In a digital economy, technology-driven innovation is predicated upon the vast swathes of data flowing through the global digital ecosystem. Regulating the use of data in the interests of commerce and consumers, however, has presented a perennial challenge as the Fourth Industrial Revolution outpaces lawmakers’ ability to respond.
Following a two-year consultation process, the release of the Attorney-General’s Privacy Act Review Report [Report] in February 2023 heralded a new era in the Australian Government’s [Government] approach to privacy regulation. Presenting 116 proposals, the Report outlined prospective reforms to the Privacy Act 1988 (Cth) [Privacy Act] that would evolve Australia’s federal privacy regime to remain fit for purpose in a global digital economy. Yet, organisations contended with uncertainty regarding the extent to which the proposed reforms would be legislated, and the timeline for any legislative amendments to come into effect. In turn, this uncertainty clouded the ability of organisations to chart a path towards privacy-driven growth.
The Great Privacy Awakening
On 28 September 2023, the Government’s release of its response [Response] to the Report provided a long-awaited level of illumination regarding the next step in modernising Australia’s federal privacy regime. Overall, the Response highlighted the Government’s broad support of the Report’s proposals, with over 90% of the 116 proposals indicated as ‘agreed’ or ‘agreed-in-principle’. By categorising the proposed reforms into five key areas of focus, the Response provides organisations with a framework to guide investment decisions that can enhance privacy readiness as the federal privacy regime evolves. The Government’s five key focus areas in advancing the prospective reforms to the Privacy Act include:
- Bringing the Privacy Act into the digital age
The Government recognises the public interest in protecting information privacy in a data-driven digital economy by seeking to enact amendments to bring the scope and application of the Privacy Act into the digital age.
- Uplifting protections
The proposed reforms endeavour to increase organisational accountability in the handling of personal information in accordance with community expectations by enhancing the protections afforded to consumers. Increased protections will extend to the enforcement of the principle of data minimisation, incorporation of privacy-by-design into operating processes, and reforms to the Notifiable Data Breaches (NDB) scheme to reduce harms that arise from eligible data breaches. Specific new protections will also apply to vulnerable groups, such as children, in addition to high privacy risk activities.
- Increasing clarity and simplicity for entities and individuals
To streamline Australia’s privacy regime is to make it more effective. The Government will endeavour to unify Australia’s patchwork privacy regulatory framework to enhance consistency and clarity regarding the obligations of organisations in handling personal information. Moreover, increasing harmonisation in relation to cross-border data transfers will minimise ambiguity, whilst elevating the standards of privacy protections to improve Australia’s digital competitiveness.
- Improving control and transparency for individuals over their personal information
Providing consumers with greater choice, control and transparency in relation to their personal information will serve to mitigate the inequality in bargaining power between consumers and organisations in a digital economy in which data is the principal currency. The Government indicates that a key avenue through which to empower consumers is the enhancement and expansion of their rights in relation to personal information. In tandem, the introduction of a direct right of action and statutory tort for serious invasions of privacy will grant consumers additional avenues via which to seek redress.
- Strengthening enforcement
Further to the enhanced enforcement powers ushered in by the passage of the Privacy Legislation Amendment, the Government will seek to broaden the scope of regulatory oversight and identify appropriate funding models to effectively empower the OAIC’s role as the independent national privacy regulator.
Privacy Plasticity and the Connected Consumer
In an interconnected digital economy, plasticity is the key to evolving the expression of an organisation’s DNA from business as usual to the business of the future. In turn, the business of the future will be characterised by its ability to build connected consumer profiles that honour real-time privacy preferences at every stage of the customer lifecycle. Moreover, the impending reforms to the Privacy Act signal a new era in Australia’s digital ecosystem that can serve to elevate its global digital competitiveness. To minimise the opportunity costs of delayed action, organisations can take prudent steps now to enhance privacy readiness prior to the proposed legislative reforms coming into effect.
Within the Response, the Government’s five key areas of focus provide a compass through which to rewire an operational framework for improved privacy readiness. Key questions organisations could ask in determining privacy priorities include:
- Does my organisation adopt a privacy-by-design approach?
- What is my organisation’s response plan in the event of an eligible data breach?
- Does my organisation conduct Privacy Impact Assessments (PIAs) for high-risk privacy activities?
- Has my organisation audited its data collection, use and disclosure practices?
