30 October 2020

Privacy Act Inquiry

It's that time of of the year, where governments - in what one of my more mordant friends describes as 'take out the trash' mode - announce short consultations on matters that are important but politically inconvenient. The national Government has today announced an inquiry into the Privacy Act 1988 (Cth), with responses to the issues paper due by 29 November. 

The Review reflects the Attorney-General's 12 December 2019 announcement that the Government would conduct a review of the Act to 'ensure privacy settings empower consumers, protect their data and best serve the Australian economy'. The announcement was part of the Government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry. 

A-G's has hopefully dusted off the various ALRC reports from George Brandis's famous mahogany bookshelves (ignoring Brandis' unsuccessful attempt to euthanase the OAIC on the grounds that neither FOI nor privacy protection were really necessary). 

A-G's states 

We will draw on a range of sources for the review and invite submissions on matters for consideration. We will also meet with stakeholders on specific issues and consider research and reports on privacy issues. 

Those sources include

  • ACCC Digital Services Advertising Inquiry 
  • ACCC Digital Platforms Inquiry Final Report, 2019 
  • Data Availability and Use, Productivity Commission Inquiry Report, 2017 
  • Serious Invasions of Privacy in the Digital Era, ALRC Final Report 123, 2014 
  • For Your Information: Australian Privacy Law and Practice, ALRC Report 108, 2008

