A laundry list of proposals to drastically overhaul and expand Australia’s outdated privacy protections has excited privacy and digital rights activists, who are urging the government to act on them immediately.
Last week, the Attorney-General’s Department released the Privacy Act review, the culmination of a glacial process kicked off by the 2019 Australian Competition and Consumer Commission’s 2019 Digital Platform Inquiry.
Against the backdrop of a rapidly changing policy environment — the COVID-accelerated online transformation of the Australian economy and culture, privacy breaches from major companies impacting tens of millions of Australians, a royal commission into the impact of the government’s algorithmic robodebt debt-recovery program — the 320-page report includes more than 100 individual recommendations and 12 major proposals.
These include:
- Expanding Australians’ individual rights to include a right to an explanation about how their personal information is used, to object to it being used, to have it erased and even to have internet search results about them de-indexed or corrected.
- Giving Australians the ability to sue over loss or damage from a breach of privacy (known as a direct right of action) and introducing a statutory tort of serious invasions of privacy that could be used to sue over invasions of bodily and territorial privacy like recording a conversation or searching someone’s home without permission.
- Updating the Privacy Act to include information like location and predicted behaviour under personal information protections; and to water down exemptions for small business.
- Raising the bar for businesses’ requirements to keep Australians’ personal information by introducing a “fair and reasonable” test.
- Providing Australians more information about and allowing them to opt out of targeted advertising.
- Requiring transparency about automated decision-making that has a significant effect.
Salinger Privacy’s principal Anna Johnston told Crikey she was pleased with the review’s proposals that were “more or less” in line with what was discussed in the department’s 2021 discussion paper.
“These are the reforms that we clearly need to bring the Privacy Act into line with the laws around the world, the realities of the digital economy, and more importantly, to reflect the expectations of Australians for how they want their privacy respected,” she said.
While welcoming proposals like the fair and reasonable test, Johnston also said it was disappointing the review stopped short of completely dismantling exemptions for small business, political parties and media organisations. Overall, Johnston said it was frustrating to have yet another round of consultation before the Albanese government would consider taking legislative action.
“We know there’s a very strong community will to have better privacy protections, and that’s even more so after the Optus and Medibank situations,” she said.
Digital Rights Watch program lead Samantha Floreani was complimentary of the review’s breadth of proposals — ”it’s bolder than I expected it to be” — singling out the direct right of action and the statutory tort of serious invasions of privacy as two significant proposals. She also cited proposed restrictions about what information can be disclosed overseas as potentially reining in the impact of global data brokers.
Like Johnston, Floreani pushed for the government to expedite the process of introducing new protections.
“Another consultation period could mean dragging this whole process out,” she said.
The Attorney-General’s Department is accepting feedback for the government’s response to the review until March 31.
Yes, it is very disappointing. What possible justification can there be for not applying a ‘fair and reasonable’ to these also? If, for example, if it is too difficult and expensive for a small business to apply certain measures for privacy protection, then a fair and reasonable test is enough to excuse the small business. Exempting small business, political parties and media organisations completely from the provisions means they can apply unfair and unreasonable practices concerning the privacy of others with total impunity. It is likely the inclusion of small business and media organisations in this is just cover for the real point of the exemption. As always happens, our politicians believe they should be above the law, and so they write the laws that way. Just ask yourself how often a minister or the PM in the last government smugly insisted that ‘no law was broken’ after being found mired in yet another disgraceful scandal. The biggest scandal is that such claims are nearly always true.
Only seriously malignant abusers of privacy could find these bleedingly obvious recommendations controversial. So, just get on with the legislation and get on with consultations about how much further we should go.
Think Labor could take the opportunity to revisit, like in the ’80s, European now EU policies, regulation, standards and penalties on relavent issues e.g. data privacy via the EU GDPR?
Although there is much ignorance &/or antipathy encouraged by the media towards regulation and the EU in the conservative parts of the ‘Anglosphere’, it may come back and bite their bums due to the ‘Brussels Effect’ i.e. requires compliance on supply chains and services by non EU players.