On February 16, 2023, the Australian Attorney General released the Privacy Act Report. It summarises the extensive consultation and review of the Privacy Act 1988 conducted over two years. It also contains a range of proposals designed to better align Australia’s laws with global standards of information privacy protection and to properly protect Australians’ privacy. Such proposals may enhance cross-border data flows and result in economic benefits for Australian businesses and the economy.
In particular, the proposals focus on 3 main points: (1) scope and application of the Act, (2) protections under the Act and (3) regulation and enforcement. They answer the following corresponding questions:
First, what information should be protected and who should protect it?
The proposals emphasise greater flexibility in the Privacy Act, which would allow it to respond to a broader range of circumstances, including emerging scenarios. The Report proposes clarifying that personal information is an expansive concept that includes technical and inferred information, such as IP addresses and device identifiers, and extending it to de-identified information that could be re-identified. It also requires recalibration of the Act’s current exemptions to address contemporary privacy risks and meet current societal expectations.
Second, what privacy protections should apply?
The Report proposes improving the quality of information available to individuals about the collection and processing of their information. It requires entities to take proper responsibility for handling personal information fairly and reasonably, and to identify and mitigate risks before engaging in high privacy risk practices. The proposals would strengthen privacy protection for children and people experiencing vulnerability. They would improve users’ control over their personal data and give them more transparency and control over direct marketing, targeting and the sale of their personal data. The proposals may reinforce the requirements on entities to keep personal data secure, and to destroy or de-identify it when they no longer need it. Moreover, they would facilitate personal data transfers while ensuring the data is properly protected.
Third, how should breaches of privacy be enforced?
Entities may benefit from reduced regulatory complexity between different privacy frameworks thanks to the proposed harmonisation of key aspects of privacy laws. Furthermore, the Report proposes improving how entities respond when a serious data breach occurs and simplifying the reporting process. The proposals would equip the regulator with more options for enforcement against privacy breaches and the ability to identify and address them. On the one hand, they enhance the Courts’ powers to make orders against the controllers/processors that have breached their privacy obligations. On the other hand, they also open new pathways for individuals to seek redress before the Courts for privacy breaches, for example, through a new tort for serious invasions of privacy.
Sources:
https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report.pdf
https://www.ag.gov.au/sites/default/files/2023-02/report-on-a-page.pdf
https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
https://consultations.ag.gov.au/integrity/privacy-act-review-report/
For the U.S. SEC Report of Privacy Act Regulations: https://www.astraiagear.com/2023/02/15/sec-proposal-of-revision-to-privacy-act-regulations/