The Federal Government is seeking public feedback into proposed changes of Australia’s Privacy Act, with new rules to address longstanding concerns around the capture and use of personal data by online platforms and other emerging technologies.
The proposed amendments will, according to an ‘issues paper’ commissioned by the Attorney-General that flagged a number of outstanding concerns with the existing privacy regime, allow Australian citizens and organisations to maximise the “benefits” of the digital economy.
New technologies, including online media platforms, are “capturing and processing” vast quantities of personal data, necessitating a re-examination of Australia’s Privacy Act 1988, the issues paper states. The Act was last amended in 2017.
Newly proposed amendments focus heavily on digital platforms, with clearer recourse for action against online services in breach of the Act. For instance, the paper suggests increasing the maximum civil penalties for platforms committing “serious invasions of privacy” or repeated breaches of privacy. It also recommends the development of a “binding privacy code” to apply to online platforms that “trade in personal information”, like Facebook.
The review also broaches issues around consent, proposing that individuals could and should be notified separately by entities each time their information is collected and used. This would apply every time an individual’s personal data is used for purposes other than for which they were originally collected.
The Privacy Act intersects with several regulatory regimes and overseeing agencies, including the Office of the National Data Commissioner (ONDC), which is responsible for streamlining how public sector data is used and shared. The paper questions the need for separate regulatory bodies to address specific privacy concerns, and whether more “harmonisation” is needed between various privacy protection regimes.
A new “right to erasure” clause would also give individuals powers to request the destruction of their personal information held by entities, promising citizens greater control over their data, the ACCC’s Digital Platforms Inquiry (DPI) report states, which guided the formation of the issues paper.
The proposed change could significantly alter the way the public sector manages citizens’ information as well as their interaction with individuals and businesses, particularly as governments move to digitise services and backend processes.
For instance, a “right to erasure” clause would require government agencies to bear an added, not insubstantial, financial cost related to this capability. The paper also notes that deleting information that is simply “no longer needed” would create a “significant regulatory burden” for all entities, including the public sector. Enforcing this change may increase administration for agencies substantially.
Currently, agencies need to conduct a Privacy Impact Assessment (PIA) for all for “high privacy risk projects”. These are projects which generally involve “new or changed ways of handling personal information” that may have a significant impact on the individuals involved. The PIA helps agencies determine how to minimise or eliminate the impact a project might have on an individual’s privacy.
The issues paper also examines whether political parties should continue to be exempted from certain privacy laws, as they have been in the past. This was prompted by recent controversies, including the Cambridge Analytica scandal which saw personal data of up to 87 million people “improperly shared” by Facebook and used to influence voting.
The consultation paper was developed by drawing on research from a number of sources, including findings from the recently released Digital Platforms Inquiry (DPI), published in July 2019 by Australia’s competition watchdog, which reviewed the impact of online platforms and provided several proposed amendments to the Act.
It also considered research from other sources, such as the ACCC’s Digital Services Advertising Inquiry.
Angelene Falk, Australian Information Commissioner and Privacy Commissioner, described the review as a “landmark opportunity” to ensure Australia’s legislation could respond to challenges posed by the changing digital environment.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” she said.
A discussion paper based on public feedback on the Privacy Act issues paper and complementary research by the Government will be released in early 2021.