Proposed changes to Australian privacy laws

Private businesses with a turnover of AU$3 million or more operating in Australia must comply with the Privacy Act in relation to customer and other personal information they collect. Certain other prescribed businesses have obligations irrespective of their turnover. Obligations include having a clearly expressed and up-to-date privacy policy and notifying affected individuals and the Office of the Australian Information Commissioner in the event of a data breach which is likely to result in serious harm. Adopting a data breach response plan is a prudent way to ensure the latter obligation is fulfilled.

The expansion of social media and online platforms which commercialise personal information has led the Government to review Australia’s privacy laws. Significant increases in penalties for breaches and other reforms are expected. Although the changes have been prompted by concerns regarding online privacy, many of them will apply to businesses whether or not they operate or interact with online platforms.

The Australian reforms coincide with a current global trend towards enactment and strengthening of data privacy laws.

Proposed changes to the Privacy Act

The Australian Competition and Consumer Commission’s Digital Platforms Inquiry report, released in July 2019, included recommendations for changes to Australia’s privacy laws. A number of those recommendations mirror proposed changes previously announced by the Government (24 March 2019). In its 12 December 2019 response to the ACCC’s report, the Government confirmed the following key proposed changes:

  1. Increasing the maximum penalty for serious or repeated breaches from AU$2.1 million to the greater of AU$10 million, three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover.
  2. Amending the definition of “personal information” under the Privacy Act to clarify that it includes technical data (e.g. IP addresses, device identifiers, location data, and other data that may be used to identify a person).
  3. Revision and strengthening of the notification requirements including specific requirements for collection from children.
  4. Revision and strengthening of the consent requirements including by requiring a clear affirmative act.
  5. Creating a direct right of action for compensation by a person for breach of their privacy.
  6. Introduction of an enforceable code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and to obtain more specific consent from users when they collect, use and disclose personal information. Platforms will be required to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information.

Prior announcements indicated that consultation and development of draft amending legislation would be completed in 2020. Query whether COVID-19 will delay this process.

Consumer Data Right – banking, energy, then telecommunications sectors

A consumer data right was announced by the Government on 26 November 2017. It allows a consumer to require his or her data to be securely transferred to an accredited provider so the consumer can investigate, compare and access services more easily. It is intended to improve consumers’ ability to compare and switch between products and services and encourage competition between service providers.

The introduction of the CDR will be staged, applying first to the banking sector and then to the energy sector. It is proposed that the telecommunications sector will follow. In relation to the banking sector, consumer data relating to credit and debit cards, deposit accounts and transaction accounts is available from 1 July 2020. Consumer mortgage and personal loan data will be able to be shared from 1 November 2020.

Up-regulation and trend towards consumer control

The proposed changes to the Privacy Act, though driven by concerns regarding collection and use of personal data online, will have a significant impact on all businesses that collect personal information and are bound by the Act. Changes to notice and consent requirements are likely to necessitate changes in data collection and handling procedures and documents for these businesses. The proposed maximum penalties for non-compliance are severe.

These privacy reforms and earlier reforms including the Notifiable Data Breach scheme and introduction of the CDR demonstrate that Australia is moving with other jurisdictions internationally towards increased regulation of data privacy, providing a greater level of protection to individuals and giving individuals a greater level of control over how their information is collected, used and disclosed.

If you have any questions in relation to compliance with privacy laws in Australia, please don’t hesitate to contact us.