Federal Attorney-General Mark Dreyfus KC announced the release of the Privacy Act Review Report earlier this week. The review culminates the results of a review period that extended for more than two years and included over 200 submissions.
The Report contains 116 sub-proposals within 30 proposals which would significantly reform the contents of the Act to broaden its extent and introduce new protections.
The review proposes broadening what is considered personal information, and amending the definitions of de-identification and sensitive information. An updated definition of consent would extend beyond the current provision to require that it must be voluntary, informed, current, specific, and unambiguous, replacing the previous version which only included expressed or implied consent. These terms are used substantially within many of the provisions of the Act, so many of the provisions are contingent on this definition.
A proposed amendment of the Act would require that the collection, use and disclosure of personal information is done fairly and reasonably, based on the objective perspective of a reasonable person. This would apply whether consent has or has not been obtained.
Several of the proposals would give individuals more control over their own privacy. The review outlines the creation or development of a right to access your own personal information, object to the collection of personal information, use or disclosure of personal information, request the erasure of your information, and seek correction or de-indexing of personal information for individuals. A right to opt-out of both the use of their personal information in targeted advertising as well as the receipt of targeted advertising is also recommended.
The proposals suggest an update of the Australian Privacy Principles to require collection notices to be clear, up-to-date, concise and understandable, to be supported by publicly available templates for privacy policies and collection notices. The development of collection notices is particularly notable after the Office of the Australian Information Commissioner’s review into Clearview AI, who had scraped images from third party sources to develop a facial recognition database based on an individual’s biometric information.
The review also outlines guidelines for the development and usage of substantially automated decisions where they may have a significant effect on an individual, including a right for individuals to request meaningful information about the decision. This could increase transparency of these largely opaque systems that tend to function as black boxes of decision making.
Other reforms suggested include removing or amending the small business, political, journalism and employee records exemptions, introducing a Children’s Online Privacy Code, updating the notifiable data breaches scheme, a review of the current civil penalties available, giving individuals a direct right of action relating to interference with privacy to seek relief from the courts and establishing a statutory tort for serious invasions of privacy.
The review has been underway since October 2020, when the issues paper was released. Submissions were collected during 2021 supported by the discussion paper. It is now open for feedback until 31 March 2023, which will inform the drafting of the reformed Act. The proposed recommendations would move Australian privacy policy closer towards the more extensive General Data Protection Regulation in the European Union, which went into effect in 2018.
