25 Nov: Landmark privacy reforms to better protect Australians online
On 12 December 2019, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act 1988 (Privacy Act). The review was announced as part of the Australian Government response to the Australian Competition and Consumer Commission’s (ACCC’s) Digital Platforms Inquiry.
On 25 October 2021, the Australian Government announced landmark privacy legislation to protect Australians online and ensure that Australia’s privacy laws remain fit for purpose in the digital age. This is in addition to the recently promulgated Online Safety Act 2021 which gives the eSafety Commissioner powers in relation to online harm such as cyber abuse, cyberbullying and image-based abuse.
The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) will give effect to the Australian Government’s commitment to strengthen the Privacy Act. It enables the introduction of a binding online privacy code for social media and certain other online platforms, and it increases penalties and enforcement measures.
The Government invites submissions on the Online Privacy Bill by 6 December 2021.
Interaction between the Online Privacy Bill and the Review of the Privacy Act
Consultation on the Online Privacy Bill is being held at the same time as the Privacy Act Review. While the Online Privacy Bill addresses the pressing privacy challenges posed by social media and other online platforms, the Privacy Act Review seeks to build on the outcomes of the Online Privacy Bill to ensure that Australia’s privacy law framework empowers consumers, protects their data and best serves the whole of the Australian economy.
The Attorney-General will be accepting submissions on the Discussion Paper until 10 January 2022.
The Online Privacy Bill and Online Privacy Code
The Online Privacy Bill proposes an Online Privacy Code, updates the Office of the Australian Privacy Commissioner’s (OAIC’s) enforcement powers (including penalties for breach), and amends the extraterritorial scope of the Privacy Act.
If the Online Privacy Bill is promulgated and an Online Privacy Code established, then social media organisations, data brokerage organisations and large online platforms will need to comply with more rigorous obligations in relation to the existing Australian Privacy Principles (APPs) under the Privacy Act, as well as with new obligations.
Enhanced obligations under the APPs include the requirement for (i) clear and simple privacy policies to describe the purpose for collecting, holding, using and disclosing personal information (APP 1), (ii) voluntary, informed, unambiguous, specific and current consent (APP 3, APP 6), and (iii) clear, understandable, current and prior notification of collection etc. (APP 5).
New obligations will require organisations subject to an Online Privacy Code to (i) take reasonable steps not to use or disclose, or not to further use or disclose, the personal information of an individual if so requested by the individual, and (ii) provide special protections for children and vulnerable groups.
Interaction between privacy laws and Regulators in Australia
The Australian regulatory regime is complex. The reforms discussed here concern the Attorney-General, ACCC, OAIC and eSafety Commissioner, all of which have separate but sometimes overlapping roles and responsibilities.
In addition to the laws and reforms discussed here, organisations also have to comply with (i) generally applicable laws such as corporations law, with ever-increasing liability for directors, and (ii) sector-specific laws such as those that apply to the financial sector. Other Regulators such as the Australian Securities and Investments Commission (ASIC), Australian Prudential Regulatory Authority (APRA) and Australian Communications and Media Authority (ACMA) have far-reaching enforcement powers and their own sector-specific requirements, all of which impact privacy and personal information. Notably, the ACCC (under the Treasury), which was responsible for the Digital Platforms Inquiry and the proceedings against Facebook, is responsible for operationalising the Consumer Data Right (CDR) and the CDR Rules, including security.
Identifying the compliance requirements, and understanding the risk exposure and the mitigation treatments available to a business, can be a daunting task, but it is a necessary step in the implementation of controls – particularly in the vast ecosystem of the digital age.
The Online Privacy Bill is set to have significant impact on organisations subject to an Online Privacy Code, namely private sector organisations that are already subject to the Privacy Act, organisations that provide social media services, data brokerage services, and large online platforms with at least 2.5 million end users in Australia.
We strongly recommend that you keep abreast of privacy law reforms and the relevant issues that will impact you and your business. Where possible, participate in the public discourse to shape your future.
We are here to assist and to guide you through the ramifications.