Federal Attorney-General Christian Porter has called for submissions to the long-awaited review of the federal Privacy Act 1988.
This is the first wide-ranging review of privacy laws since the Australian Law Reform Commission produced a landmark report in 2008.
Australia has in the past often hesitated to adopt a strong privacy framework. The new review, however, provides an opportunity to improve data protection rules to an internationally competitive standard.
Here are some of the ideas proposed — and what’s at stake if we get this wrong.
Australians care deeply about data privacy
Personal information has never had a more central role in our society and economy, and the government has a strong mandate to update Australia’s framework for the protection of personal information.
In the Australian Privacy Commissioner’s 2020 survey, 83% of Australians said they’d like the government to do more to protect the privacy of their data.
The intense debate about the COVIDSafe app earlier this year also shows Australians care deeply about their private information, even in a time of crisis.
Privacy laws and enforcement can hardly keep up with the ever-increasing digitalisation of our lives. Data-driven innovation provides valuable services that many of us use and enjoy. However, the government’s issues paper notes:
As Australians spend more of their time online, and new technologies emerge, such as artificial intelligence, more personal information about individuals is being captured and processed, raising questions as to whether Australian privacy law is fit for purpose.
The pandemic has accelerated the existing trend towards digitalisation and created a range of new privacy issues including working or studying at home, and the use of personal data in contact tracing.
Australians are rightly concerned they are losing control over their personal data.
So there’s no question the government’s review is sorely needed.
Issues of concern for the new privacy review
The government’s review follows the Australian Competition and Consumer Commission’s Digital Platforms Inquiry, which found that some data practices of digital platforms are unfair and undermine consumer trust. We rely heavily on digital platforms such as Google and Facebook for information, entertainment and engagement with the world around us.
Our interactions with these platforms leave countless digital traces that allow us to be profiled and tracked for profit. The Australian Competition and Consumer Commission (ACCC) found that the digital platforms make it hard for consumers to resist these practices and to make free and informed decisions regarding the collection, use and disclosure of their personal data.
However, the reforms must go further. The review also provides an opportunity to address some long-standing weaknesses of Australia’s privacy regime.
The government’s issues paper, released to inform the review, identified several areas of particular concern. These include:
the scope of application of the Privacy Act, in particular the definition of “personal information” and current private sector exemptions
whether the Privacy Act provides an effective framework for promoting good privacy practices
whether individuals should have a direct right to sue for a breach of privacy obligations under the Privacy Act
whether a statutory tort for serious invasions of privacy should be introduced into Australian law, allowing Australians to go to court if their privacy is invaded
whether the enforcement powers of the Privacy Commissioner should be strengthened.
While most recent attention relates to improving consumer choice and control over their personal data, the review also brings back onto the agenda some never-implemented recommendations from the Australian Law Reform Commission’s 2008 review.
These include introducing a statutory tort for serious invasions of privacy, and extending the coverage of the Privacy Act.
Exemptions for small business and political parties should be reviewed
The Privacy Act currently contains several exemptions that limit its scope. The two most contentious exemptions have the effect that political parties and most business organisations need not comply with the general data protection standards under the Act.
The small business exemption is intended to reduce red tape for small operators. However, largely unknown to the Australian public, it means the vast majority of Australian businesses are not legally obliged to comply with standards for fair and safe handling of personal information.
Procedures for compulsory venue check-ins under COVID health regulations are just one recent illustration of why this is a problem. Some people have raised concerns that customers’ contact-tracing data, in particular collected via QR codes, may be exploited by marketing companies for targeted advertising.
Under current privacy laws, cafe and restaurant operators are generally exempt from complying with privacy obligations to undertake due diligence checks on third-party providers used to collect customers’ data.
However, Australian political parties are exempt from complying with the Privacy Act and anti-spam legislation. This means voters cannot effectively protect themselves against data harvesting for political purposes and micro-targeting in election campaigns through unsolicited text messages.
There is a good case for arguing political parties and candidates should be subject to the same rules as other organisations. It’s what most Australians would like and, in fact, wrongly believe is already in place.
Trust drives innovation
Trust in digital technologies is undermined when data practices come across as opaque, creepy or unsafe.
There is increasing recognition that data protection drives innovation and adoption of modern applications, rather than impedes it.
We would all benefit if the government saw that this same principle applies to other areas of society where our precious data is collected.
Information on how to make a submission to the federal government review of the Privacy Act 1988 can be found here.