Data Protection & Privacy
We have been eagerly awaiting the Government response to the Attorney General's Privacy Act Review Report (Report), since late last year when the Report was presented to the Government. On 16 February the Government made the Attorney General's Privacy Act Review Report public but not its response to the Report – rather, the Government announced it was seeking further public consultation on the Report’s 116 proposals for changes to the privacy law, likely given the extent and substance of the proposed changes in the Report.
While a little anti‑climactic, the Report’s 116 proposals to “strengthen and modernise Australian privacy law” are, until the Government’s response is released, more than enough to keep us all busy considering their likely impact and how best to deal with them. We expect most of them will be supported by the Government and will result in changes to the Privacy Act/APPs in 2023 and 2024.
Given the Report's 116 proposals are subject to further consultation (until 31 March) and the Government's response (i.e. indicating whether the Government will implement them or not), we thought it appropriate at this stage to highlight some of the Report's key/most impactful proposals and their likely implications, if they are passed as proposed in the Report.
We believe that, for most businesses, the key proposals in the Report are those relating to the following areas (in no particular order):
Over the next few weeks we will roll out a series of short pieces on the Report’s key proposals in the areas noted above. We trust our series on these key proposals will help you to start thinking about how your operations will be impacted and what you might need to be considering now in order to be able to implement the relevant changes. Once (if) these proposals are enacted we expect they will become effective within a much shorter timeframe than has traditionally been the case for changes to the Privacy Act (based on the speed with which the December 2022 changes became effective).
After a general comment on the Report, below (and first in our series) we address the proposed changes to the definitions of personal and sensitive information and how de-identified information is proposed to be treated.
As an overarching general comment for all of the proposals, the Report notes a desire to 're‑align' Australian privacy law, in practice as well as in principle, with the GDPR. Even where the current Australian privacy regime already has a similar principle (or APP) to that of the GDPR, the Report's proposals seek to address the perceived prevailing uncertainty and misunderstanding of the meaning of existing principles or concepts by a combination of explanatory amendments to the existing Privacy Act provisions (and APPs) and further specific guidance on how the relevant principles/concepts should be interpreted and applied in practice. In most cases, that guidance is suggesting a more GDPR-consistent interpretation/application.
This ‘re-alignment’ will impact the compliance requirements and processes of most businesses and, in some cases, require a significant uplift in order to meet these revised privacy requirements. However, on the bright side, it will also ultimately result in easier personal data/information transfers from the EU/UK to Australia and, possibly, ‘adequacy’ for Australia which will significantly reduce the privacy hurdles for Australian businesses doing business in the EU/UK.
The key proposals of the Report in these areas are (in summary):
In essence, these proposals will significantly broaden the information (including de-identified information) to which the Privacy Act/APPs apply, clarify the interpretation and application of key concepts (i.e. no more ‘misunderstandings’ as to application) with non‑exhaustive examples and emphasise the accountability of APP entities to both (i) appropriately de‑identify information and (ii) ensure it is not re‑identified by others.
Subject to the precise wording of the legislative amendments to the Privacy Act, we believe that the increased obligations around de‑identified information will impose a significant burden on many APP entities which have based many of their current practices on the fact that de‑identified information is not currently subject to the Privacy Act/APPs. The practical consequence may be that, rather than applying slightly different information security regimes to personal information and de‑identified information, APP entities find it easier to treat de‑identified information in the same manner, using the same systems and the same information security settings that they use for personal information. This, of course, will have ramifications for existing data sets, data pooling, Big Data analytics and AI products.
Given the pace of change in technology and the increasing availability of different types of data, even within an APP entity, the likelihood of breaching the proposed re-identification prohibition is significant. A breach may, whether intentional or not, expose the APP entity to large potential fines, class complaints/actions and related damages for contravening the Privacy Act/APPs.
Finally, the 'simple' change from 'about' to 'relates to' an individual for the definitions of personal and sensitive information will, despite the Report's suggestion to the contrary, substantially broaden the information (currently and previously collected by businesses) that will be subject to the Privacy Act/APPs. This will impact existing data holdings, systems, processes/procedures and policies, and will also require staff to be re‑trained accordingly.
The above and our series of short articles on the key proposals to follow are likely to raise many questions and issues for you. As noted, our aim is to raise awareness and alert you to what we perceive as the practical implications of these key proposals (if they were passed as proposed). However, please do not hesitate to reach out if you wish to discuss any of the proposals we highlight in more detail (or any of the other proposals of the Report) and how they will impact your specific industry and business, processes and/or current privacy compliance.