Small business exemption, consent, and cross-border transfers

Following on from our introductory article (which also addressed personal information, de-identification and sensitive information), below we highlight the proposals of the Attorney General's Privacy Act Review Report (Report) related to the small business exemption, consent and online privacy settings and overseas transfers of personal information.

1. Small business exemption

To date the Privacy Act has not applied to businesses with an annual turnover of $3 million or less (i.e. small businesses), unless such entities collected certain types of high-risk personal information (i.e. health service providers, accredited entities under the Consumer Data Right system, etc). The Report notes that while the original intention of the small business exemption was to protect such businesses from overbearing privacy costs when the risks to individual privacy was low, advances in the digital economy and technology generally and changes to the way small businesses operate (i.e. using Cloud computing or receiving orders over the internet) have dramatically increased the privacy risks that small business practices pose to individuals’ personal information. Accordingly, the Report proposes that:

• The small business exemption should be removed, but only after:
   
  • an impact analysis is undertaken on the impact on the exemption’s removal to inform what small businesses require to comply with the amended Privacy Act (taking into account the technological developments and updated obligations under the amended Privacy Act);
     
  • appropriate support is developed, in consultation with small businesses, which the Report notes may include OAIC-developed resources (such as guides/templates, targeted education, e-learning courses, hotlines, live-chats) to minimise compliance costs; and
     
  • the most appropriate way for small businesses to meet their obligations proportionate to the risk is determined (i.e. resources are developed and made available for small businesses) and small businesses are positioned to comply with these obligations.
     
• Given the long-term timeline required to remove the small business exemption, in the short-term the Report proposes to:
   
  • prescribe in the amended Privacy Act that small businesses cannot rely on the small business exemption where such entities collect biometric information for use in facial recognition technology (as concerns regarding biometric information is a key theme in the Report); and
     
  • remove the exception that permits small businesses to trade in personal information (while still being protected by the small business exemption) so long as consent is obtained from individuals. The justification for this proposal (other than advancing technology and modernising business practices) is that this exception unfairly places responsibility on the individual to understand the broad implications of their consent.

Altogether, the proposals in relation to the small business exemption seek to implement a two-fold approach. In the short term the Report has prioritised reducing the privacy risk to individuals by restricting small businesses in relation to collecting and using biometric information for facial recognition technology and to close the exception that currently permits some small businesses to ‘trade’ in personal information while still not being caught by the Privacy Act, although the exemption will otherwise remain largely untouched. In the long term, once appropriate resourcing, education and awareness of changes to the Privacy Act are made available to small businesses, the Report makes clear its intention that the small business exemption should be removed.

However, this ‘long term vision’ lacks a clear timeline (i.e. will it be months or years after the release of the amended Privacy Act?) and clarification of when appropriate resources and notice to small businesses will have been provided. It may therefore be the case that the small business exemption is here to stay for longer than most stakeholders initially anticipated. Although, we suspect that this is one area where the Government may do more than proposed – for example, act faster to remove the small business exemption.

2. Consent and online privacy settings

The Report proposes:

• to ‘amend’ the definition of consent to provide (or confirm existing requirements but not universal current practice) that it must be voluntary, informed, current, specific and unambiguous (defined below), as the current Privacy Act provides no detailed clarification as to the concept of consent, other than it may be express or implied;
   
• that the OAIC develop guidance on how online services should design consent requests. This guidance could address whether particular layouts, wording or icons could be used when obtaining consent and how the elements of valid consent should be interpreted in the online context. Consideration could also be given to further progressing standardised consents as part of any future APP codes.
   
• to expressly recognise the ability to withdraw consent and to do so in a manner as easily as the provision of consent (i.e. information relating to withdrawing consent should be made available and individuals should be able to withdraw consent at any time). Under this proposal the withdrawal of consent would not affect the lawfulness of how the personal information was handled before the consent was withdrawn.
   
• to require that online privacy settings reflect the privacy by default framework of the Act (i.e. an entity’s product or service pre-selects the most restrictive (or protective) privacy settings by default where multiple layers of settings are available). APP entities that provide online services will be required to ensure that any privacy settings are clear and easily accessible for service users (e.g. such as for the purpose of modifying and selecting the most restrictive settings).

The effect of these proposals is to clarify the definition and nature of consent and to significantly broaden the application of consent. The Report suggests that interpretation of the amended definitions may be assisted by explanatory material published by the OAIC but notes that entities may, in the meantime, interpret the elements as follows:

• Voluntary means an individual must have a genuine opportunity to provide or withhold consent and that provision of a service should not be conditional on that individual providing consent (i.e. consent should not be bundled as per GDPR requirements and question then if employees can ever give consent, which is a significant issue in France).
   
