It's a big week for privacy in Australia: the government has released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), and a discussion paper (Discussion Paper) containing proposals for future reform of the Privacy Act 1988 (Cth) (Privacy Act).

Online Privacy Bill

The Online Privacy Bill would enable the creation of a binding online privacy code (Code) which will apply to social media services, data brokers, and certain large online platforms operating in Australia. Service providers and platform operators subject to the code will need to comply with strict new privacy requirements, including stronger protections for children on social media. Among other things, the Code will:

  • require social media services subject to the code to take all reasonable steps to verify their users' age, obtain parental consent for collection of personal information of users under the age of 16, and give primary consideration to the best interests of the child when handling children's personal information
  • prescribe how privacy policies, notices and consents are to be drafted and delivered
  • detail when consent will be valid and, for sensitive information, when it needs to be renewed
  • deal with the process for user requests to cease handling of personal information

The Online Privacy Bill will also introduce tougher penalties for breach of the Privacy Act, with courts being empowered to impose penalties of A$10 million or more (in line with the Australian Consumer Law), and increased enforcement powers for Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC).

Also, of interest to businesses handling personal information offshore, the Online Privacy Bill proposes to remove the condition that an organisation has to collect or hold personal information from sources inside of Australia in order to be subject to the Privacy Act. This would mean that foreign organisations who carry on a business in Australia will generally be subject to the Privacy Act, even if they do not collect or hold personal information directly from a source in Australia.

Discussion Paper

The Discussion Paper is a key milestone in the government's review of the Privacy Act, which began in late 2020. The paper examines submissions received in response to the issues paper published when the review began, and goes on to outline proposed reforms which will go beyond the measures to be introduced by the Online Privacy Bill. Many of the proposed reforms originate from the Australian Competition and Consumer Commission's recommendations in its Digital Platforms Inquiry Final Report. There's a lot to unpack in the 200+ page Discussion Paper, and the summary of its proposals alone runs to 8 pages. As a taster, some of the more notable proposals include:

  • broadening key definitions (e.g. personal information and collection) and adding new ones (e.g. in respect of terms such as reasonably identifiable, consent, primary purpose, secondary purpose, disclosure)
  • amendments to requirements for privacy notices including an express requirement that privacy notices must be clear, current and understandable and stronger requirements for when a notice is required
  • possibility of standardised privacy notices and consents being addressed in the development of a code, such as the Code, including standardised layouts, wording, icons, or consent taxonomies
  • additional rules and restrictions in relation to certain large scale or high risk acts and practices (e.g. direct marketing, use of sensitive information, children's personal information, location data or biometric data; automated decision making with legal or significant effects)
  • pro-privacy default settings on a sectoral or other specified basis
  • proposals to protect children and individuals linking in to proposals under the Online Privacy Bill
  • express rights for an individual to object or withdraw their consent to the handling of their personal information
  • a right of erasure of personal information in certain circumstances (subject to exceptions)
  • various changes relating to overseas disclosures including adding a new mechanism to prescribe countries and certification schemes that qualify as substantially similar to the Australian Privacy Principles and provision of standard contractual clauses for entities to use when disclosing personal information overseas
  • various changes to enforcement and remedies including giving individuals a direct right of action and possibly introducing a statutory tort for invasion of privacy

Implications

The Online Privacy Bill will be highly significant for many organisations, especially, but not only, those in the social media, data brokerage and digital platforms space. The Code in particular will have significant operational ramifications for businesses within its scope, as it may require the implementation of particular notice, consent, age verification and other processes that may involve changes to services and/or significant effort to operationalise. However, the proposed penalty increases, enforcement measures and extra-territoriality change will apply more broadly and have significance for all organisations that carry on business in Australia and collect, hold, use or disclose personal information of individuals in Australia.

The review of the Privacy Act, though longer term, will involve a significant shift for all organisations subject to the Privacy Act, which will likely increase the compliance burden and legal risks for organisations handling personal information. Organisations will need to reconsider and update their existing data handling processes, policies and practices in light of the changes. Businesses should start to consider how these reforms will impact them, and consider making submissions to the relevant consultation so their voices are heard.

Next Steps

Submissions from stakeholders on the Online Privacy Bill will be welcomed by the government until 6 December 2021. Subject to any amendments arising from the consultation, we can then expect the bill to be introduced to parliament. The Code will need to be developed and registered within 12 months of the legislation receiving Royal Assent. Stakeholders have a little more time to digest the Discussion Paper: the consultation closes on 10 January 2022 and the review of the Privacy Act will be a longer term process. The next stage after the consultation will involve consideration of submissions received before legislation is drafted.

We will be watching these developments closely.

With special thanks to Liz Grimwood-Taylor, Knowledge Lawyer, for input on this post.