At an event at the beginning of May, Attorney General Mark Dreyfus confirmed an earlier announcement by the Prime Minister that the Government will introduce a bill to amend the Privacy Act in August. Speaking at the Privacy by Design Awards in Sydney, the AG gave some broad indications of what we might expect to see in the bill. Unfortunately, his comments also seemed to include statements about the Government’s broader long-term agenda and matters that might not be addressed in the bill. We will know more detail about which specific reforms will be included once the bill is introduced to Parliament.
In his speech, the AG noted that recent large-scale data breaches and other cyber incidents have shown that the Privacy Act is “woefully outdated” and “not fit for purpose for our modern economy”, a sentiment many no doubt share.
The bill will also address “doxing” (the malicious sharing of personal information) and legislate against online hate speech.
Although the speech presented a “big picture” view of the bill rather than focusing on the details, it is clear that it will include:
- Updated requirements for privacy notices and policies (especially regarding automated decision-making).
- The introduction of a “fair and reasonable” test restricting what personal information can be collected and used.
- A requirement for more entities to carry out Privacy Impact Assessments (especially in relation to the use of biometrics and facial recognition).
It was unclear whether other reforms would be included in the bill, or if the AG was simply restating the commitments set out by the Government in its response to last year’s Privacy Act Review Report (“the Report”). Those commitments were qualified by being described as “agreed in principle” or as matters the Government was “considering”. It seems likely that the bill will include all of the Report’s recommendations that the Government has fully accepted, along with all or most of those accepted “in principle”.
The specific changes mentioned in the speech would be real game-changers, however, as they include the introduction of a statutory tort of serious breach of privacy and a direct right of action to seek remedies under the Privacy Act. These changes would make it much easier for individuals to take direct court action following breaches of their privacy rights.
Significantly, there was no mention of removing the current small business exemption to most obligations under the Privacy Act. In its response to the Report, the Government committed to this in principle, but only following consultation with small businesses. The response also foreshadowed removing the exemption from small businesses that collect biometric data.
Once the details of the bill become clear, we will have a much better idea of what to expect and the timetable for the introduction of those changes. It seems certain, though, that big changes to Australia’s privacy regime are not far off.