The Government Response to Attorney General's Privacy Act Review Report: Caution, Iceberg Ahead!
Market Insight 12 October 2023
Data Protection & Privacy
The recent release of the highly anticipated Government Response (Response) to the Attorney General's Privacy Act Review Report (Report) was, after the shock of the Report published in February 2023, somewhat underwhelming, at least on the surface.
Below we note the key highlights of the 'agreed' proposed changes, for which we expect legislation to be introduced during 2024, and some potential impacts of those changes that are not readily apparent from reading the Response. We also flag our predictions as to the adoption, implementation and likely effects of the most impactful 'agreed in principle' proposed changes, which we expect will be settled and adopted by the Government during 2024 and 2025.
What happened in the Response?
The Government 'agreed' with only 38 of the 116 proposed changes from the Report, mostly the more administrative "tweaks" to the Privacy Act: increasing the powers of, and encouraging enforcement by, the Office of the Australian Information Commissioner (OAIC). It is these 38 agreed changes, which some have described as 'minor', that will be legislated during 2024. Another 68 of the more significant proposed changes from the Report have been 'agreed in principle' by the Government in the Response. These 'agreed in principle' changes are subject to further engagement with those entities most likely to be impacted and a "comprehensive impact analysis" before the Government makes a final decision on the scope of each specific change and the best means of implementing it. Ten (10) of the 116 proposed changes from the Report were 'noted', meaning they are unlikely to be progressed by the Government in the foreseeable future.
What to expect from the 'agreed in principle' proposed changes
Given that, historically, 'agreed in principle' was code for endless rounds of further consultation with little, if any, progress and usually no resulting legislation, it is understandable that many are underestimating the potential impact of the 'agreed in principle' changes (i.e. assuming that most, if not all, will never eventuate). However, when taking into account the:
- change in community and Government attitudes toward privacy over the last 12 - 24 months;
- acceleration of this change brought about by the recent spate of high-profile and very public data breaches;
- Government's very public approach to those high-profile data breaches;
- increase in December 2022 of the maximum penalty for a serious or repeated interference with privacy from up to $2.2 million (at the then indexed rate) to the greater of $50 million, three times the value of any benefit obtained from the contravention and 30% of adjusted turnover for the breach turnover period (the longer of 12 months and the duration of the relevant breach of the Privacy Act/APPs);
- move back to a separate dedicated Privacy Commissioner within the OAIC; and
- increased funding in the budget for the OAIC/Privacy Commissioner,
this points to a break from recent history. That is, the 'agreed in principle' changes will likely be addressed expeditiously, and most will be settled, adopted and their implementation commenced by the Government in one form or another within the next 12 to 24 months. We expect the 'agreed in principle' changes will be the subject of short, focussed consultations with only the relevant entities (i.e. not generally open to public consultation), with the impact analysis being done simultaneously, so that during 2024 many of them will be shifted to 'agreed' and their form specified by the Government, with legislation to implement them commencing in 2025. Some of these 68 proposed changes are quite significant. However, until we see this process in action and the form in which these changes are 'agreed' to be implemented, it is difficult to know exactly what they will look like.
The 'agreed' changes to the Privacy Act
Throughout the Response (and also in the Report) there are a significant number of changes to administrative provisions, giving the OAIC increased and more targeted powers, together with a push to strengthen (and encourage) enforcement of the Privacy Act and APPs by the OAIC/Privacy Commissioner. As a corollary to this theme, the 'agreed' changes also seek to clarify and simplify key definitions and concepts used in the Privacy Act and APPs. This addresses the point raised in numerous submissions to the AG's Review that businesses were not sure what those terms meant or what their obligations under the Privacy Act and APPs actually were. The theme of increasing clarity and simplicity for business goes hand in hand with the theme of strengthening enforcement, as it will give businesses less room to claim they did not know what they were supposed to do, or how, to comply with key APPs and their underlying concepts.
Of the 38 'agreed' changes to be legislated during the course of 2024, our highlights (i.e. those that we believe will have the most immediate impact on business) are:
- The likely criminal offence for malicious re-identification of de-identified information where there is an "intention to harm another" or to "obtain an illegitimate benefit" (with appropriate exceptions). On its face this appears uncontroversial but, of course, the devil will be in the detail of what "malicious re-identification" actually is and whether the definitions or practical application of "intention to harm another" or "obtain an illegitimate benefit" will end up significantly widening the scope of behaviours that constitute this criminal offence.
