The federal government will implement reforms to provide greater transparency around automated decision-making and improve online safety for children as part of its long-awaited response to the Privacy Act review but will consult further on many of its major recommendations.
While the federal government will move to legislate a handful of recommendations from the two-year review in 2024, some of the most significant proposals from it – including the introduction of a direct right of action for privacy breaches and the removal of the small business exemption – will be consulted on further, with no timeline given for their implementation.
Calls to limit the political party exemption from the Privacy Act and to allow individuals to opt out of targeted advertising were merely “noted” by the federal government.
The review, which had been sitting with the government since February, emerged from the competition watchdog’s 2019 Digital Platforms inquiry report.
Of the 116 recommendations in the final report, the federal government has agreed with 38, agreed in-principle with 68, and noted 10.
Included among the proposals which the government intends to legislate next year are further protections around automated decision-making, the development of a Children’s Online Privacy code, and the introduction of mid and low-tier civil penalty provisions for privacy breaches.
Action will be taken to ensure that privacy policies set out the types of personal information that will be used in “substantially automated decisions” with a legal impact on someone’s rights, and for high-level indicators of the types of decisions to be included in the Privacy Act.
Individuals will also be given the right to request meaningful, jargon-free information on how automated decisions impacting them were made.
“This would include decisions on denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and healthcare services, or access to basic necessities such as food and water,” the government response said.
Reforms to automated decision-making were agreed to in the light of the damning Robodebt Royal Commission.
A Children’s Online Privacy code will also be developed to provide greater protections for children online, while a suite of additional protections such as banning targeted advertising to children and the trading of personal information will be considered.
The government has agreed to introduce a new mid-tier civil penalty provision for interferences with privacy that don’t meet the “serious” threshold, along with a low-level civil penalty for privacy breaches. The Federal Court will be given the power to make any order it sees fit after these civil penalties are established.
The threshold for these penalties will be amended, with the government to remove a requirement that they be “repeated”.
The Privacy Act will also be amended to recognise the public interest in protecting privacy and that its focus is on information privacy.
Agreeing in-principle to maybe do something later
The federal government has agreed in-principle to most of the major recommendations from the review, meaning it will conduct further engagement and an impact analysis on the issues. As a result, any legislative changes could still be years away.
One such recommendation from the Privacy Act review was for the introduction of a direct right of action for individuals whose privacy has been breached, meaning they can access the courts to seek remedies for breaches of the Act.
The government agreed in principle to a model in which an individual would first have to lodge a complaint with the Office of the Australian Information Commissioner and then go to the courts if it is unlikely to be resolved.
The introduction of a statutory tort for serious invasions of privacy, covering individuals whose privacy is invaded in circumstances outside of the Act through serious intrusions into seclusion or a serious misuse of private information, was also agreed to in-principle.
Further consultation will take place on both of these proposals, and no timeline has been given by the government on their potential introduction.
Currently, small businesses with annual turnover of less than $3 million are entirely exempt from the Privacy Act. The review recommended that this exemption be removed “in light of the privacy risks applicable in the digital environment”.
Again, the Labor government agreed in-principle to this but will consult further with small businesses and other relevant parties before it takes action.
“This would inform consideration of what privacy obligations should be modified for small businesses to ease the regulatory burden and what support small businesses would need to adjust their privacy protections to facilitate compliance with new privacy obligations,” the government said in its response.
While this is taking place, small businesses engaging in activities with a “significant privacy risk”, such as involving biometric information, will no longer be able to use the exemption.