The Terms of Reference are -

  •  the scope and application of the Privacy Act
  • whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices 
  • whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act 
  • whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  •  the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
  •  the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks 
  • the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The questions in the 89 page issues paper are 
Objectives of the Privacy Act 
1. Should the objects outlined in section 2A of the Act be changed? If so, what changes should be made and why? 
Definition of personal information 
2. What approaches should be considered to ensure the Act protects an appropriate range of technical information? 
3. Should the definition of personal information be updated to expressly include inferred personal information? 
4. Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be? 
5. Are any other changes required to the Act to provide greater clarity around what information is ‘personal information’? 
Flexibility of the APPs in regulating and protecting privacy 
6. Is the framework of the Act effective in providing flexibility to cater for a wide variety of entities, acts and practices, while ensuring sufficient clarity about protections and obligations? 
Exemptions Small business exemption 
7. Does the small business exemption in its current form strike the right balance between protecting the privacy rights of individuals and avoid imposing unneccessary compliance costs on small business? 
8. Is the current threshold appropriately pitched or should the definition of small business be amended? a. If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way? 
9. Are there businesses or acts and practices that should or should not be covered by the small business exemption? 
10. Would it be appropriate for small businesses to be required to comply with some but not all of the APPs? a. If so, what obligations should be placed on small businesses? b. What would be the financial implications for small business? 
11. Would there be benefits to small business if they were required to comply with some or all of the APPs? 
12. Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?   
Employee records exemption 
13. Is the personal information of employees adequately protected by the current scope of the employee records exemption? 
14. If enhanced protections are required, how should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed? 
15. Should some but not all of the APPs apply to employee records, or certain types of employee records? 
Political parties exemption 
16. Should political acts and practices continue to be exempted from the operation of some or all of the APPs? 
Journalism exemption 
17. Does the journalism exemption appropriately balance freedom of the media to report on matters of public interest with individuals’ interests in protecting their privacy? 
18. Should the scope of organisations covered by the journalism exemption be altered? 
19. Should any acts and practices of media organisations be covered by the operation of some or all 
 of the APPs? 
Notice of Collection of Personal Information Improving awareness of relevant matters 
20. Does notice help people to understand and manage their personal information? 
21. What matters should be considered to balance providing adequate information to individuals and minimising any regulatory burden? 
22. What sort of requirements should be put in place to ensure that notification is accessible; can be easily understood; and informs an individual of all relevant uses and disclosures? 
Third party collections 
23. Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information? 
Limiting information burden 
24. What measures could be used to ensure individuals receive adequate notice without being subject to information overload? 
25. Would a standardised framework of notice, such as standard words or icons, be effective in assisting consumers to understand how entities are using their personal information? 
Consent to collection, use and disclosure of personal information  
26. Is consent an effective way for people to manage their personal information? 
27. What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed? 
28. Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information? What would be the benefits or disadvantages of requiring individual consents for each primary purpose? 
29. Are the existing protections effective to stop the unnecessary collection of personal information? a. If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary for providing the relevant product or service, should that be grounds to deny them access to that product or service? 
30. What requirements should be considered to manage ‘consent fatigue’ of individuals? 
Exceptions to the requirement to obtain consent 
31. Are the current general permitted situations and general health situations appropriate and fit-for-purpose? Should any additional situations be included? 
Pro-consumer defaults 
32. Should entities collecting, using and disclosing personal information be required to implement pro-privacy defaults for certain uses and disclosures of personal information?   
Obtaining consent from children 
33. Should specific requirements be introduced in relation to how entities seek consent from children? 
The role of consent for IoT devices and emerging technologies 
34. How can the personal information of individuals be protected where IoT devices collect personal information from multiple individuals? 
Inferred sensitive information 
35. Does the Act adequately protect sensitive information? If not, what safeguards should be put in place to protect against the misuse of sensitive information? 
36. Does the definition of ‘collection’ need updating to reflect that an entity could infer sensitive information? 
Direct marketing 
37. Does the Act strike the right balance between the use of personal information in relation to direct marketing? If not, how could protections for individuals be improved? 
Withdrawal of consent 
38. Should entities be required to refresh an individual’s consent on a regular basis? If so, how would this best be achieved? 
39. Should entities be required to expressly provide individuals with the option of withdrawing consent? 
40. Should there be some acts or practices that are prohibited regardless of consent? 
Emergency declarations 
41. Is an emergency declaration appropriately framed to facilitate the sharing of information in response to an emergency or disaster and protect the privacy of individuals? 
Regulating use and disclosure 
42. Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities? 
Control and security of personal information  
Security and retention 
43. Are the security requirements under the Act reasonable and appropriate to protect the personal information of individuals? 
44. Should there be greater requirements placed on entities to destroy or de-identify personal information that they hold? 
Access, quality and correction 
45. Should amendments be made to the Act to enhance: a. transparency to individuals about what personal information is being collected and used by entities? b. the ability for personal information to be kept up to date or corrected? 
Right to erasure 
46. Should a ‘right to erasure’ be introduced into the Act? If so, what should be the key features of such a right? What would be the financial impact on entities? 
47. What considerations are necessary to achieve greater consumer control through a ‘right to erasure’ without negatively impacting other public interests? 
Overseas data flows and third party certification 
48. What are the benefits and disadvantages of the current accountability approach to cross-border disclosures of personal information? a. Are APP 8 and section 16C still appropriately framed? 
49. Is the exception to extraterritorial application of the Act in relation to acts or practices required by an applicable foreign law still appropriate? 
50. What (if any) are the challenges of implementing the CBPR system in Australia? 
51. What would be the benefits of developing a domestic privacy certification scheme, in addition to implementing the CBPR system? 
52. What would be the benefits or disadvantages of Australia seeking adequacy under the GDPR? 
Enforcement powers under the Privacy Act and role of the OAIC 
53. Is the current enforcement framework for interferences with privacy working effectively? 
54. Does the current enforcement approach achieve the right balance between conciliating complaints, investigating systemic issues, and taking punitive action for serious non-compliance? 
55. Are the remedies available to the Commissioner sufficient or do the enforcement mechanisms available to the Commissioner require expansion? a. If so, what should these enforcement mechanisms look like? 
Direct right of action 
56. How should any direct right of action under the Act be framed so as to give individuals greater control over their personal information and provide additional incentive for APP entities to comply with their obligations while balancing the need to appropriately direct court resources?  
Statutory tort 
57. Is a statutory tort for invasion of privacy needed? 
58. Should serious invasions of privacy be addressed through the criminal law or through a statutory tort? 
59. What types of invasions of privacy should be covered by a statutory tort? 60. Should a statutory tort of privacy apply only to intentional, reckless invasions of privacy or should it also apply to breaches of privacy as a result of negligence or gross negligence? 
61. How should a statutory tort for serious invasions of privacy be balanced with competing public interests? 
62. If a statutory tort for the invasion of privacy was not enacted, what other changes could be made to existing laws to provide redress for serious invasions of privacy? 
Notifiable Data Breaches scheme – impact and effectiveness 
63. Have entities’ practices, including data security practices, changed due to the commencement of the NDB Scheme? 
64. Has the NDB Scheme raised awareness about the importance of effective data security? 65. Have there been any challenges complying with the data breach notification requirements of other frameworks (including other domestic and international frameworks) in addition to the NDB Scheme? 
Interaction between the Act and other regulatory schemes 
66. Should there continue to be separate privacy protections to address specific privacy risks and concerns? 
67. Is there a need for greater harmonisation of privacy protections under Commonwealth law? a. If so, is this need specific to certain types of personal information? 
68. Are the compliance obligations in certain sectors proportionate and appropriate to public expectations?