The Australian government has responded to the Attorney-General's Privacy Review Report. Out of the Attorney-General’s 116 proposals, 38 proposals are poised for approval, 68 have garnering in-principle agreement, and 10 are ‘noted’ (ie unlikely to go ahead anytime soon). Below, we delve into the notable changes that have emerged from this response, highlighting likely shifts in privacy compliance obligations for small businesses, media companies, and social media platforms.
Currently, businesses with a turnover of less than $3 million are exempt from the Privacy Act's provisions. However, this exemption is likely to be scrapped, meaning small-scale enterprises will fall under the scope of the Act. This move marks a significant expansion of privacy regulations, with implications for small businesses. There will be consultation by the government to consider the impact of this reform before it is introduced.
Another change under consideration is the potential elimination of the employee record exemption. Presently, certain employee records are exempt from the Privacy Act's provisions. The Government agrees in-principle that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections for private sector employees may be implemented in legislation. This will need to include consideration on how privacy and workplace relations laws should interact.
In a somewhat contrasting development, political parties are likely to retain their exemption from the Privacy Act. The government defends this decision as a means to "enhance the operation of the electoral and political process."
While the government has indicated that the journalism exemption will endure, there is a possibility that the Office of the Australian Information Commissioner (OAIC) will establish and publish criteria for media privacy standards, aimed at fostering a more transparent and accountable media landscape, aligning with evolving privacy expectations. Media organisations will need to keep information secure, destroy it when it is no longer needed and report eligible data breaches to the OAIC.
Social media platforms may face new requirements aimed at curbing the use of dark patterns designed to prompt users to consent to privacy-intrusive practices. Additionally, online settings could shift toward privacy-protective default configurations to satisfy a "fair and reasonable" test, a principle that the government has tentatively agreed upon. These measures underscore the government's focus on safeguarding user privacy in the digital age.
The government acknowledges the need for individuals to have an unqualified right to opt-out of their personal information being used for direct marketing. However, harmonising these requirements across privacy, spam, and Do Not Call legislation presents a significant challenge. The government has agreed in principle that entities should be prohibited from targeting individuals based on sensitive information (eg race or sexual orientation) unless it is socially beneficial content.
Recognising the increasing concerns surrounding children's privacy, the government's response reflects a commitment to additional safeguards. Proposals include prohibiting the targeting of children, with certain exceptions, and prohibiting the trading of children's personal information. The government also supports the development of a Children's Online Privacy code, contingent on legislated protections for children.
The government supports the introduction of a statutory tort for serious invasions of privacy. Currently, Australians lack direct recourse for privacy violations. A statutory tort would empower individuals to seek legal redress, provided they can establish the seriousness of the invasion, a reasonable expectation of privacy, intentional or reckless behaviour, and a public interest favouring privacy.
The government agreed in principle with a proposed right of erasure, but this won’t apply to erasure of criminal records, and will not override laws requiring companies to retain identification documents.
As the government works to strike a balance between individual privacy rights and the interests of institutions and society, these decisions will shape the privacy landscape in the years to come. The government intends to legislate the changes in 2024. We will continue to closely monitor developments.