In part one of The Shifting Sands of Data Privacy series, the path to modernising Australia’s privacy regime was outlined against the backdrop of a digital economy that hinges upon data. As lawmakers seek to create productive digital markets, a perennial challenge arises in engendering the consumer trust upon which data-driven innovation and growth are based. Fit-for-purpose data privacy laws can pay dividends in shaping a digital economy that serves the interests of governments, industry and consumers alike.
The imperative of a fit-for-purpose data privacy regulatory framework in a digital age led to the Australian Government’s extensive review of the Privacy Act 1988 (Cth) [Privacy Act]. A two-year review process culminated in the release of the Attorney General’s Privacy Act Review Report [the Report] in February 2023. The Report comprises 116 proposals for the reform of the Privacy Act. The proposed reforms endeavour to modernise Australia’s privacy regime in line with a maturing digital economy through achieving the policy objective of fair and efficient markets for the benefit of consumers.
The Privacy Act Review Report: Modernising Australia’s Privacy Regime
The Privacy Act Review Report’s proposals endeavour to modernise Australia’s principal privacy legislation and improve productivity in a digital economy. The Report’s key highlights are outlined via the 14 proposals below:
- Definition of consent: Consent must be voluntary, informed, current, specific and unambiguous. This standard remains unchanged from that within the Australian Privacy Principles [APPs]. The Report does not delegitimise implied consent, provided that it is unambiguous; however, informed consent that is expressly provided will serve to mitigate risk with respect to data collection and use.
- The fair and reasonable test: Organisations must act fairly and reasonably in the collection, use and disclosure of personal information. Accordingly, consent will no longer cure inappropriate data collection, use and disclosure.
- Broadened scope of the definition of personal information: The Report recommends changing the word ‘about’ to ‘relates to’ in the relevant Privacy Act provision regarding personal information to capture a broader range of information that can be regulated.
- De-identified information: De-identified information can only be considered as such to the extent that an individual is not identifiable or reasonably identifiable. Moreover, the Report proposes that protections for personal information be extended to cover de-identified information. Specifically, this will require organisations to protect de-identified information from a) misuse, interference and loss; and b) unauthorised re-identification, access, modification or disclosure.
- Introduction of the right to erasure: Currently, the right to erasure in limited circumstances exists under Australia’s Consumer Data Right (CDR) regime. The Report proposes the introduction of a limited right of erasure under the Privacy Act to allow personal information deletion requests to be made by individuals in specific circumstances.
- Reduction to a 72-hour time frame regarding Notifiable Data Breaches: The Report proposes reducing the time frame for reporting eligible data breaches to the Office of the Australian Information Commissioner (OAIC) to 72 hours. The 72-hour period commences from the point in time when an organisation arrives at a belief on reasonable grounds that an eligible data breach has occurred. Moreover, the Report proposes that organisations must notify impacted individuals ‘as soon as practicable’ upon concluding on reasonable grounds that an eligible data breach has occurred, whilst outlining the steps that the organisation will take to remedy that breach.
- Direct right of action: Individuals who have suffered loss or damage as a result of an interference with their privacy will have recourse to a direct right of action as an additional avenue of redress.
- Mandatory Privacy Impact Assessments (PIAs): The Report proposes the introduction of mandatory PIAs for all high-risk activities, i.e., activities likely to have a significant impact upon the privacy of individuals. Organisations will need to adopt the proportionality test to determine whether the associated privacy risk is necessary and proportionate to the business need for which data is collected.
- Introduction of the statutory tort of privacy: A tort is a legal wrong committed by a person/entity towards another person/entity, with a usual remedy of damages. This proposal intends to create a statutory tort for serious invasions of privacy that are intentional or reckless.
- Introduction of the concept of processors and controllers within Australian law: The introduction of the concept of processors and controllers will make the taxonomy of Australia’s privacy regime similar to that of the GDPR. Specifically, when processors act in accordance with the instructions of a controller, the processor will be bound by fewer legal obligations under the proposed reforms.
