Submissions sought for Australia’s Privacy Act review

Should the definition change to provide more coverage for:

• technical data
• inferred personal information (eg data combined from multiple sources for customer profiling)
• de-identified data (until it is permanently anonymised)
• deceased individuals?

Are the APPs sufficiently scalable and adaptable?

Are the mechanisms (eg regulations, APP codes) available to deal with more specific types of entities, information and activities appropriate?

Should any of the following exemptions be removed or modified:

• small business
• employee records
• political parties
• journalism?

How should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed?

How can individuals’ awareness and understanding of the handling of their personal information be improved, while limiting regulatory burden and information overload?

Would a standardised notice framework (eg using standard words and icons) assist?

Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information?

What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed?

Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information?

If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary or central to providing the relevant product or service, should that be grounds to deny them access to that product or service?

What requirements should be considered to manage ‘consent fatigue’ of individuals?

Should pro-privacy defaults be required for certain uses and disclosures of personal information?

Should specific requirements be introduced in relation to how entities seek consent from children?

Should entities be required to refresh an individual’s consent on a regular basis?

Should entities be required to expressly provide individuals with the option of withdrawing consent?

Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities? Are the current ‘permitted general situations’ and ‘permitted health situations’ exceptions appropriate?

Are APP 8 and section 16C on overseas disclosure (restrictions and exceptions) still appropriate?

Are the exceptions in sections 6A and 6B for overseas conduct required by foreign laws appropriate?

Should there be restrictions on overseas use (as opposed to disclosure) of personal information, eg storage by overseas cloud storage providers?

Should Australia seek EU ‘adequacy’ status under GDPR to facilitate transfers of personal data from the EU to Australia?

What are the challenges of implementing the APEC Cross-Border Privacy Rules? Should a separate privacy compliance certification scheme be developed?

• Data security
• Requirements to destroy/de-identify personal information no longer needed
• A new right of erasure
• Overcollection of personal information
• Individual rights to access and correct their personal information
• Enforcement
• A new direct right to sue for invasion of privacy
• Notifiable data breach scheme
• Interaction between the Act and other laws