summary
The Australian Government issued the Privacy Act Review Report 2022 (the “Report”) in February 2023 with a list of 116 proposals to reform the Privacy Act 1988 (Cth) (the “Privacy Act”). These proposals aim to enhance personal data protection offerings to individuals with a view to a more digitalised world. The proposals, if adopted, may require companies to fundamentally modify or revamp the existing data protection and data security system in order to comply with the new requirements.
key changes
The key changes largely serve to align Australian standards with international developments in privacy and the increasingly digitalised world.
The new proposals introduce concepts of a data controller and data processor into Australian legislation. Whilst data controllers will be primarily responsible for the protection of personal data, data processors will, under the current proposal, be responsible for ensuring: i) transparent management; ii) data security; and iii) breach notification requirements are met.
The Report also proposes when conducting high privacy risk activities, which includes identifying and mitigating risks by conducting adequate assessment and analysis. Privacy policies and notices shall also be subject to certain requirements, underpinned by the idea that they must be clear, understandable and concise. Personal data to be collected, disclosed, or processed must be fair and reasonable, regardless of whether consent has been given by the individual. The proposals also made suggestions in relation to: i) rules governing international data transfer; ii) use of personal data for direct marketing and targeting activities; and iii) offering individuals rights to object and be forgotten.
measures
The proposed amendments to the Privacy Act 1988 would provide the Office of the Australian Information Commissioner (OAIC) with more investigative tools, such as the authority to conduct premises searches, seizure of evidential documents, and the undertaking of public reviews and inquiries under the Attorney-General’s direction. Additionally, courts will be vested with greater power to issue orders against entities in breach of the Privacy Act, and to handle applications for redress of privacy breaches via a new tort for serious invasion of privacy.
next steps
The Australian Government is currently seeking consultation on the Report which will end on 31 March 2023. Firms that collect, use, and disclose personal information should closely monitor these developments and take steps to ensure they are in compliance with any changes to personal data protection requirements. Firms should start reviewing the recommendations to understand the impact of compliance on the business, including knowing your data collection processes, controls and resourcing challenges to comply with new rules.
For more information, and any guidance or advice on how to ensure compliance with personal data protection requirements under the Australian Privacy Act, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.
Please click here to follow us on LinkedIn to receive the latest information on this and other important topics!
