
Almost a year after the Government announced that it agreed or agreed in-principle with 106 of the 116 recommended reforms in the Attorney-General’s Department Privacy Act Review Report 2022,¹ a ‘Tranche 1’ Bill has been introduced to address a suite of those recommendations. Many of the proposed reforms have, however, been deferred, with a draft of Tranche 2 to be developed for further consultation at a later stage.

For our detailed commentary on the Tranche 1 Bill, see here.

Together, the reforms in Tranche 1 and especially Tranche 2 (if it proceeds) represent the most significant changes to Australian privacy law since the 2014 reforms which introduced the Australian Privacy Principles (APPs).

Proposed changes include measures to expand the scope of the Act, stricter consent and notice rules, a broader ‘fairness’ standard, increased rights and new avenues of claim for individuals, enhanced regulatory enforcement tools, mandated privacy impact assessments, and more prescriptive rules in respect of data security, data breaches and data retention.

We will continue to share updates on the progress of Tranches 1 and 2. In the meantime, with increased penalties, regulatory enforcement and public scrutiny surrounding privacy and data security, it is more important than ever for entities to ensure they are complying with the current requirements of the Privacy Act, as well as anticipating the changes to come.

This article was originally published on 31 July 2024 and updated on 13 September 2024.

Key reforms ahead: What does this mean for you?

Key proposal(s): Expand the legislative definition of personal information to cover information or opinion that relates to (rather than is about) an identified or reasonably identifiable individual.

What to do next: Consider how an expanded definition of personal information will impact your data practices including those that rely on the use of technical data (e.g. in the context of targeted advertising).

Key proposal(s): Require entities to inform individuals when relying on substantially automated decision-making based on personal information where there is a legal effect or other significant effect for the individual. Some uses of AI involving personal information may also be captured by the reforms relating to ‘high privacy risk activities’, which will require entities to conduct a privacy impact assessment.

What to do next: Consider required updates to notices, policies and privacy impact assessment processes, and the implications of other upcoming changes to AI regulations on your use of personal information (including to train AI algorithms).


Key proposal(s):

  • Amend the Privacy Act to reflect the OAIC’s current guidance that consent (where required) must be voluntary, informed, current, specific, unambiguous, and easily withdrawn.
  • Require entities to provide additional information to individuals about their data handling practices, including in relation to overseas disclosures, high privacy risk activities and retention periods.
  • Expand the circumstances where consent is required (e.g. to collect, generate, use, or disclose geo-location tracking data, or trade in personal information).

What to do next: Consider required uplift of notices and consent practices, including for entities that rely on implied and/or ‘bundled’ consent (where consent is sought for a single document such as a privacy policy or terms and conditions, which deals with multiple activities). Consider timing of consent changes, balancing ‘future proofing’ against commercial impacts. Consider mechanisms to enable individuals to withdraw consent, particularly in respect of data sets you plan to use in the medium to long term. Ensure that the circumstances relating to overseas disclosures, high privacy risk activities and retention periods are understood internally, in preparation for needing to provide greater transparency about these matters.

Key proposal(s): Introduce GDPR-inspired rights for individuals including to obtain explanation about, or object to, the handling of their information, have their personal information erased where no longer needed and extend correction rights to generally available publications controlled by an APP entity.

What to do next: Consider systems, processes and resources needed to respond to individual’s exercise of their new and enhanced rights.

Key proposal(s): Require that the collection, use, or disclosure of personal information be fair and reasonable in the circumstances, regardless of consent, having regard to legislative factors such as reasonable necessity, individual reasonable expectations, the kind, sensitivity and amount of personal information, and impact on individuals.

What to do next: Identify and assess activities that are more likely to be considered unfair or unreasonable,² and consider potential mitigations.

Key proposal(s):

  • Require privacy impact assessments to be conducted prior to undertaking activities with high privacy risks, which may include some activities involving targeted advertising, individual profiling, sensitive information, children, automated decision making and sale of personal information.
  • Require entities to determine and record the purposes for which they collect, use and disclose personal information.