- The changes to the journalism exemption are significant but, obviously, limited to a small subset of affected businesses. However, if you have been relying on the journalism exemption as currently provided, expect your world to become significantly more prescriptive and onerous (and more focussed on privacy-enhancing conduct) once the changes to the exemption are legislated in 2024.
- The combined changes introducing mandatory Privacy Impact Assessments (PIAs) for "high privacy risk activities" ('agreed in principle' but linked to an 'agreed' change), the requirement for enhanced risk assessments for the use of facial recognition technology and other biometric information, together with the Government's direction to the OAIC to develop practice-specific guidance for new technology and emerging privacy risks, will usher in significant changes to privacy risk assessment practices. These changes will require more "up front" privacy-related effort and analysis (along Privacy by Design lines) by business, similar to (and possibly in excess of) the current GDPR requirements. This will, for many businesses, be a substantial process change as to when, and how much, they consider privacy issues. Also, the OAIC's practice-specific guidance may act to extend, in practice, the scope of the activities subject to a mandatory PIA and/or an 'enhanced' risk assessment, including as regards third-party providers which process personal information on an organisation's behalf. This will impact the way that all organisations, even those which are currently privacy compliant, do business.
A likely evolution of these changes is that organisations will ultimately require third-party service providers that process personal information on their behalf to show them a PIA for that processing and to satisfy them of the service providers' privacy compliance and adequate cyber security (e.g. along the lines of CPS 234 for APRA-regulated entities). Of course, after the initial business process change costs, these changes will put organisations in a much better position to manage privacy and cyber risks more effectively, efficiently and cost effectively.
- The changes around children and vulnerable persons and how to deal with their privacy, both generally and online, will also (as we flagged in previous articles) impose significant and different privacy obligations on businesses (as compared to those for the adult, non-vulnerable population). To comply with these changes, even organisations currently following privacy better practice will require significant additional effort and expenditure to change and run different (and likely parallel) processes going forward.
- The Government's direction to the OAIC to provide further detailed guidance on the "reasonable steps" under APP 11.1 (including who to consult with in developing it), the adoption of the General Data Protection Regulation (GDPR) concept of specified "technical and organisational measures", and guidance on the steps that the OAIC will consider reasonable for the de-identification or destruction of personal information under APP 11.2, were essentially requested by business. However, despite being guidance, over time these will become de facto legal standards that must be implemented in full in order to meet one's obligations under APPs 11.1 and 11.2.
- Finally, the raft of enforcement changes, including the Government's 'encouragement' to the OAIC to do more in enforcement, greater and more targeted powers for the OAIC and a wider range of available (i.e. layered) penalties, are, when taken together, a strong follow-on from the recent increase in the maximum penalty to $50 million or more. In particular, the establishment of new 'mid-tier' and 'low-level' civil penalties (and giving the OAIC the power to levy them directly) will, with the increased level of enforcement, see the OAIC/Privacy Commissioner much more active and present at all levels of business across all sectors (think of the current approach and activity of the ACCC).
The 'agreed in principle' proposed changes highlights
While it is difficult to predict exactly what form many of the 'agreed in principle' changes will take, we briefly note what we anticipate will be the 'agreed in principle' changes that are likely to have the most impact if they are ultimately implemented in a manner close to that suggested in the Report (as noted in our prior articles available here):
- The amendments to definitions including "personal information", "sensitive information", "collection" and "de-identified", and the support of other terms/concepts such as "reasonably identifiable" with non-exhaustive lists of circumstances to be considered, will increase all organisations' privacy obligations much more than is apparent on a brief reading. For example, given the history of interpretation by tribunals and courts of the word "about" in the definitions of "personal information" and "sensitive information", the change to "related to" an individual (following the GDPR model) will mean, for those businesses which used this to limit the extent of the personal or sensitive information they were processing, applying privacy obligations across a much wider range of data (including data already held that was not considered to be "about" an individual and therefore not personal or sensitive information). In addition, the expansion of the definition of "collection", and the proposal that sensitive information can be inferred (and thus collected) from non-sensitive information, will challenge the current data models of a number of businesses. Further, the changes to the definition of "de-identified", which confirm current better practice, will have a significant impact on those businesses with large de-identified data holdings and those which have not, to date, been rigorous in their de-identification procedures.
