Norton Rose Fulbright - Data Protection Report blog

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, which includes the broad suite of reforms you would expect to bring Australia’s privacy laws into line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and processing Australians’ personal information, as well as the introduction of a right of direct action for individuals and a new tort of serious invasion of privacy.

These recommendations, if implemented, will significantly change the impact of privacy laws on Australian companies and individuals. In a move reflecting the complexity and importance of the review on the Australian economy as a whole, the Commonwealth Government has opened the report to consultation, requesting feedback from stakeholders by 31 March 2023. Interested parties should review the report and its recommendations, analyse the impact on their business operations and consider whether to make submissions to the government.

In this article, we highlight four proposals in the report that Australian companies should consider reviewing immediately to understand the impact on their operations, in addition to the more headline-grabbing proposals. We believe that some of these less attention-grabbing proposals will have a greater impact on the day-to-day operations of Australian companies and warrant closer inspection.

Introduction of the Controller-Processor distinction into Australian Law

The report positively endorses the adoption of the concepts of data controller (the entity that determines the nature, type and purposes of collecting and processing personal information) and data processor (entities that process data on the basis of instructions from controllers). The difficulty in introducing those concepts while certain exemptions remain is recognised but interim measures are proposed to bridge the gap.

Processor obligations would include transparency (APP 1), security (APP 11) and the Notifiable Data Breach scheme (NDB scheme) and, importantly, a contract would be required between the controller and processor governing the processing service. While many businesses already put contracts in place, it is likely that specific requirements will be prescribed by the reforms to ensure that the parties are aware of their respective obligations and to ensure that individuals’ rights are preserved.

For many organisations across Australia that utilise the services of small businesses in their data processing activities, it is likely that additional contracts and contractual requirements may need to be introduced, or existing contracts amended, to comply with this proposal. Entities that will be processors will need to implement the appropriate organisational controls to manage the security and NDB scheme obligations.

Removal of the Small Business Exemption

The report recognises the small business exemption as anomalous when compared with other mature jurisdictions. Further, it acknowledges the potential impact the exemption may be having on Australia’s ability to efficiently trade in digital assets and services. While acknowledging the historic reasoning for the exemption and assessing other options, the report ultimately concludes that the small business exemption should be removed.

This recommendation is caveated by the need to do so only after an impact analysis is completed to inform the development of an appropriate support package for small business, and guidance or a code developed to enable small businesses to comply with their obligations in a manner proportionate to the risk.

For organisations that deal with small businesses frequently, this may be cause for cautious optimism as small businesses are often characterised as a weak link in the chain when it comes to security of personal information. Combined with the introduction of the controller-processor concept, the removal of the small business exemption will likely be welcomed by the community generally, even if not by small business owners. The impact of these additional compliance obligations on the cost of doing business will need to be determined.

Narrowing of the Employee Record Exemption

The removal or modification of the employee record exemption was, and remains, a highly contentious topic that divided stakeholders during the consultation, and this division is reflected in the report. While balancing the views of each side, the report concludes that there are legitimate concerns regarding the volume and nature of personal information being collected from employees and prospective employees, the limited transparency about what the information is being used for, how long it is being retained, and difficulties with consent in an employment relationship.

Consequently, the report concludes that enhanced privacy protections should be extended to private sector employees, to balance employee transparency and protection requirements while ensuring employers have adequate flexibility to collect and disclose information necessary to administer the employment relationship. In addition, the report recommends fixing an anomaly in respect of the NDB scheme where, currently, employers are sometimes not required to inform their employees about serious data breaches that have affected their employee records.

However, despite recognising the need for reform, the report recommends a round of further consultation to determine the most appropriate approach to implementing the reforms in legislation, particularly recognising the need to consider the impact on workplace relations laws. For all Australian businesses, these proposals, and the consultation as to how to implement them, will be critical.

Increased requirements for valid consent

The report recommends amending the definition of ‘consent’ to provide that it must be voluntary, informed, current, specific and unambiguous. This recommendation reflects the current guidance of the OAIC. Taking these each in turn:

  • Voluntary: if there is a genuine opportunity to provide or withhold that consent. In some circumstances a voluntary consent may require an organisation to inform individuals about the implications of providing or withholding consent. This requirement is aimed at the practice of bundling consents, in which a consent may not be truly voluntary if it is bundled with other matters such as contractual terms.
  • Current: the report takes care to point out that it should not result in the need to periodically re-consent individuals but that consent cannot be assumed to endure indefinitely.
  • Specific: the consent must be sufficiently precise as to the purpose for which the individual is providing consent, and will depend upon the circumstances including the purpose of processing and the nature of the personal information.
  • Unambiguous: while not specifically recommending the removal of opt-out data collection processes, the requirement for consent to be unambiguous explicitly references OAIC guidance that inferring consent will only be appropriate in limited circumstances, as the data subject’s intention in failing to opt out may be ambiguous. The practical effect would be to remove opt-out inferred consent from the data collection tool kit.

In addition, the report recommends expressly recognising the ability to withdraw consent and to do so in as easy a manner as it was provided in the first instance, a standard already seen in many international privacy laws.

The impact of such a definition of consent on activities such as facial recognition technology in a security context does not appear to have been explicitly considered by the report. Organisations are encouraged to consider the impact of these enhanced consent requirements on data collection and processing activities where consent was previously inferred from behaviour, such as entering premises subject to a prominent notice that facial recognition and biometric scanning are being used for security purposes.


These are just some of the technical changes recommended by the report that will have a significant impact on Australian businesses. Our next article will consider another set that we see as equally important for clients to assess in the context of their business operations. As stated above, should any of these changes concern your organisation, the Commonwealth Government has opened a consultation on its response to the report with submissions needing to be made prior to 31 March 2023.