The Online Privacy Bill and the Privacy Act review discussion paper
This article was written by Michael Swinson
An exposure draft has been released of a Bill that would require the development of a new binding code under the Australian Privacy Act to impose enhanced compliance obligations on social media providers, data brokerage services and large online platforms. The Bill also proposes to increase maximum penalties available under the Privacy Act and expand its extraterritorial reach.
At the same time, a new Discussion Paper has been released canvassing a wide range of general privacy reforms that would apply on an economy-wide basis. While the specific reform agenda is still being developed, this process is driving what will be the most significant developments in Australian privacy law for a decade or more.
Submissions may be made on both the Bill and the Discussion over the next couple of months.
On 25 October 2021 the Australian Government delivered an early-Christmas / post-lockdown treat for avid followers of privacy law by issuing not one but two major privacy law reform updates in the shape of an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) and a Discussion Paper on the review of the Privacy Act that was originally commenced almost exactly 12 months ago in October 2020. Both of these developments have major implications for all organisations that collect and use personal information.
Online Privacy Bill
The Online Privacy Bill has three main features:
- It establishes a framework for the development of a binding Online Privacy Code that would clarify how social media services, data brokerage services and large online platforms should comply with the existing Australian Privacy Principles (APPs) and also impose some additional compliance obligations on those organisations on top of the APPs. This will include clarifying how such organisations should satisfy existing transparency and consent requirements (such as by ensuring that their privacy notices are “clear and understandable”) as well as requiring them to give special consideration to the management of information about children and other vulnerable groups.
- It strengthens the enforcement options available to the Commissioner, most notably by delivering on the Government’s longstanding promise to align maximum civil penalties available under the Privacy Act with those that apply under the Australian Consumer Law (being the greater of: AU$10 million; 3x the value of the benefit obtained from the relevant contravention; and, if the value cannot be determined, 10% of domestic annual turnover).
- It amends the extraterritorial application of the Privacy Act to foreign organisations by removing the last limb of the existing “Australian link” test. If implemented, that change would mean that the Privacy Act may apply to acts done outside Australia by any foreign organisation as long as the organisation carries on business in Australia – strictly speaking, it could apply to information that the organisation collects outside Australia about individuals who are not even present in Australia. That would be a significant expansion, and we expect that it will prompt some push back.
A key issue under the Online Privacy Bill will be the scope of organisations that will be subject to the Online Privacy Code. It has been long expected that the Government would impose additional compliance obligations on social media services and data brokers. However, the broad inclusion of “large online platforms” was somewhat less expected. This category will capture any organisation that has at least 2,500,000 end-users in Australia and collects information about those end-users in connection with providing access to goods or services by the use of an electronic service. The explanatory statement that accompanies the Online Privacy Bill nominates major global technology companies (like Apple, Google and Amazon), along with media sharing platforms (like Spotify), as examples of large online platforms. However, on its face a much broader range of organisations that do business online could be caught – including, for example, banks and major retailers with digital offerings. One notable exception is that customer loyalty schemes are expressly carved out of scope, as they are to be considered as part of the general Privacy Act review.
Another key issue associated with the Online Privacy Code is the extent to which it will apply special conditions to the provision of social media services to children. As contemplated by the Online Privacy Bill, there will be a requirement for social media service providers to verify the age of all end-users and to obtain the consent of a parent or guardian before collecting, using or disclosing any personal information of a child under the age of 16. This would be a massive undertaking by any measure, and the Regulatory Impact Statement that accompanies the Online Privacy Bill estimates that the implementation cost for this will be over AU$500 million, with the age of more than 20 million end-users needing to be verified and consents obtained for more than 800,000 end-users under the age of 16.
Privacy Act Review Discussion Paper
The Discussion Paper represents the latest step in the ongoing review of the Privacy Act that was originally prompted by recommendations coming out of the ACCC’s Digital Platforms Inquiry in 2019. The initial Issues Paper that kicked off the review resulted in more than 200 submissions from a wide range of interested stakeholders, reflecting the far reaching significance of these reforms. The diversity of views expressed in those submissions may go some way to explain why it has taken such a long time for the Issues Paper to be followed by the new Discussion Paper.
In any event, the Discussion Paper seeks input on a number of specific reform proposals as well as some other areas where the Government is still weighing up various reform options. After considering submissions in response to the Discussion Paper and engaging in further consultation, the Attorney-General’s Department will produce a Final Report for consideration by the Government. The Government of the day will then decide what, if any, specific reforms it wishes to pursue. In other words, we are still some way from seeing a clearly defined set of specific proposed changes, and it is likely that there will be an election before the reform process concludes. However, with each step of the process the potential scope of the Government’s final reform agenda becomes a little clearer. Importantly, unlike the Online Privacy Code, the reforms contemplated in the Discussion Paper would apply on an economy-wide basis.
It is really beyond the scope of this alert to canvass the full range of very significant reforms proposed in the Discussion Paper. However, to flag just a few highlights, the Discussion Paper proposes:
- changes to the definition of “personal information” to broaden its scope and to clarify the status of technical data, including online identifiers, and inferred information – this would include a non-exhaustive list of types of information that may fall within the updated definition, and broadly align the definition with the equivalent concept in the European General Data Protection Regulation
- stricter requirements to “anonymise” rather than merely “de-identify” information before it is no longer subject to the Privacy Act
- new overarching requirements to ensure that personal information is collected, used and disclosed in a way that is “fair and reasonable” taking into account individual expectations, the sensitivity of the information concerned, foreseeable risks that may arise, and other legislated factors
- new rules on how the “primary purpose” and any “secondary purposes” for which personal information is collected would be assessed
- new rights for individuals to object to the collection, use or disclosure of their information and to request the erasure of that information in certain circumstances
- an unqualified right for individuals to object to any collection, use or disclosure of personal information for direct marketing purposes
- clarification of the current framework for overseas data flows, including introducing a mechanism to prescribe countries that offer equivalent protection to the APPs and developing standard contractual clauses to facilitate disclosures to non-prescribed countries
- the introduction of a voluntary domestic privacy certification scheme that would be designed to work in harmony with the international Cross Border Privacy Rules scheme
- a wider range of enforcement options for the Information Commissioner, including the ability to apply for lower civil penalties or issue infringement notices for less serious breaches, as well as direct rights of actions for individuals in certain circumstances
- an industry funding model for the Information Commissioner, including a statutory levy that would apply to entities which operate in a high privacy risk environment
In addition, as flagged above, the Discussion Paper seeks further submissions to help determine whether reforms are required in a number of other areas, such as: whether to do away with the current small business and employee records exemptions; whether to introduce ‘no-go zones’ for privacy practices that should be prohibited even with consent; whether to draw a distinction between the role played by “controllers” and “processors” in the manner of the GDPR and some other overseas privacy regimes; and whether to introduce a statutory tort of privacy in some form.
No matter what the Government’s final reform agenda, it is clear that this process is driving what will be the most significant developments in Australian privacy law for a decade or more.
Submissions on the Online Privacy Bill close on 6 December 2021, while submissions on the Discussion Paper close on 10 January 2022 (providing plenty to do for those privacy law followers who would otherwise have idle hands over the Christmas break!). Please get in touch with your KWM contacts if you have queries about how either of these developments may affect your business.