industry representative to make a code
- prescribing countries with substantially similar privacy laws so that businesses can more easily disclose information to recipients in those prescribed countries.
A number of proposals were accepted that centre on bolstering the enforcement of the Privacy Act. These include the introduction of a tier system for civil penalties for interferences with privacy. The tier system will see the introduction of:
- a new ‘mid-tier’ provision for interferences with privacy that do not meet the threshold requirement of being serious
- a new ‘low level’ provision for certain administrative breaches of the Privacy Act and APPs.
The Federal Court and the Federal Circuit and Family Court of Australia will be given the power to make any order they see fit once a civil penalty relating to an interference with privacy has been established.
The Information Commissioner will also be given additional powers to enforce the Privacy Act, including:
- additional powers for investigation of civil penalty provisions
- the power to undertake public inquiries and reviews into a specified matter upon the approval or direction of the Attorney-General
- the power to, upon investigating a complaint, require an entity to take reasonable steps to identify, mitigate and redress actual or foreseeable loss suffered by an individual.
The response to the Review indicates we are likely to see the most significant changes to privacy legislation since the Privacy Act was first introduced.
The broadening of the reach of the Privacy Act and changes to penalties make understanding the amendments crucial for every Australian business.
Please contact a member of our corporate advisory team if you have any questions about the changes to the Privacy Act or any of the matters contained in this article.