28 September 2023

Privacy Reform: Two cheers and waiting for detail

EM Forster famously offered two cheers for democracy. In the same spirit we might say two cheers for the Government's very uneven response to the Privacy Act Review Report (discussed here): some recommendations are embraced, others merely noted (with the policy can being kicked down the road or into the weeds), and much depends on sighting the detail.

The Review reflected 20 years of recommendations by law reform commissions, scholars and parliamentary committees.

The response states:

 The Government will progress consideration of reforms to Australia’s privacy framework under five key focus areas: 

1. Bring the Privacy Act into the digital age 

Bring the scope and application of the Privacy Act into the digital age by recognising the public interest in protecting privacy and exploring further how best to apply the Act to a broader range of information and entities which handle this personal information. 

2. Uplift protections 

Uplift the protections afforded by the Privacy Act by requiring entities to be accountable for handling individuals’ information within community expectations, and enhancing requirements to keep information secure and destroying it when it is no longer needed. 

Reforms to the Notifiable Data Breaches (NDB) scheme will assist with reducing harms which may result from data breaches and new organisational accountability requirements will encourage entities to incorporate privacy-by-design into their operating processes. 

New specific protections will also apply to high privacy risk activities and more vulnerable groups including children, especially online. 

3. Increase clarity and simplicity for entities and individuals 

Provide entities with greater clarity on how to protect individuals’ privacy, and simplify the obligations that apply to entities which handle personal information on behalf of another entity. The reforms will increase the flexibility of code-making under the Act, reduce inconsistency and improve coherence across different legal frameworks with privacy protections, and simplify requirements for transferring personal information overseas, particularly to those countries with substantially similar privacy laws. 

4. Improve control and transparency for individuals over their personal information 

Provide individuals with greater transparency and control over their information through improved notice and consent mechanisms. 

We will also explore the scope and application of new rights in relation to personal information and increased avenues to seek redress for interferences with privacy, through a direct right of action permitting individuals to apply to the courts for relief for interferences with privacy under the Privacy Act and a new statutory tort for serious invasions of privacy. 

5. Strengthen enforcement 

Increase enforcement powers for the OAIC, expand the scope of orders the court may make in civil penalty proceedings and empower the courts to consider applications for relief made directly by individuals. 

A strategic assessment of the OAIC and further consideration of its resourcing requirements, including investigating the effectiveness of an industry funding model and establishing litigation funds, will enhance the effectiveness of Australia’s privacy regulator.   

Next steps 

The Attorney-General’s Department will lead the next stage of implementation which will involve:

• development of legislative proposals which are ‘agreed’, with further targeted consultation to follow 

• engagement with entities on proposals which are ‘agreed in-principle’ to explore whether and how they could be implemented so as to proportionately balance privacy safeguards with potential other consequences and additional regulatory burden 

• development of a detailed impact analysis, to determine potential compliance costs for regulated entities and other potential economic costs or benefits (including for consumers), and 

• progressing further advice to Government in 2024, including outcomes of further consultation and legislative proposals. 

The Government acknowledges that entities covered by the Privacy Act will require sufficient time to be in a position to comply with new requirements when reforms commence. Consideration will be given to appropriate transition periods as part of the development of legislation as well as appropriate guidance and other supports which could be developed to help entities understand their compliance requirements. 

An impact analysis will be undertaken to more comprehensively determine the costs and benefits for Australians, including consumers as well as businesses and organisations. Given the diversity of entities required to comply with the Privacy Act, the impact analysis will consider the costs to different sectors of the economy and whether particular industries may require additional support to comply with new requirements. It will also facilitate a more detailed understanding of the practical implications for entities in transitioning to meet new obligations. Transition periods will be critical to ensure entities are in a position to comply with new obligations on their commencement. 

The Government’s role in strengthening privacy regulation, enforcing privacy protections and assisting with coordinating responses to significant data breaches must be complemented by Australians’ increased understanding of privacy risks, and improved privacy practices of both individuals and entities. There is also an important role for the Government in conducting its own activities – including its use of data and digital technologies – in an appropriately careful manner. The Government will adopt robust and appropriate privacy and security settings as set out in this response and its Data and Digital Government Strategy. 

Reforming Australia’s privacy framework will complement other reforms being progressed by the Government, including the 2023-2030 Australian Cyber Security Strategy, the Digital ID, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia. All these initiatives recognise the critical importance of Government working with stakeholders on reforms which will assist entities to manage risks appropriately and enable Australians to safely and securely engage in the digital economy. In progressing privacy reforms, the Government will continue to work closely with all stakeholders to ensure appropriate implementation.