The long awaited review of Australia’s privacy laws began today with the release of an issues paper and terms of reference. The government committed to reviewing the legislation following a landmark review of digital platforms which found systemic problems, including limited privacy protections in Australia.
Critics of the legislation argue it has not kept pace with the rampant data collection of online businesses, despite its deliberate technology agnostic design.
- Read more: Cover Story: As Surveillance Capitalism Takes Hold, Australia Lacks The Ability To Protect Its Citizens’ Privacy
Today, the Attorney General’s Department released its terms of reference for its review of the Privacy Act 1988 alongside an issues paper and a call for submissions by 29 November. Consultations will continue into next year and a discussion paper will be released in 2021, seeking more specific feedback on preliminary outcomes, including any possible options for reform.
The final report of the review will be made public after government consideration.
The review will consider whether the scope of the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose, including reviews of terms like “personal information”, exemptions, and situations where data may be collected.
According to an issues paper released today, the review will also dive into notification requirements, consent and default settings, overseas data flows and the erasure of personal information – all fundamental issues covered by Europes 2018 GDPR laws, considered the strongest privacy protections to date.
The government has already agreed in principal to update the definition of personal information to capture technical data and other online identifiers, strengthen notification requirements, strengthen consent requirements and “pro consumer” defaults, and introduce a direct right of action to enforce privacy obligations under the Act.
The review will also consider whether the current exemption of political parties and journalist from some privacy principles should remain.
A new statutory tort of privacy will also be considered for serious invasions of privacy, as the ACCC recommended in its digital platforms inquiry. There is currently no tortious right of action for invasion of privacy under the Act or any other Commonwealth, state or territory statute.
Watchdog welcomes review
Australia’s Privacy Commissioner, Angelene Falk, today welcomed the review and potential reform.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” Falk said.
“The review of the Privacy Act will help ensure that our regulatory framework can protect personal information into the future and hold organisations to account.”
According to Falk, the key elements to support effective privacy regulation over the next decade are global interoperability; enabling privacy self management; organisational accountability; and a “contemporary approach” to regulation, including “having the right tools to regulate in line with community expectations”.
Falk’s office last week confirmed it will struggle to get through its backlog of work without a funding boost but faces a near-50 per cent cut in resourcing in 2022-23.
Review terms of reference
The full terms of reference for the review of the Privacy Act are:
- the scope and application of the Privacy Act
- whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
- whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
- whether a statutory tort for serious invasions of privacy should be introduced into Australian law
- the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
- the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.