- Ultimate removal (as expected) of both the small business and the employee records exemptions or, at least, the introduction of "enhanced privacy protections" for employees, should not have the widespread catastrophic impact that many have anticipated. The business ecosystem in which many small businesses operate, often as suppliers to larger businesses, has long insisted contractually on their compliance with privacy law. Also, many businesses have already extended some, if not most, privacy rights to their employees. However, for those businesses having to comply with the Privacy Act/APPs for the first time, or to extend privacy rights and obligations to employees' personal information for the first time, this will require a significant uplift in both their understanding of privacy and their current practices.
- While not a radical departure from existing legal requirements (although significantly different from implementation in practice), the changes to (or confirmations of) the consent requirements, in terms of how consent is obtained, how its withdrawal is facilitated and what additional matters consent will be required for, will again mean a significant uplift of the policies, practices and procedures of organisations. Add this to the increased requirements around the privacy of children and vulnerable persons and this will become a significant uplift task for some businesses.
- The introduction of a "fair and reasonable" test and assessment obligation, together with "acting in the best interests of the child" where relevant, will impose a level of privacy consideration that, in practice, has not to date been widely adopted by Australian businesses. Many businesses will struggle to understand why, if they meet all APPs and other privacy law requirements, they cannot undertake a certain activity because it may not otherwise be considered as 'fair and reasonable in the circumstances'.
- A sleeper issue in the Report, and now in the Response, is the proposed change (although it could have been better worded) that requires an organisation to determine and record the purposes for which it proposes to collect, use and disclose personal information before commencing that collection. This has been understood by many as simply a reiteration of the obligation under APP 5 to include these matters in a privacy notice. However, it is much more than this. It introduces a fundamental step and obligation for the business to consider upfront what personal information it proposes to collect, whether it is entitled to do so under the APPs/Privacy Act and whether there is a less privacy-intrusive way of meeting its objectives. That is, is all of the personal information proposed to be collected actually required? This will shift privacy considerations and risk management to the beginning of a potential collection, use or disclosure, requiring the business to undertake (and document) a version of Privacy by Design.
- Finally, despite being a fundamental change to the structure of Australia's existing privacy law, the Response has 'agreed in principle' to introducing the EU/GDPR concepts of "controllers" and "processors". These different roles will attract different levels of privacy obligations. While this will not necessarily increase the privacy obligations on controllers (apart from more oversight of, and responsibility for, their processors), and it may in fact reduce the privacy obligations of processors, in practice the additional administrative burden and the implementation of 'Standard Contractual Clauses' (as under the GDPR) will be a significant impost on business, especially in the 12 to 24 months after this is passed (if it is).
What you can do now
While the detail of the 'agreed in principle' proposed changes remains in doubt, there is enough in the 'agreed' changes and in the Report to indicate where the key 'agreed in principle' changes are likely to land. Businesses should therefore be uplifting their privacy compliance to meet the current requirements now, so that the changes during 2024 and 2025 will not be a significant hurdle. If your organisation is not fully compliant with the current privacy law, then when it comes time to implement the policies, procedures and practices needed to meet the changed requirements in 2024 and 2025, you will face an uphill battle to comply within the 'transition period' (which is yet to be determined but which, for some of the 'agreed' changes, we expect may be shorter than usual).
Also, any privacy or cyber security related work undertaken from now on must consider, and build into any recommendations, controls, proposed approaches, policies or procedures, the 'agreed' proposed changes and the core 'agreed in principle' changes that are likely to be implemented. This will help to 'future proof' whatever privacy or cyber security uplift you are undertaking and minimise, as far as possible, the risk of having to retro-fit significant privacy or cyber changes (or start again) when the proposed changes are legislated in 2024 and 2025.
How can we help?
Clyde & Co’s Technology & Media Team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors and international borders, including advising on some of the most high-profile disputes and class actions commenced in Australia.
The firm's tech, cyber, privacy and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third-party claims (including class action litigation), the team assists its clients, inclusive of corporate clients, insurers, insureds and brokers across the full spectrum of legal services within this core practice area.
To read our series on the Attorney General's Review Report, please see the links below: