116 Proposals for Change: The AG’s Privacy Act Review Report goes public

We have been eagerly awaiting the Government response to the Attorney General's Privacy Act Review Report (Report), since late last year when the Report was presented to the Government. On 16 February the Government made the Attorney General's Privacy Act Review Report public but not its response to the Report – rather, the Government announced it was seeking further public consultation on the Report’s 116 proposals for changes to the privacy law, likely given the extent and substance of the proposed changes in the Report.

No Government response yet!

While a little anti‑climatic, until the Government’s response is released the Report’s 116 proposals to “strengthen and modernise Australian privacy law”, most of which we expect will be supported by the Government and will result in changes to the Privacy Act/APPs in 2023 and 2024, are more than enough to keep us all busy considering their likely impact and how best to deal with them.

Our approach

Given the Report's 116 proposals are subject to further consultation (until 31 March) and the Government's response (i.e. indicating whether the Government will implement them or not), we thought it appropriate at this stage to highlight some of the Report's key/most impactful proposals and their likely implications, if they are passed as proposed in the Report.

We believe that, for most businesses, the key proposals in the Report are those relating to the following areas (in no particular order):

• personal information, de-identification and sensitive information;
   
• children's and vulnerable person’s privacy;
   
• removal/revision of the employee records and small business exemptions;
   
• security, destruction and retention of personal information;
   
• consent and online privacy settings;
   
• the rights of the individual;
   
• direct marketing, targeting and trading;
   
• organisational accountability;
   
• controllers and processors of personal information;
   
• overseas dataflows, cross‑border privacy rules and domestic certification; and
   
• notifiable data breaches scheme and enforcement.

Over the next few weeks we will roll out a series of short pieces on the Report’s key proposals in the areas noted above. We trust our series on these key proposals will help you to start thinking about how your operations will be impacted and what you might need to be considering now in order to be able to implement the relevant changes. Once (if) these proposals are enacted we expect they will become effective within a much shorter timeframe than has traditionally been the case for changes to the Privacy Act (based on the speed with which the December 2022 changes became effective).

After a general comment on the Report, below (and first in our series) we address the proposed changes to the definitions of personal and sensitive information and how de-identified information is proposed to be treated.

General comment

As an overarching general comment for all of the proposals, the Report notes a desire to 're‑align' Australian privacy law, in practice as well as in principle, with the GDPR. Even where the current Australian privacy regime already has a similar principle (or APP) to that of the GDPR, the Report's proposals seek to address the perceived prevailing uncertainty and misunderstanding of the meaning of existing principles or concepts by a combination of explanatory amendments to the existing Privacy Act provisions (and APPs) and further specific guidance on how the relevant principles/concepts should be interpreted and applied in practice. In most cases, that guidance is suggesting a more GDPR-consistent interpretation/application.

This ‘re-alignment’ will impact the compliance requirements and processes of most businesses and, in some cases, require a significant uplift in order to meet these revised privacy requirements. However, on the bright side, it will also ultimately result in easier personal data/information transfers from the EU/UK to Australia and, possibly, ‘adequacy’ for Australia which will significantly reduce the privacy hurdles for Australian businesses doing business in the EU/UK.

Personal information, de‑identification and sensitive information

The key proposals of the Report in these areas are (in summary):

• Amend the current definitions of 'personal information' and 'sensitive information' by replacing the word 'about' in relation to being 'about an individual' and replacing it with the words 'relates to' to read ‘relates to an individual’. This broadens the definitions (and thus application of the Privacy Act/APP) to include a much wider set of the information which is collected by businesses but not currently considered to be 'about' an individual and therefore not treated as subject to the Privacy Act/APPs.
   
• Include examples of information that may be personal information and sensitive information based on these changes (i.e. using 'relates to' rather than 'about') and this is to be further expanded with OAIC guidance.
   
• Provide a definition of 'geolocation tracking data' related to the collection and holding of an individual’s precise geolocation by reference to particular places and times and make the collection, use, disclosure and holding of such data subject to the individual’s consent.
   
• Clarify that the definition of 'collects' covers information obtained from any source by any means by an APP entity, including any personal or sensitive information that is 'inferred or generated information', noting that sensitive information can be inferred from other than sensitive information.
   
• Making it clear that de‑identification is a process informed by best available practices applied to personal information which involves treating it in such a way that no individual is identified or is ‘reasonably identifiable’ in the current context and to understand that this 'assessment' needs to be repeated over time to ensure that such information remains de‑identified.
   
• The definition of 'reasonably identifiable' will be supported by a list of circumstances to which APP entities will be expected to have regard in their assessment of whether an individual is reasonably identifiable in relation to the relevant (including de-identified) information.
   
• Prohibiting APP entities from re‑identifying de‑identified information obtained other than directly from the individual to whom the information relates. Also, the protections under APP 8 and APP 11.1 are to be extended to de‑identified information to ensure both (i) the security of de‑identified information and (ii) the compliance with the obligation not to re‑identify de‑identified information when it is disclosed to overseas recipients. The proposals made in respect of profiling and direct marketing will apply to de‑identified information to the extent it is used for such purposes.

In essence, these proposals will significantly broaden the information (including de-identified information) to which the Privacy Act/APPs apply, clarify the interpretation and application of key concepts (i.e. no more ‘misunderstandings’ as to application) with non‑exhaustive examples and emphasise the accountability of APP entities to both (i) appropriately de‑identify information and (ii) ensure it is not re‑identified by others.

Subject to the precise wording of the legislative amendments to the Privacy Act, we believe that the increased obligations around de‑identified information will impose a significant burden on many APP entities which have based many of their current practices on the fact that de‑identified information is not currently subject to the Privacy Act/APPs. The practical consequence may be that, rather than apply slightly different information security regimes for each of personal information and de‑identified information, in practice it might be easier for APP entities to treat de‑identified information in the same manner, using the same systems and with the same information security settings that they use for personal information. This, of course, will have ramifications for existing data sets, data pooling, Big Data analytics and AI products.

Given the pace of change in technology and the increasing availability of different types of data, even within an APP entity, the likelihood of breaching the proposed re-identification prohibition is significant and may, no matter whether or not intentional, open up the APP entity up to large potential fines, class complaints/actions and related damages for contravening the Privacy Act/APPs.

Finally, the 'simple' change from 'about' to 'relates to' an individual for the definitions of personal and sensitive information will, despite the Report's suggestion to the contrary, substantially broaden the information (currently and previously collected by businesses) that will be subject to the Privacy Act/APPs. This will impact on existing data holdings, systems, processes/procedures, policies and also require the re‑training of staff as regards such.

Next steps

The above and our series of short articles on the key proposals to follow are likely to raise many questions and issues for you. As noted, our aim is to raise awareness and alert you to what we perceive as the practical implications of these key proposals (if they were passed as proposed). However, please do not hesitate to reach out if you wish to discuss any of the proposals we highlight in more detail (or any of the other proposals of the Report) and how they will impact your specific industry and business, processes and/or current privacy compliance.