Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance

The Attorney-General's Department will look at carve-outs, harmonisation with states and other nations, and a right to erase for Australians.

Australia's Attorney-General Christian Porter announced on Friday the terms of reference and issues paper that his department will use as a basis for its review of the Privacy Act.

The wide-ranging review will consider the definition of personal information; whether existing exemptions for small businesses, political parties, and the storing of employee records to comply with the Act should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.

The review was agreed to as part of the Commonwealth's response to the Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry.

In posing 67 questions for submissions to respond to, the Attorney-General's Department (AGD) has asked whether the definition of personal information should be extended to inferred personal information as well as whether additional protections should be extended to de-identified, anonymised, and pseudonymised information.

Of particular interest in the paper was the failure of Australian privacy laws to be compatible with those in Europe, especially the General Data Protection Regulation (GDPR), with exemptions created in the Australian law two decades ago being a roadblock.

"The [Australian Law Reform Commission (ALRC)] noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada, and the European Union) exempts small businesses from the general privacy law," the paper said.

"The Senate Committee inquiry further recommended the removal of the exemption given the privacy regimes in overseas jurisdictions have operated effectively without a small business exemption and that the existence of the exemption was one of the key outstanding issues preventing Australia from seeking adequacy with the EU.

"[The ALRC] also noted that the United Kingdom does not exempt employee records and that removing the exemption may facilitate recognition of the adequacy of Australian privacy law by the EU."

On the flip side, the paper pointed out that only UK and Germany were in Australia's top 15 two-way trading partners while other economies around the Asia-Pacific made up 72% of trade. The EU only accounted for 13.5%.

"As less trade is undertaken with the EU than within the APEC region, the government's recent priority has been to ensure adequate privacy protections within and between APEC economies," the AGD said.

"Requiring businesses to comply with different information handling requirements under the Act, [Cross-Border Privacy Rules] and GDPR could result in a regulatory landscape that is overly complex. On the other hand, compliance with the GDPR may give businesses a competitive advantage in engendering consumer trust."

The privacy law benchmark: What is GDPR? Everything you need to know

Currently in Australia, if a business has revenue under AU$3 million, it is exempt from the Act, and the paper wrestled with the idea of whether a threshold should remain, and if so, what should it be since businesses under that threshold could handle sensitive personal information yet maintaining the threshold could increase compliance costs for those businesses.

Leaning on the ACCC's recommendations, the paper raised the prospect of requiring organisations requesting personal data to implement defaults to make collection of information opt-in. It also asked whether individuals should be made to consent for each purpose and time their information is collected and whether the core concept of consent was effective.

The paper also asked whether there should be higher requirements to destroy or de-identify personal information that is held by organisations and whether Australia should have a "right to erasure", which would be an analogue to Europe's right to be forgotten.

The potential of handing Australians the power to initiate court action to seek compensation from privacy breaches was also raised -- Australians currently can only directly apply for an injunction -- and questions on how to stop the courts being filled with actions over "trivial breaches", such as funnelling complaints via the Office of the Information Commissioner for conciliation or capping damages, were also asked.

The paper also discussed the idea of whether a statutory tort of privacy was needed, with the AGD saying it would allow for privacy breaches not covered by the Privacy Act to be caught, but also that recent criminal legislation may lower the need for such a tort.

"A key issue for the design of a statutory tort of privacy is the types of liability it would cover. That is, liability based on intention, liability based on negligence or strict liability," the AGD said.

"The ALRC recommended that a statutory tort should be confined to intentional or reckless invasions of privacy and should not extend to negligent invasions of privacy or attract strict liability. However, it is questionable that an invasion of privacy due to gross negligence where a person may not have been reckless but failed to exercise even the slightest degree of care and diligence in relation to an obvious risk should be outside scope."

The terms of reference also stated the review would not look into any changes to the Privacy Act that were made to cater for the government's COVIDSafe app, nor recent changes made to credit reporting.

Submissions to the review have a deadline of November 29, with a discussion paper set to appear early next year. A date for the final report was not specified.

"Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored," Porter said.

"Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers, and support the growing digital economy."

The review will also examine the effectiveness of the Notifiable Data Breaches scheme.

"The NDB Scheme commenced on 22 February 2018. There are therefore some difficulties in determining at this stage whether the scheme has achieved its long term objectives," the AGD said.

Related Coverage