Privacy Act review puts forward GDPR-like provisions amid a raft of changes to protect Australians

The review also calls for sweeping reforms at all levels of business in regard to data retention and protection, especially for small businesses and political parties.

The terms of reference for the review were laid down in 2020, and consultation on the review began with industry and advocacy groups in 2021, lasting through November 2022. The report does make note of the changes to the privacy and threat landscape in that period, especially in reference to last year’s Optus and Medibank data breaches.

The review notes that some stakeholders may need to be consulted a second time, given the impact of those incidents on the review’s recommendations.

The overall takeaway of the review is that the current Privacy Act is simply not fit for purpose, given how integrated day-to-day life has become with connected services, and how user data is increasingly at the heart of developments in this space. Such a data-rich environment does deliver many benefits, the report admits, but it also comes with many unique challenges and risks that the current act is ill-equipped to address.

The review notes the work of many other countries and jurisdictions to increase data protection rights but specifically feels that Europe’s General Data Protection Regulation should be emulated here in Australia. This would give Australians the right to request data erasure, to object to how data is used, and to have search engine results de-indexed.

“Transparency requirements for automated decisions that use personal information and have a significant effect on individuals are also proposed,” the report says.

The report also called for an improvement in the way consent is given by individuals, and how data is handled once it is collected. While the Privacy Act does call upon organisations to only collect data that is “reasonably necessary”, the review wants to empower the Office of the Australian Information Commissioner with an enhanced set of guidelines for what steps companies and other organisations must take to de-identify or destroy user data.

“In addition, this report proposes that entities should determine, and periodically review, the period of time for which they retain personal information,” the review adds, while also calling for further law reform around data retention.

VIEW ALL

New data breach provisions are also called for. Under the review’s recommendations, data breaches would need to be reported to the Information Commissioner within 72 hours of the breach being discovered.

Many stakeholders consulted for the review, also felt that a number of current exemptions from the act should be narrowed or removed entirely. Small businesses are a particular focus.

“The community expects that if they provide their personal information to a small business, they will keep it safe,” the review concludes, but it also notes that this would have a significant impact on many operators. “Further extensive consultation would need to occur with small business to determine the best way for small businesses to meet their obligations under the act, proportionate to the privacy risks they typically face.”

An impact analysis would also need to be undertaken, further to the implementation of a support package for small businesses to be able to meet any new obligations. The review’s subjects also felt that exemptions for political parties and the media be re-examined.

“On balance, this report proposes that the need for Australians’ information to be adequately protected in the digital age justifies at least some recalibration of all of the exemptions to address contemporary privacy risks and meet current community expectations.”

The review also calls for more robust means to enforce and regulate the strictures of the Privacy Act, including giving individuals “more agency to seek redress for interferences with their privacy”, by right of direct legal action.

Does the review go far enough?

Erin Turner, chief executive officer of the not-for-profit Consumer Policy Research Centre, feels the review is a great starting point, but that it can go much further to protect consumers.

“The thing I’m most encouraged about is that it’s broad,” Turner told Cyber Security Connect. “And it’s relatively ambitious — it’s talking about how we need to update our act from a 1980s view of privacy to something that’s more appropriate to the digital internet era.

“But what we were looking for, in assessing any reforms to the act, is do they go beyond the notification and consent framework to privacy and the way all our protections work? Now, it’s about businesses just telling consumers what they’re doing with their data, usually in really inaccessible forms, in privacy policies written by lawyers, but there are few restrictions on what businesses can do with data.

“I love that there are definitely reforms that are being proposed in this review that go beyond notification and consent, but we’ll be asking, does it go far enough? And does the regulator have all the powers it needs to hold businesses accountable?”

Attorney-General Mark Dreyfus also agrees the act, as it stands, is not fit for the challenges of the modern era.

“The Privacy Act has not kept pace with the changes in the digital world,” Dreyfus said in an announcement today. “The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.

“The government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.