• The review of Australia’s Privacy Act 1988, is being done by the Attorney General’s Department and has involved nearly 4 years of consultation.
• Along the way there have already been some key developments in the law and in the Governments commitment to Privacy protections.
• ADMA has been actively engaged in all stages of the Government’s Privacy Act Review (including the AGD’s direction for a Cost Benefit Analysis conducted in April 2024)
• The Privacy Act Review Report (released in February 2023) put forward 116
• ADMA was supportive of most of the proposals
• some in the form proposed
• some with a minor tweak , and others
• only after further consultation (These are the ones we were most concerned about).
the Privacy Act Review Report released in February 2023
89 (of the 116) proposals were directed at legislative change the Government response (in Sept 2023):
- Agreed to 25 of these proposals
- Agreed in principle to 56 of these proposals
- Noted 8 of these proposals.
Note:
A Proposal that would result in a ‘legislative change’ would mean that there is an actual amendment to the Privacy Act wording
On 12th Sept 2024, the Attorney General submitted a Bill to Parliament that would implement 23 of the 25 ‘Agreed’ legislative changes
The Attorney General introduced a ‘slimmed down’ Bill into the House (This is called the Privacy and Other Legislation Amendment Bill 2024)
• The Bill implements a first tranche of agreed recommendations from the Privacy Act Review including:
• A new statutory tort to address serious invasion of privacy This intends to cover both:
• intrusions on physical privacy; and
• the misuse of information where there is a reasonable expectation of privacy
• ‘Development of a Children’s Online Privacy Code to better protect children from a range of online harms;
• Greater transparency for individuals regarding Automated Decision Making (“ADM”);
• Stronger enforcement powers for the Australian Information Commissioner and creation of a tiered penalty structure so that the OAIC has greater ability to impose penalties for breaches that are not ’serious’;
• Streamlined information sharing in the case of an emergency or eligible data breach.
• The Bill also introduces new criminal offences to outlaw ‘doxxing’, the malicious release of personal data online
In order for the Privacy Act to be ‘fit for purpose’ in the digital age, there is a need for the scope of the Act to broaden.
This would come in a few different ways:
• broadening of the definition of personal information;
• removal of existing exemptions
• introduction of new definitions within the Act
These ‘legislative changes’ were not included in this stage
The introduction of the overarching Fair & Reasonable test is an Australian led ‘world first’ that has been well received by both Government and industry alike
This was not introduced in this stage
Proposals around Consent and Notice will need to become more transparent and easier for consumers to navigate
These were not included in this stage
Any delay is just that - a delay not a decision to drop other reform proposals.
The inclusion of the Proposals around Automated Decision Making and Children’s right to privacy is a direct indication that marketers need to continue the work they have begun in preparing for the full Privacy Reform.
The inclusion of the following:
• Automated Decision Making (ADM): An organisation’s privacy policy will need to set out the types of personal information used in and types of decisions made by, computer programs that use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual;
• Children are defined as persons under 18 years within the Act;
• Introduction of an enforceable Children’s Online Privacy Code.
The inclusion of the “ADM” Proposals makes clear that marketers need to be transparent about the ways in which they collect, intend to use and disclose personal information and the reason for which they hold onto such data both now and in the future.
This requires marketers to shift their thinking around their data practices and be more proactive rather than re-active.
Given that Stage two of Reform is coming, Marketers should evolve their thinking around data to include some of the proposals that whilst not included in Stage one, are more directly impactful to daily operations.
These (at a minimum) include:
• the broadening definition of Personal Information
• likely changes to Consent and Notice
• the introduction of an overarching Fair & Reasonable test
• possible introductions of definitions for ‘direct marketing’, ‘targeting’, ‘targeted advertising’, ‘trading’;
• changing categorisation of de-identified information, sensitive information and location data.
Now that the Bill has been submitted to Parliament, the Government will consider it in both Houses and once it is approved, it will be enacted as law.
The Attorney Generals Department will continue to lead the next stage of the Privacy Act Review.
This will involve:
• further targeted consultation with key stakeholders (incl. ADMA)
• engaging with stakeholders on remaining proposals which were ‘agreed in principle’, to explore whether and how they could be implemented so as to ‘proportionately balance’ privacy safeguards with potential other consequences and additional regulator burden;
• progressing further advice to the Government in 2025, including outcomes of further consultation and legislative proposals.
• Continue to prepare for the changes still coming in full Privacy Reform
• Ensure your marketing teams consider use-cases on how the coming full Privacy Reforms will impact current operations;
• Do a data audit (applying the expanded definition of Personal Information)
• Review your current Notice and Consent in line with new expectations
• Understand your current data practices
• Review your current systems and access permissions
• Build Partner Accountability
• Prepare for changes in Direct Marketing and Targeting
• Strengthen your Data Breach Notification Plan
• Continue to champion Privacy compliance within your teams.
ADMA offers access to the best resources helping marketers be prepared in a changing landscape
ADMA membership > Regulatory sessions > Data Pass > ADMA IQ courses > Toolkits > Information sheets
