How the Privacy Act Review Report could impact businesses and how to prepare

By Samuel Wall

In February 2023, the 2022 Privacy Act Review Report was released by the Attorney-General's Department. The Report proposes many sensible reforms in line with the current cultural shift towards greater privacy regulation. Organisations should start getting ready now.

These reforms have been a long time in the making and are well overdue. Many of the proposed changes resemble recommendations made in previous reports from the Australian Law Reform Commission, the Australian Competition and Consumer Commission, and national and state parliamentary committees over the last 20 years.

A cultural shift is underway – we’re caring more about privacy 

But this time seems different: we're in the midst of a cultural shift towards actually caring about privacy. 

Donald Trump's election as US President in 2015 marked a turning point, after which the general public became more sceptical of technology and democratic legislatures started to think seriously about risks to their citizens’ security online. The reality of those risks was brought home clearly in Australia in 2022 following various high profile data breaches. Privacy risks and data hacks are now common conversation topics around the Australian dinner table. Community expectations are higher now - we expect all companies should be taking our data seriously and are indignant when we find that is not the case.

These reforms also come at a time when the fields of cybersecurity and privacy are overlapping more than ever before. The most popular international standard for information security – ISO 27000 – has changed its title from 'information technology – security techniques’ to 'information security, cybersecurity and privacy protection’. But it doesn’t matter what we call it. The point is we expect our data to be secure when we interact online.

The reforms are mostly good ideas

Many of these reforms should be helpful in encouraging organisations to raise their privacy game. For example, the small business exception is proposed to be removed. Most Australians would be shocked to find out that over 95% of businesses aren't covered by the Privacy Act because their annual turnover is less than three million dollars. The removal of the small business exception will be particularly helpful for expanding the coverage of the Privacy Act.

Second, and importantly, the definition of ‘personal information’ will be broadened, to be brought more in line with the community understanding of this term in a world where most individuals are subjected to near-constant data collection and analysis. The current definition requires ‘personal information’ to be ‘about a’ reasonably identifiable person. The proposed new definition uses the words ‘relates to’ instead, which broadens it to information such as technical and inferred information. In addition, the OAIC will provide more specific guidance, including examples, about what is deemed ‘personal information’ and when an individual is ‘reasonably identifiable’. The proposed change widens the application of the Act, as is appropriate, and makes that application much clearer. 

A third welcome change is a proposed state and territory working group on privacy. We may well ask why such an institution does not yet formally exist. This group will hopefully work on projects such as aligning the slight differences in definitions of privacy across jurisdictions in Australia to make it easier, clearer and quicker for organisations to comply with multiple frameworks.

But there are areas for improvement

There are, of course, some areas where we would like to see more ambitious reforms. Here are three examples:

  • A number of proposals bring Australia's regulation closer towards the General Data Protection Regulation (GDPR), including the proposal to separate out processors and controllers of personal information. However, the decision to continue the exemption for employee records places Australia out of step with the European Union and may affect our ability to be recognised as an 'adequate' jurisdiction to which European Union data can be shared without any further safeguards.
  • It would be better to require data holders to ask users to 'opt in' to targeted advertising by default, rather than the current practice in which users must often 'opt out'. We know consumers tend to prioritise convenience over safety online (and choice architecture frameworks are designed to push them to do so). It’s disappointing that this protection is weaker than it could be.

And there is still a long way to go

While the Government seems keen to move quickly, we should not expect legislation to be enacted anytime soon. Organisations have until 31 March 2023 to respond to the Report, after which draft legislation and final legislation will need to be debated. Additional awareness campaigns and consultations will need to be carried out before changes such as removing the small business exception could happen. The Government is taking advantage of the current momentum and interest around privacy issues – now it needs to sustain the pace until it actually delivers. 

So, what should businesses do?

The reality is that businesses should expect many of the proposals to be accepted into law or regulation in some form. Organisations should be taking (and documenting) steps to minimise their data footprints, understand and secure the data they hold, and develop comprehensive, actionable breach response plans. Businesses can start preparing by developing an accurate understanding of their data footprint now; both as a matter of best practice and to be ready for the changes as they come. 

Samuel Wall is Senior Consultant for Privacy and Cyber Security, Sekuro