Proposal focuses on ways for ‘public trust’ to be rebuilt, but legal experts remain ambivalent
Australian regulators have proposed sweeping changes to the country’s Privacy Act of 1988 that take the EU’s GDPR as a blueprint.
On December 14, the Office of the Australian Information Commissioner (OAIC) announced a new submission to the Australian government which seeks to revamp the Privacy Act 1988, featuring a set of principles designed for larger businesses to follow in the collection, handling, and disclosure of private information.
Data law renovation
The EU’s General Data Protection Regulation (GDPR) sought to modernize data protection, superseding older laws such as the UK Data Protection Act 1998, which do not necessarily apply well to modern technology and business practices such as bulk data collection, mobility, and the internet.
New Zealand’s government has also pursued data protection reforms, which came into effect on December 1.
Australia’s OAIC says that “changes are needed to ensure privacy protections remain consistent with the values of Australians,” and this includes the introduction of a “strong, fair and flexible privacy framework that prevents harm, protects fundamental human rights, and builds public trust to support a successful economy”.
If Australia wants to establish a data-driven economy, the OAIC claims, then trust needs to be rebuilt from the ground up – and this begins with laws that hold data controllers responsible for the information they collect.
‘Innovation with confidence’
According to Australian Information Commissioner Angelene Falk, if entities are regulated properly and have a “clear framework” to refer to, this, in turn, will prompt economic growth and allow “innovation with confidence”.
“Equally, when Australians have clear privacy rights and trust that their personal information is protected, they will feel confident to engage in the data-driven economy and to access services,” Falk added.
To achieve this end, the OAIC has published draft proposals – with a consultation period set to follow next year – in a 150-page document (PDF) that appears to lean heavily on GDPR to make recommendations for reform.
The OAIC has introduced amendments to the act to require organizations to “fairly and reasonably” protect data, comply with data protection laws, offer ways for individuals to exercise permission and control of their data, and for the framework’s principles to be in line with global standards, “thereby ensuring that personal information is protected wherever it flows”.
‘GDPR’ is mentioned 80 times when discussing the four main themes of the proposed reforms: the inclusion of global interoperability; privacy self-management; organizational accountability; and the need to introduce the right tools to fit both regulatory needs and community expectations.
These principles are all reflected in GDPR standards, as well as another recommendation: the option for individuals to launch lawsuits against organizations under the Privacy Act should a data breach occur.
Intrusion on seclusion
Speaking to The Daily Swig, Australian lawyer Patrick Fair, of Patrick Fair Associates, said such an amendment could “make possible class actions for ongoing privacy breaches more likely,” although the extent of damages payable is not yet known.
Fair also noted that adding fairness and reasonableness data handling standards is a proposal that follows on from the inclusion of the ‘unfair terms’ test in consumer contract law, but “if implemented with no clarity as to where the line for fairness should be drawn, it may cause difficulties in implementation”.
Another area of potential concern is the proposal of a statutory tort (civil wrong).
The agency has suggested five recommendations for “serious invasions of privacy”, some of which could cause conflict. Broadly, the OAIC proposes the creation of a tort that does not specify a fault element, so that it covers “intentional, reckless and negligent acts,” and is “not confined to intrusion upon seclusion and misuse or disclosure of private information”.
According to Fair, this is a “highly contentious” issue, and if it is based on the US concept of intrusion on seclusion – intentional intrusion by an individual to violate privacy – it could go beyond the data management principles in the act.
“Torts of privacy are usually based on the idea of ‘intrusion on seclusion’, a US concept that is different completely from the data management approach taken in the Privacy Act,” Fair said. “If this concept is to be progressed it should be the subject of a separate and extensive consultation.”
While the proposed changes are in the early stages, Tim Mackey, principal security strategist at the Synopsys CyRC, told The Daily Swig that businesses can still use this document as an indicator of what changes to future law they might expect.
Businesses should consider launching risk assessments in preparation for something resembling the draft proposals becoming Australian law.
“The OAIC relied on lessons from GDPR as well as input from the Australian Community Attitudes to Privacy Survey 2020,” Mackey said. “As such, any [entities] seeking to plan for future change can begin by conducting a comprehensive review of how they handle user-supplied data with an eye towards how that data might be classified under GDPR.”