• Informed means an individual must be provided with information sufficient to be aware of the implications of providing or withholding consent (with a focus on quality not quantity of information).
   
• Current means the consent does not endure indefinitely and must be sufficiently linked to the ongoing processing of personal information (i.e. the purpose for handling the personal information has not materially changed). Otherwise, periodic renewal of consent may be required.
   
• Specific means the consent must be sufficiently precise to a particular purpose(s) (i.e. not overly broad and for undefined future uses). While this is arguably already a requirement under current privacy law, this will be clarified and tightened.
   
• Unambiguous means an individual’s intent cannot be ambiguous or in doubt and that reliance on an opt-out mechanism to infer consent will rarely be appropriate. Again while we would argue this is a requirement of the current law, this will be clarified and strengthened.

It is expected that the OAIC will develop APP codes which put forward standardised forms for consent requests and terminology to improve individuals’ ability to make informed decisions and comprehend entities’ handling practices. An added benefit is that, should the small business exemption be removed as discussed above, this will further reduce compliance burdens for small business.

3. Overseas transfers of personal information

The proposals in the Report require:

• consultation on an additional requirement in subsection 5B(3) (being the ‘Australian link’ provision) to demonstrate an ‘Australian link’ that is focussed on personal information being connected with Australia. This intends to fulfil a number of purposes, including providing certainty to foreign organisations that they will only be regulated to the extent that their handling of personal information has a connection to Australia, future-proofing the extraterritorial application of the Privacy Act (e.g. against advances in technology) and making clear that such extraterritorial operation is not dependent on the means or method of collection or storage.
   
• introducing a mechanism to prescribe countries and certification schemes as providing substantially similar protection to the APPs under APP 8.2(a) similar to the adequacy agreements found under GDPR.
   
• standard contractual clauses (SCCs) be made available to APP entities for use when transferring personal information to overseas entities located in countries which are not prescribed.
   
• strengthen the informed consent exception to APP 8.1 (i.e. the requirement to take reasonable steps to ensure that the overseas recipient does not breach the APPs) by requiring entities to consider the risks of an overseas disclosure and to inform individuals that privacy protections may not apply to their information if they consent to the disclosure. However, it is not proposed to remove the information consent exception to APP 8.1, meaning that APP entities may disclose personal information to overseas entities without complying with APP 8.1 so long as the individual provides informed consent for them to do so.
   
• the APP 5 notice requirement in relation to overseas disclosures to be strengthened by requiring APP entities, when specifying the countries in which recipients are likely to be located if practicable, to also specify the types of personal information that may be disclosed to recipients located overseas.
   
• introduce a definition of ‘disclosure’ that is consistent with the current definition in the APP Guidelines (i.e. being instances where an entity makes information accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control). Further consideration should be given to whether online publications of personal information should be excluded from the requirements of APP 8 where it is in the public interest.

This is one of the areas the Report’s proposals will, if accepted and enacted by the Government, shift the privacy dial the most towards the GDPR and will impose a significant burden on Australian business in the short term. Essentially, these proposals would shift Australia’s overseas transfer framework much closer to that of the GDPR. In addition, these proposals build upon the amendments passed in the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 which simplified the extraterritorial operation of the Privacy Act by removing the requirement for an organisation to collect or hold personal information in Australia and to have an ‘Australian link’ and be subject to the Privacy Act / APPs.

By introducing mechanisms and certification schemes that prescribe certain countries and standards as providing similar protections to those afforded under the APPs, it is expected that APP entities will have greater certainty (and individuals be empowered to make informed choices) in respect of personal information disclosed overseas. In practice, this means that personal information may be permitted to flow to these adequate third countries or appropriately certified businesses (e.g. to the global privacy standard AS 27701 in Australia) with the presumption that further privacy safeguards will not be necessary (depending on the nature of the information flow). Similarly, the introduction of SCCs is another example of adopting a GDPR-like model, as these provisions will outline how overseas recipients of personal information located outside of Australia are expected to process personal information in accordance with and to not breach the APPs (e.g. what APPs they must comply with).

The good news! The Report also notes that consideration should be given as to whether, following the reforms arising out of the Privacy Act Review (and all the uplift business will need to implement), Australia should consider seeking an adequacy decision with the European Commission so as to be considered offering “an adequate level of data protection” in order to reduce business compliance costs. If this is obtained then at least the costs of and obstacles to Australian businesses of doing business in the EU/UK from Australia will be greatly reduced.

Read the first article in the series here.