Big changes to privacy law in the pipeline

In February this year, the Commonwealth released its report responding to the recommendations arising out of an extensive 2-year review of the Privacy Act. The recommendations are aimed at making the Privacy Act fit for purpose for the digital age including addressing shortcomings in the data protection practices of Australian businesses, large and small. The Government’s response accepts outright or in principle the vast majority of the recommendations.

As detailed in our article available here, the report proposed a significant number of changes (116), which if implemented, would significantly alter the regulatory framework in Australia, from how personal information will be collected and managed to introducing a multitude of new rights for individuals.

The recommended changes to the law will:

• extend Privacy Act obligations to currently exempt small businesses for the first time;
• significantly increase the legal imperative for businesses to have in place:
  • appropriate technical and administrative cyber security controls to protect personal information
  • legally compliant and practically effective data breach response plans and teams;
• require businesses to review and update their Privacy Policies;
• significantly increase the scope for legal claims against non-compliant businesses.

Some of the likely changes arising out of the report include:

• removal of the small business exemption so that businesses with a turnover of less than $3M will now be subject to the Act;
• removal of employee records exemption so that employee records will have to be dealt with in line with the requirements of the Act;
• enabling individuals to bring direct legal claims for breaches of the Act;
• creating a new legal right to take legal action for any serious invasion of privacy;
• new and more specific regulations governing what information can be kept, for how long and how it must be protected;
• requiring faster investigation and notification of data breaches;
• a legal requirement to conduct privacy impact assessments for business involved in high privacy risk activities such as fitness or lifestyle monitoring, social media networks, facial recognition and identity verification systems and medical research;
• introducing individual rights regarding access, correction and erasure of data; and
• further regulation of direct marketing, targeting and trading in personal information.

The Government has agreed to introduce an increased range of penalties for breaches of the Privacy Act which we expect will significantly increase risks for businesses and lead to more claims for compensation arising from privacy breaches.

The Government has also agreed to increase obligations on businesses who utilise automated decision-making including that the privacy policies of these businesses should set out the types of personal information that will be used, as well as the introduction of a right for individuals to request information about how such decisions may affect their legal rights.

The Government has indicated that it will now progress into the next stage of implementation which is likely to occur in a number of tranches, much like the Government’s approach to industrial relations reform to date.

We will continue to provide updates on any legislative changes in this area including further details with respect to key proposed changes.

This article provides general comments only. It does not purport to be legal advice. Before acting on the basis of any material contained in this article, we recommend that you seek professional advice.


Author

Name: Lachlan Chuong

Position: Associate

Practice: Disputes