Australia rethinks data privacy
Following the Attorney-General’s Privacy Act Review Report, the Albanese government has announced its proposals to protect its citizens against identity fraud and scams and ensure the global business competitiveness of Australia.
The initial Privacy Act Review Report, released in February 2023, aimed to clarify the act’s scope, uplift individual protections, provide clarity for regulated entities and bolster enforcement tactics. Over 500 public responses were considered in the government’s recently released official response to the report. In its response, the government has signaled its agreement with most of the 116 recommendations.
Among the endorsements are the proposed establishment of stronger data protections for children, curbing the ability of companies to target children for marketing purposes, and the introduction of a Children’s Online Privacy Code.
Additionally, the government has acknowledged that excessive reliance on consent can place an unrealistic burden on individuals to understand and manage their data privacy risks. It proposes shifting the burden from the consumer and, instead, requiring data-gathering entities to obtain informed consent for personal data handling and holding them accountable for the proper security and management of gathered data.
Currently, most small businesses with an annual turnover of AU$3 million (roughly US$1.9 million) or less are exempt from the Privacy Act and have no obligation to keep personal data secure or to notify affected individuals in the event of a data breach. The government has agreed in principle to remove this exemption after conducting an impact analysis and allowing for a reasonable transition period.
Following public outcry over its impact on journalism, the Privacy Act exemption for reporting will continue to be in effect. Media organizations will also remain exempt from requirements to disclose personal information they hold about individuals, which could otherwise lead to complaints and harassment by the subjects of journalistic reports.
Furthermore, the government has agreed in principle that data collection should be fair and reasonable and to expand the definition of personal information to include data such as cookie identifiers and IP addresses.
Public response to both the Act and the official government response has been diverse.
Notably, while praising the extra privacy protections offered to children, the Guardian called out the rejection of adults’ rights to opt of out of targeted advertising. The news outlet also voiced concerns about the government’s decision to decline a potential political exemption in the Privacy Act, which it believes would lead to misleading tactics by political parties and campaigns.
IAPP, a global privacy community, noted that while the government is making strides in various areas, recommendations to amplify the protection of anonymized data weren’t approved. Nevertheless, there was an acknowledgment regarding the crucial role of fostering a privacy framework conducive to business growth, with clarity in terminologies like collection, disclosure, and consent.
The Attorney-General will conduct an impact analysis and work with the community, businesses, media organizations and government agencies as it seeks to legislate changes in 2024.
These further changes will complement other critical reforms by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience and Supporting Responsible AI in Australia.