- Has my organisation mapped its data ecosystem to determine the third parties to whom data is disclosed?
- Is data collection fair and reasonable for the business purpose for which it is collected?
- Does my organisation adhere to the principle of data minimisation to mitigate cyber risk?
- Does my organisation link real-time consent status to the respective consumer’s data set?
- Does my organisation have centralised data governance to give effect to the fulfilment of consumer data rights?
- How does my organisation intend to reap the rewards of digital ecosystem participation amid heightened privacy obligations?
Innovation and Inertia: The Distinction between CX Leaders and CX Laggards
The winds of change are ushering in unparalleled opportunities for organisations to leap ahead of the competition in a dynamic consumer market. Yet, inertia remains the primary obstacle to innovation in the data-driven digital economy. Every decision to maintain the status quo is a decision to forfeit an invaluable innovation opportunity. Over time, the accumulation of lost opportunities translates to declining revenues compounded by macroeconomic uncertainty.
The world is evolving at an unprecedented pace, and the impending reforms to the Privacy Act will compel many organisations to change or cease. The time is now to choose between innovation and inertia as the decisive factor in unlocking endless opportunities for growth instigated by legislative reforms that could reshape digital markets. Change is the new normal in the digital economy, and the cost of complacency will be too high a burden to bear.
The evolving privacy landscape provides the precursor to distinguishing between the next generation of CX leaders and CX laggards. CX leaders will be characterised by their ability to drive data-driven differentiation through a privacy-first lens. The first step to fortifying innovation capability will be to build the privacy foundation from which to scale data-driven growth. Per the Government Response, the following non-exhaustive list of likely legislative proposals indicates the future direction of the Privacy Act and how organisations can seek to enhance privacy readiness now:
- Security of personal information
Organisations will be required to deploy both the technical and organisational measures to safeguard personal information (Proposal 21.1). Practically, this will mean that privacy compliance will no longer be within the sole purview of Compliance or IT departments. Rather, centralised data governance, enabled by a fit-for-purpose technology infrastructure, will be an organisational imperative.
- Automated decision making
Privacy policies should outline the types of personal information that will be used in substantially automated decision making that will have a significant effect on individuals (Proposals 19.1 and 19.2). Additionally, individuals will have a right to request information about how such decisions are made (Proposal 19.3). Accordingly, organisations will benefit from auditing the use of automated decision making and updating privacy policies to enhance transparency in relation to substantially automated decisions.
- Introduce a mechanism to prescribe countries with substantially similar privacy laws
Introducing a mechanism to determine adequacy will reduce the administrative burden associated with compliance in relation to cross-border data transfers (Proposal 23.2). Yet, for major trading partners without substantially similar privacy regimes, it will be critical for organisations to supplement an adequacy regime with other mechanisms to determine compliance in cross-border data transfers.
- Strengthen enforcement
The introduction of new mid-tier and low-tier civil penalty provisions for breaches that do not meet the ‘serious’ threshold, alongside powers to issue infringement notices for ‘low-level’ breaches (Proposal 25.1), will enhance the efficacy of enforcement. Moreover, it will empower the OAIC to fulfil its mandate as Australia’s independent national privacy regulator, with a view to creating fairer and more efficient digital markets for the benefit of consumers.
- Increase the threshold for valid data collection, use and disclosure
Whilst subject to further consultation and ‘agreed-in-principle’, the introduction of a fair and reasonable test for valid data collection, use and disclosure means that consumer consent will not cure illegitimate data practices (Proposals 12.1 – 12.3). If introduced, this reform will place a greater onus on organisations to ensure that data collection, use and disclosure is ethical and in the consumer’s interests, whilst alleviating the burden on consumers to decipher complex privacy policies and collection notices.
Rebooting Revenue through Trust
The Response to the Report underscores that future-ready privacy compliance sits at the intersection of governance, technology and strategy. Privacy is now an organisational imperative not merely confined to the domains of compliance or technology specialists. For the modern marketer, privacy is the foundation from which to foster CX-driven growth.
Tealium serves as a trusted advisor to the world’s most innovative brands to enable organisational transformation in a privacy-first digital era. Importantly, effective organisational transformation hinges upon robust data governance to address the requirements of impending reforms to the Privacy Act. To learn how organisations can achieve privacy-led value realisation across the data supply chain, access Tealium’s Org of the Future white paper.