The federal government has kicked off its review of the Privacy Act, which will consider, among other reforms, whether Australians should have the right to have their personal information erased, as in the European Union.
Attorney-General Christian Porter on Friday released the terms of reference for the wide-ranging review that the government committed to undertake in response to the digital platforms inquiry in December 2019.
The review will consider whether the Privacy Act, which has not been amended since the introduction of the Australian Privacy Principles (APP) in 2012, remains fit for purpose in the digital economy.
It will build on existing reforms underway to increase the maximum civil penalties under the legislation and introduce a “binding privacy code to apply to social media platforms” and other platforms that trade in personal data.
“The digital economy has brought with it immense benefits including new, faster and better products and services,” the issues paper accompanying the terms of reference for the review states.
“As Australians spend more of their time online, and new technologies emerge, more personal information about individuals is being captured and processed, raising questions as to whether Australian privacy law is fit for purpose.
“At the same time, businesses that are trying to do the right thing are faced with an increasingly complex regulatory environment with respect to managing personal information.
“This is particularly true for businesses who work across international borders where complying with information protection standards can be a requirement for access to overseas markets.”
The review will consider a number of recommendations in the digital platforms inquiry such as updating the definition of ‘personal information’ to cover technical data and other online identifiers, strengthening existing consent requirements and introducing a “direct right of action”.
It will also look at whether exemptions for political parties should continue, and whether exemptions for small businesses with a turnover of less than $3 million a year “strike the right balance between protecting the privacy rights of individuals and avoiding the imposition of unnecessary compliance costs.”
These exemptions were introduced in 2000, when the legislation expanded to the private sector, but there have been calls more recently to re-examine them in light of the increased handling of personal information and - in the case of political exemptions - controversies.
Other considerations include whether a statutory tort for serious invasions of privacy and a ‘right to erasure’ should be introduced, and whether there is a need to seek an individual's consent each time “an entity collects, uses and discloses information”.
The review will also look at the current approach to cross-border disclosures of personal information, and the “benefits or disadvantages of Australia seeking adequacy under the GDPR [General Data Protection Regulation]”.
The issues paper, which was released by the Attorney-General’s Department and will accept submissions until November 29, will be followed by a discussion paper early next year that seeks more specific feedback on possible areas for reform.
Privacy commissioner Angelene Falk welcomed the review, which she described as a “landmark opportunity” to ensure Australia’s privacy legislation could respond to challenges posed by the changing digital environment.
“Australia has the opportunity to be at the forefront of privacy and data protection, with laws and practices that increase consumer trust and confidence in the protection of personal information and underpin innovation and economic growth,” she said.
The full terms of reference cover:
- the scope and application of the Privacy Act
- whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
- whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
- whether a statutory tort for serious invasions of privacy should be introduced into Australian law
- the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
- the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws