A new funding model and enhanced enforcement powers are among proposals for change in a review of the Privacy Act 1988 (Cth), writes Annelies Moens FAICD.
The Attorney-General’s Department has proposed a new industry funding model similar to the Australian Securities and Investments Commission (ASIC) regulatory model to support the privacy regulatory functions of the Office of the Australian Information Commissioner (OAIC) — as set out in a discussion paper released in October 2021. Over 200 submissions were received in response earlier this year.
The model incorporates two components — a cost recovery levy to help fund the OAIC’s provision of guidance, advice and assessments; and a statutory levy to fund the OAIC’s investigation and prosecution of entities operating in high privacy risk environments. Cost recovery and statutory levies operate in other regulatory models. According to the Attorney- General’s discussion paper, “around 90 per cent of ASIC’s regulatory activities are now recovered in the form of industry funding levies with the remaining 10 per cent recovered via fees for service”.
The new proposed funding model is one of 67 proposals for change to the Privacy Act 1988 (Cth).
The Attorney-General’s Department will review submissions to inform the final report.
Enforcement powers
Further penalties are proposed for interferences with privacy that are not serious or repeated (a new mid-tier civil penalty provision). The quantity of those lesser penalties is still to be determined. A new power to issue infringement notices for administrative breaches of the Australian Privacy Principles (APPs) is also proposed — for example, an infringement notice for not having a privacy policy. Other regulators, such as ASIC, ACCC, eSafety Commissioner and Safe Work Australia have similar infringement notice powers already.
This follows the intended tougher penalty regime in the Privacy Act, lining up penalties to match those in the Competition and Consumer Act 2010 (Cth), namely the higher of $10m, three times the benefit received, or 10 per cent of the annual domestic turnover for serious or repeated interferences with privacy.
A direct right of action for complainants to have their claim for breach of privacy heard in the Federal Court or Federal Circuit Court is also proposed after OAIC review.
Proposals for legislative change
Australian Information and Privacy Commissioner Angelene Falk considers key areas for substantial change include the proposed introduction of a “fair and reasonable” test for the collection, use and disclosure of personal information and increasing accountability. The intent of a “fair and reasonable” test is to take into account community expectations, social responsibility and potentially, societal harms — thus recognising “privacy” as not just an individual right, but also a societal right or collective concern. It is intended this be reflected in the objects of the Privacy Act, with a change to make it clear “the subjective interests of entities are not relevant if their functions and activities are not in the public interest” when balancing their interests with privacy.
Another area of substantive reform is increasing accountability by assessing the privacy risks of high- risk personal information handling activities. This would be done through, for example, the conduct of a privacy impact assessment (PIA).
The OAIC considers conducting PIAs to be a reasonable step to take under APP 1.2, depending on the project’s size, complexity and scope, and the extent to which personal information will be collected, used or disclosed. (See OAIC investigation into Clearview AI Inc [2021] where the US-based company was ordered to cease collecting images of Australians and destroy all the images it had collected of Australians with its controversial facial recognition software.)
High-risk personal information handling activities include, for example, large-scale:
- Collection, use or disclosure of sensitive personal information, children’s information, location information, biometrics (such as facial images)
- Processing of personal information using automated decision-making
- Online targeted advertising or selling personal information
- Influencing of individual behaviour or decisions
Online privacy code
In addition to comprehensive proposed changes to the Privacy Act, a separate code is planned targeting large online platforms, social media and data brokerage services. This is outlined in the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The intent of the code is to protect the personal information of children and vulnerable persons.
This will include verifying the age of individuals using electronic services and obtaining consent from parents or guardians for processing children’s personal information.
Annelies Moens FAICD is managing director of privacy consultancy Privcore and co-founder of the International Association of Privacy Professionals in Australia and New Zealand.
Latest news
Already a member?
Login to view this content