- Regulation of targeted advertising: The proposal prohibits the use of sensitive information in targeted advertising and content to individuals. Any targeting must be fair and reasonable, with transparency afforded to consumers in relation to the use of algorithms and profiling for recommended content.
- Regulation of the use of personal information in automated decision making: The Report proposes greater transparency with regard to personal information that is used in substantially automated decisions. It is also proposed that individuals be granted the right to request information in relation to the mechanics of automated decisions made utilising their personal information.
- Additional protections for children and vulnerable persons: Organisations will be required to make privacy policies and collection notices ‘clear and understandable’ to all demographics. Moreover, an organisation must have regard to the best interests of the child in its application of the fair and reasonable test for data collection, use and disclosure.
- Expanded enforcement powers and penalties: In addition to the enhanced penalties and enforcement powers granted to the OAIC through the passage of the Privacy Legislation Amendment [PLA] in December 2022, the Report proposes further measures to fortify the enforcement of the Privacy Act by way of new civil penalties and greater powers for the national privacy regulator.
Prioritising the Privacy Imperative: 3 Key Implications for Organisations
By considering the three key implications of the Privacy Act Review Report below, organisations can adopt effective measures to recalibrate their privacy compliance strategies:
- Board and senior management: The proposed reforms expand board responsibility and accountability. In turn, this requires boards and senior management to remain informed of changes to Australia’s privacy regime, with a view to recalibrating business models, ensuring effective data governance and facilitating top-down communication to aid in privacy compliance.
- Consent does not cure illegitimate data practices: The introduction of the fair and reasonable test requires that an objective standard of fairness and reasonableness be applied to determine whether data collection, use and disclosure is valid. In effect, this means that inappropriate data collection, use and disclosure cannot be cured through a grant of consent.
- De-identified information: The proposed reforms extend to the regulation of de-identified data sets to obligate organisations to protect de-identified information from 1) misuse, interference and loss; and 2) unauthorised re-identification, access, modification or disclosure. This will require organisations to transform their data governance frameworks, and ensure sufficient oversight and accountability in the use of de-identified information throughout the data lifecycle.
Tealium Transforms Trust in the Digital Era
Privacy is now inherent to business viability, and integral to any commercial strategy. Tealium partners with organisations globally to enable their privacy compliance strategies. With Tealium, organisations are empowered to achieve the following outcomes that improve privacy readiness:
- Data governance: A transparent, accessible and controllable data supply chain is the foundation upon which data governance that enhances privacy compliance is built. Tealium consolidates data within a centralised hub where regulatory requirements can be addressed before propagation to the wider technology ecosystem.
- Consent management: Tealium iQ Tag Management provides a built-in consent manager to safeguard consumer trust and privacy. Additionally, Tealium integrates with consent management platforms (CMPs) to enable a more robust data privacy infrastructure by orchestrating consent preferences and integrating them into a unified visitor profile.
- First-party identity resolution: As consumer trust is inextricably linked with commercial viability, Tealium’s customer data platform (CDP) can perform the identity resolution process utilising first-party data alone to safeguard privacy.
- Real-time cross-channel preferences: Tealium CDP consolidates customer records from multiple data sources within a single unified profile. Once this single customer view has been created, it can be utilised in segmentation rules across channels to prevent customers who have opted out from appearing in lists that would otherwise have targeted them.
- Upholding consumer data rights: Federal privacy legislation in key Asia-Pacific and Japan (APJ) markets grants consumers a set of rights in relation to their personal data. For example, Australia’s Privacy Act 1988, New Zealand’s Privacy Act 2020, Japan’s Act on the Protection of Personal Information and Singapore’s Personal Data Protection Act all grant a right of access. In addition, key APJ markets will soon introduce an economy-wide right to data portability. Without a CDP, the administrative burden associated with gathering all customer data stored across multiple systems to uphold consumer data rights is significant and fraught with risk. A CDP simplifies this process by providing a consolidated single source of truth for all customer data held by an organisation.
As privacy and consent market leaders, Tealium and Deloitte have collaborated to create a centralised consent management solution designed to enhance privacy readiness in line with evolving data privacy laws. Learn more by accessing our complimentary white paper: Consumer Data Right: The New Value Exchange.