Key takeouts
Australia is set to announce significant changes to the Privacy Act in August 2024 as part of ongoing privacy reforms aimed at enhancing online safety.
The assessment and notice timeframe for Notifiable Data Breaches will likely tighten from the current 30-day period to just 72 hours.
The proposed reforms may also narrow or remove exemptions currently applied to employee records or small businesses.
The Privacy Act 1988 (Cth) (Privacy Act) is a cornerstone in Australia's legal framework, representing the nation's dedication to protecting personal information and ensuring privacy. Over the years, this essential legislation has evolved slowly to address the challenges brought on by technology and the rising threat of cyber attacks. In the 21st century, the relationship between cyber risks, data security and information privacy has become more crucial than ever.
The Commonwealth Attorney-General is expected to announce in August 2024 the next phase of the long-anticipated privacy reforms as part of the Australian Government’s initiatives to enhance digital privacy and online safety.
Until the Government’s specific proposals are announced, the extent of the reform’s scope remains uncertain. In this article we discuss our predictions on the likely reform proposals and, if adopted, what these changes would mean for your business or not-for-profit organisation.
Increased reporting guidelines and improved definitions
The existing requirement to take 'reasonable steps' to protect personal information will be clarified as requiring both technical and organisational measures, ensuring a more holistic approach to data protection. Additionally, clarification of key definitions, such as collection, disclosure, geo-location tracking data, de-identified data, and consent will help to ensure consistency in the privacy practices adopted by organisations regulated by the Privacy Act.
For organisations that have multiple mandatory notification obligations, the reforms are expected to consolidate and simplify reporting across multiple regulators, such as the OAIC, ACSC, ASIC, and My Health Record, streamlining these processes.
Mandatory disclosure requirements for the types of personal information transferred overseas are also anticipated, along with the possibility that disclosures of personal information to recipients in specific overseas jurisdictions may be relaxed where those jurisdictions offer equal or better protections for personal information.
The reforms may distinguish between data controllers and processors, potentially reducing the regulatory burden on processors while enhancing overall data governance.
High risk activities: biometrics, facial recognition, AI
Given the recent political and social attention on the advancement and adoption of developing technologies such as biometrics, facial recognition and machine learning (as a branch of artificial intelligence), the Government is expected to propose a specific requirement for organisations to carry out privacy impact assessments (PIAs) when planning or deploying these technologies. Although most small businesses are currently exempt from the Privacy Act, this proposed change to require PIAs would apply to any business adopting these technologies.
Tiered penalty provisions
In response to (among other things) the significant data breaches suffered by health insurer Medibank and telco Optus, the Privacy Act was amended in late 2022 to increase the maximum penalties for serious or repeated interferences with privacy.
Since then, one of the proposed reforms has been to introduce penalty tiers, and to modify the Privacy Act to allow the Australian Information Commissioner to directly apply lower- or mid-range civil penalties, rather than needing to first obtain an order from the Federal Court.
Additionally, the reforms would mean that if a civil penalty provision regarding privacy is triggered, the Federal Court and Family Court would have the authority to also issue appropriate orders reflecting the gravity of such privacy breaches. This aims to underscore the critical importance of privacy protection by imposing consequences for lesser but still significant violations, as well as for more serious or repeated ones.
Notifiable Data Breaches scheme
In force since February 2018, the scheme mandates that after an entity becomes aware of an actual or suspected data breach, it has 30 days during which to assess whether the incident creates a risk of serious harm to the affected individuals and, if so, to notify the Australian Information Commissioner and the affected individuals.
We expect that the assessment and notice timeframe will tighten from the current 30-day period to just 72 hours.
If this change is made, the likely impacts will be:
- significantly shorter time to assess a potential data incident, under the spectre of large penalties for serious or repeated incidents or non-compliance. This will require organisations to have readily-available incident response plans and playbooks, and templated messages for key audiences;
- shift of incident response focus onto identifying the types of personal information impacted;
- risks of premature or unnecessary notices to regulators and affected individuals;
- rolling updates aimed at keeping regulators and individuals continuously informed about the status and implications of the breach, yet with corresponding risks of disclosing point-in-time findings which may be speculative, inconclusive, or incorrect;
- delays to remediation, root cause analysis, containment and eradication works; and
- increased times to recover and return the organisation to normal operations.
More speculative reforms
Several of the more overarching, and therefore more challenging, potential reforms may include:
- imposing a principles-based requirement that an organisation’s handling of information must, in all respects, be "fair and reasonable" in all the circumstances;
- narrowing or removing the existing exemptions afforded to employee records and to small businesses having annual turnover of less than $3 million, which if made would thereby extend privacy protections to a broader range of personal information and entities; and
- introducing a tort for serious invasion of privacy, and a corresponding right for individuals to bring a claim against an organisation for serious or repeated privacy violations.
Latest updates to the Privacy Act
While these are our predictions for the likely changes to come, the Australian Government is expected to announce specific changes in August 2024. We will be sharing the latest updates to the Privacy Act as they are released. To receive these updates, please subscribe to our IP, Technology and Cyber Security mailing list here.