A major review into the Privacy Act, handed down last week, has largely been welcomed by privacy advocates who have long called for reform, but the government needs to stick the landing with legislation to convince sceptics it’s interested in more than just political theatre.
For three years, the Attorney General’s department has been going over legislation that governs how organisations store and use our private data with a view of bringing the Privacy Act in line with community expectations and business practices of the 21st century.
Angus Murray, partner with Brisbane law firm Irish Bentley and Vice President of the Queensland Council for Civil Liberties, called the review an “an overwhelming positive step” that has “eloquently picked up a lot of things contained in submissions”.
But he, along with other privacy advocates, has said “proof of the pudding” will be in the legislation that is still to be drafted.
Murray anticipates a few issues will be hotly contested in the upcoming consultation phase, especially proposed changes to the small business exemption.
Currently, businesses with less than $3 million annual turnover are broadly exempt from the Privacy Act – an exemption the Attorney General’s department has proposed should be removed (but only after further analysis and consultation).
“In my view this is the right thing to do. In the digital age we live in, most businesses hold information – that is a part of doing business,” he told.
“The interesting thing will be how the balance is drawn between commerciality and privacy.”
Murray said he would like to see the language “tightened up” around emergency declarations – which lets entities bypass privacy controls to share information with one another in an emergency situation – warning the wording about ongoing emergencies could be “open for all sorts of abuses”.
He also wants to see proposals about automated decision making “go further”, noting that the EU’s General Data Protection Regulation (GDPR) includes a right for people “not to be subject to a decision based solely on automated processing, including profiling”.
Businesses should do better
Anna Johnston, principal of consultancy Salinger Privacy, said it was “frustrating” that there would be further delays before exemptions are removed but welcomes reforms to the Act.
“In reality, businesses should already be paying more attention to what customer data they’re keeping, and practising better data hygiene in terms of disposing of data as soon as it is no longer needed,” she said.
“The large-scale Optus and Medibank data breaches in late 2022 have shown us all that the privacy damage done by data breaches is unnecessarily made worse if businesses are holding on to personal information well past its use-by date.”
Another potentially contentious element of the Privacy Act review is to protect information that has been inferred or generated from other data, for example through machine learning or data analytics processes.
This is something ACS argued for in its submission to the Attorney General’s Department, but which has been opposed by big tech and social companies including Facebook which tried to argue that inferred data is owned by the company who creates it, not the individual about whom the data was inferred.
Samantha Floreani, Program Lead for Digital Rights Watch, told Information Age expanding the definition to include inferred and generated information is “critical” given the way definitions “act as a gatekeeper” for how privacy legislation is enforced.
“So many platforms’ business models work on inferring from data about their users,” she said, adding that it would be “good” if an updated Privacy Act negatively impacted Facebook.
Floreani said overall she thought the review was “pretty positive” and that she was pleasantly surprised by the inclusion of both a statutory tort and direct right of action that will give individuals a greater ability to fight for their privacy in the courts.
Proposed rights for erasure and de-indexation, which are complex features of the GDPR, were also surprising, if not welcome, inclusions.
Hard not to be cynical
Of course, it’s possible not every proposal will find its way into law and Floreani is reserving her praise until legislation lands.
“This is the third round of public consultation on the same set of issues and a lot of these proposals have been around for a decade,” she said.
“It’s hard not to be cynical about it. Privacy has, for a very long time, been a low priority for the Australian government.”
Justin Warren, managing director of IT consulting firm PivotNine, said it has long felt like the government “will do the right thing on privacy once it has explored every alternative” and said the latest report could just as easily sit on a stack.
“Is our privacy going to be protected or not?” he rhetorically asked Information Age.
“Sure, there’s a regulatory burden on business, but what about the burden placed on individuals who are having their private information scattered all over the internet?”
Warren said it was “excellent” to see the proposed definition of ‘consent’ expanded so that data collection must be done with “voluntary, informed, current, specific, and ambiguous” consent.
He was also heartened by updates to the object of the Act “to recognise the public interest in protecting privacy”.
“Those things together should do a lot to improve the privacy of everyday people and should close some of the loopholes that see rapacious surveillance companies spy on people for profit,” Warren said.
“If Australia wants to remain a liberal democracy, it needs to do liberal democracy things and protecting privacy one of those.”