The Privacy Act is changing – here is what you need to know.

Significant reforms to the Privacy Act 1988 (Cth) (the Act) were announced by the Morrison Government on 25 October 2021, a key response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry.

The review seeks to ensure Australia’s privacy laws are fit for purpose in a digital era, enhancing privacy protections for individuals and assisting businesses in meeting their privacy obligations.

The Attorney-General’s department has just released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill).

The Online Privacy Bill introduces a binding Online Privacy Code (OP Code) on Australian online platforms as well as harsher penalties and enforcement powers exercisable by the Office of the Australian Information Commissioner.

The reforms will also cover Australia’s privacy frameworks more broadly. A Discussion Paper has been released concurrent to the Online Privacy Bill seeking stakeholder feedback on proposals primarily drawn from an Issues Paper released late last year. The Issues Paper calls for strengthened privacy protections for individuals and increased transparency in data handling practices.

The Discussion Paper has initiated the first changes to the Australian Privacy Principles (APPs) since their introduction in 2014 and enables individuals to directly take action for breach. Additionally, the paper proposed a new statutory tort for the invasion of privacy exercisable in circumstances of highly offensive conduct.

The Online Privacy Bill

The OP Code aims to mitigate the risks associated with online platforms having access to high volumes of personal information or regularly trading in personal information. It will be developed by industry for approval by the Commissioner, establishing more prescriptive detail about how online platforms should meet their obligations under the APPs.

The Online Privacy Bill will also strengthen penalties for entities regulated by the Act and increase the enforcement mechanisms available to the Commissioner. This is in response to recommendations that penalties under the Act should mirror the increased penalties for breaches of the Australian Consumer Law.

Application of the OP Code

The OP Code will apply to the following categories of private-sector organisations currently subject to the Act, known as ‘OP Organisations’:

1. Organisations that provide social media services

2. Organisations that provide data brokerage services

3. Large online platforms

4. ‘Specified’ organisations.

OP Organisations must meet the requirements of the OP Code alongside the ordinary provisions of the Act. In the event of a complaint or on their own initiative, the Commissioner can exercise their full range of enforcement powers in response to a breach.

Increased Penalties and Enforcement

A natural person will face an increased maximum civil penalty of 2,400 for serious and repeated interferences with privacy, which is approximately $532,800. The maximum penalty for corporations will be increased to an amount not exceeding the greater of:

1. $10,000,000;

2. three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated inference with privacy; or

3. 10% of their domestic annual turnover if the value cannot be determined.

Infringement notices can be issued where an individual fails to provide information to the Commission in the course of an investigation. Additionally, a separate criminal offence has been established where a corporation regularly fails to provide information to the Commission. At this stage, the matter can be referred to the Commonwealth Director of Public Prosecutions.

Broader Reforms to the Act

The Discussion Paper empowers individuals to directly bring an action for breach of the APPs affecting their personal information. The most substantial changes to the APPs include broadening the definition of ‘personal information’, introducing a requirement that the ‘collection, use or disclosure’ of personal information be ‘fair and reasonable in the circumstances’, and enabling consent to be withdrawn at any time.