Australia’s privacy regulator has called for a raft of changes to privacy laws to ensure they remain “consistent with Australian values” and suitable for an increasingly digital world.
But the watchdog stopped short of supporting GDPR-style data regulation and consent management, as the government considers the biggest reforms to Australian privacy law in decades.
Australian Information Commissioner and Privacy Commissioner Angelene Falk today released the regulator’s submission, which includes 70 recommendations, to the ongoing review of Australia’s Privacy Act.
The Attorney General’s Department is currently conducting a review of Australia’s privacy laws following the ACCC’s recommendation for reform after its landmark digital platforms inquiry.
The submission says Australia’s privacy law should be changed to put more accountability on the entities collecting personal information and greater protection for individuals.
The regulator, which is currently responsible for bringing action over breaches of privacy, wants to give individuals the right to direct action in courts against organisations that breach privacy law including the introduction of a statutory tort for serious invasions of privacy.
It would also like to see the removal of exemptions for certain entities and types of information under the current legislation, which includes small businesses, political parties, and employee records.
Reserving consent requirements
The submission also calls for the strengthening of notice and consent requirements. But it cautions an overbearing consent requirement could lead to a “tick-box exercise” of management.
“Australians should be able to expect that safe practices are in place, without having to read lengthy and complex notices on a take-it-or-leave-it basis,” said Commissioner Falk in a statement today.
“Consent should be kept for where it really matters and is meaningful, so it doesn’t turn into a tick-box exercise which detracts from its value in higher-risk situations.”
According to the regulator’s submission, “fairness and reasonableness” standards should be introduced for the collection of personal information. While the current laws are underpinned by the concepts, the regulator says, the protection does not currently go far enough and companies have skirted them to collect and use personal information for additional purposes.
The regulator argues this is a better approach than explicit consent for data collection, which has been “eroded” in an online environment filled with pop-ups and cookie management.
In a statement, Falk said Australia’s laws should be updated to better reflect community attitudes to privacy – the regulator’s own research shows an increasing displeasure with modern data practices – and to keep pace with the “global digital environment”.
In the regulator’s regular attitudes-to-privacy survey, most Australian consumers said they are uncomfortable with targeted advertising and businesses keeping databases on their activity.
“The Privacy Act is a well-established framework that is principles-based, technologically neutral and flexible,” Falk said today.
“However, the external landscape has changed significantly in recent years, and our research shows declining levels of community trust in how organisations handle personal information.
“Australians want more done to protect their privacy in the face of ongoing and emerging threats.”
The OAIC summarised its proposed changes as recommending:
- greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy
- the introduction of fairness and reasonableness standards for the collection, use and disclosure of personal information
- stronger organisational accountabilities for entities, with an onus on organisations to understand the risks that they create for others, and to mitigate those risks up front
- the removal of exemptions for employee records and acts and practices by small business operators and political parties
- that individuals should have a direct right to bring actions in the courts against organisations covered by the Privacy Act to seek compensation
- the introduction of a statutory tort that can respond to a wide range of serious invasions of privacy.