Attorney-General Mark Dreyfus yesterday released a report with 30 proposals for updating Australia’s privacy regime. The proposals are practical, necessary and overdue. However, they are just proposals, which have been made several times in the past before disappearing into the “too hard basket” of the Australian, state and territory governments.
We can expect to see lots of noise about specific proposals and hope the Albanese government (copied by state/territory counterparts) gives us the legislation we need.
Making sense of the report
At a superficial level, the report gives effect to an election commitment – a promise to do something about federal privacy law, which is centred on public/private data collection and use (often online), rather than state/territory law dealing with activity such as strip searches, public hospital records, hidden cameras in toilets or senior figures distributing nude photos of rivals.
More deeply, it is a recognition that, as part of the global economy where data and investment flow across borders, Australia continues to limp behind law and administration where protecting privacy is concerned. Updating the Privacy Act also reflects recognition of challenges facing business and government in the world of ransomware, big data and artificial intelligence.
Unhappiness with the “she’ll be right, mate” approach of some large organisations and the failure of the key national privacy regulator (under-resourced, under-skilled and slow to act) was evident in the recent Optus and Medibank data breaches.
The proposals are not new. They have been voiced in detailed law reform commission reports, national and state parliamentary committee reports, statements by independent bodies such as the Law Council and academics over the past 20 years. The lack of action to date means Australians might be sceptical about what will happen once the government is lobbied by those whose interests are served by keeping things as they are, and it is again tempted to kick the can down the road.
What do the proposals cover?
It is important to remember that states and territories have significant responsibilities regarding privacy. The proposal to set up a working party involving those governments provokes thought about why that hasn’t been done already.
The initial proposal calls for changing the 1988 Privacy Act to explicitly recognise that privacy is in the public interest, something that shouldn’t be controversial and offsets the absence of a human rights framework in the national constitution. After that, we are into some positive steps forward. However, these are tempered by a lot of “let’s wait and see the administration” before starting to celebrate.
The report retains the overall structure of the 1988 Act but, crucially, extends its coverage, in particular on what is “personal information”. It calls for consultation about criminal penalties and for prohibiting some of the ways organisations have got around restrictions.
It proposes consultation about removing the exemption for small businesses (those under A$3million) and about the handling of employee records. The major exclusion of political parties – a common source of unhappiness – would be modified. Journalists would be expected to behave better.
The report emphasises meaningful consent. In the collection of personal information, consent must be
voluntary, informed, current, specific and unambiguous.
This would bring Australia into line with Europe and indeed with much of our existing law, such as that administered by the Australian Competition and Consumer Commission.
We can expect controversy about a proposed right of “erasure” and about “de-indexing”. This is referred to as the “right to obscurity” in Europe, and means some personal information stays online but is not highlighted in search engine results. Individuals would need to ask for that obscurity, and it would not be granted for serious criminal offences.
There have been recurrent proposals for a “privacy tort”: this means people whose privacy has been seriously invaded could take action in a court to stop the invasion and/or gain compensation.
The report endorses this recommendation by the Australian Law Reform Commission. It also proposes a “direct right of action” under the current act. This implicitly offsets the weakness of the Office of the Australian Information Commissioner (OAIC), one of the two national information privacy watchdogs.
The report grapples with data breaches such as the recent Optus and Medibank incidents. Proposals regarding mandatory reporting of such breaches tweak the current regime.
There is likely to be more push-back from business and public sector organisations regarding a proposed requirement for those bodies to “identify, mitigate and redress actual and reasonably foreseeable loss”. This is a first step towards persuading organisations to meaningfully lift their game and compensate for harms.
It’s too soon to cheer
On the surface, the report is a major step forward, something that business and the community should strongly endorse. In practice, we need to look beyond the headlines and see the details of how the proposals would be written into law, and whether the attorney-general can harness support in the face of the usual strong lobbying.
Proposals that there will be discussion, yet again, don’t provide much comfort. More worryingly, the proposals centre on the development and implementation of guidelines and standards by the OAIC.
In practice, the report proposes to perpetuate existing problems involving a regulator with a timid corporate culture and a commitment to interpreting the legislation through the eyes of the bodies it is meant to regulate. Change is better than good intentions.