What to do next: Develop or enhance privacy impact assessment processes and templates. Develop or enhance approach to governance and compliance records and documentation, such as a privacy management plan and record of personal information holdings.

Key proposal(s):

  • Introduce an unqualified right to opt out of direct marketing.
  • Prohibit targeting of individuals based on sensitive information (unless socially beneficial) or targeting of children (unless in their best interest).
  • Require transparency about the use of algorithms and profiling in advertising.

What to do next: Consider the impact of the proposed changes on your promotional activities and ability to leverage data when engaging with customers. Consider interaction with other marketing laws, such as the Spam Act and Do Not Call Register Act.

Key proposal(s): Require organisations to meet baseline data security outcomes (e.g. confidentiality, integrity, availability – to be confirmed), adopt data breach response plans and notify the OAIC of eligible data breaches within 72 hours.

What to do next: Develop or enhance your data breach response plan. Ensure it is tested for effectiveness (e.g. training and data breach simulations). Assess the sufficiency of other cyber security and cyber resilience measures, including security controls and contractual data security protections.


Key proposal(s): Require organisations to document minimum and maximum retention periods for different types of personal information held, and provide further information about data retention in privacy policy.

What to do next: Develop or update a data retention policy, having regard to applicable statutory minimum data retention periods (e.g. under tax, corporate, employment, environment and other laws), litigation requirements, limitation of action periods and Privacy Act justifications for ongoing use of personal information. Prioritise analysis of high-risk and older records.


Key proposal(s):

  • Expand the OAIC’s enforcement toolkit including a tiered approach to civil penalties and enhanced coercive investigation powers.
  • Introduce a direct right of action and statutory tort for breach of privacy.

What to do next: Consider your exposure to increased class action and regulatory enforcement risk, noting that previous reforms in late 2022 also significantly increased the maximum penalties for Privacy Act breaches.


Key proposal(s): Limit the scope of the employee records exemption and, subject to consultation, enhance certain privacy protections for private sector employees. Potential areas where expanded obligations are likely include privacy notices, data security, data breach notification, data retention and rights of individuals (e.g. access, correction, etc).

What to do next: This is one of the more uncertain areas of the reforms at this stage, so should be watched closely for further details. Given the existing limitations on the scope of the employee records exemption, employers should in the meantime ensure they are currently compliant in respect of any human resources personal information that is outside the scope of the exemption.


Key proposal(s):

  • Make standard contractual clauses available to APP entities for use when transferring personal information outside Australia.
  • Introduce a mechanism to recognise countries and certification schemes as providing substantially similar protection to the APPs.

What to do next: Once the standard contractual clauses are made available, assess whether and when to adopt them for overseas transfers, and how to integrate them into existing contracts and templates. If on the receiving end, consider the extent to which the clauses can be accepted.

Key proposal(s): Introduce a controller-processor distinction in the Privacy Act, similar to the EU GDPR and data protection regimes in many other jurisdictions.

What to do next: Consider your organisation’s role(s) in the new regime, and prepare for updating contractual arrangements and procedures relating to supply chain management and data breach response.

How we can support you

While the implications of the privacy reforms will only be fully known once enacted and supported by OAIC guidance, the scale of the reforms means it is important for entities to strategically approach the program of work needed for compliance.

With a deep bench strength of privacy experts and cross-practice expertise in multiple jurisdictions, we offer a holistic approach to support your privacy and data protection compliance program.

We can leverage our experience supporting clients with the implementation of other data and consumer protection regimes in Australia and overseas to help you anticipate and prepare for the changes ahead, including through readiness assessments, repapering and review of policies, procedures, consents, contracts and privacy impact assessments.



  1. See our earlier briefings on the Attorney General Report and on the Government’s response.
  2. A 2023 Privacy Survey by the OAIC reveals that a large majority of Australians consider the sale of, or trading in, personal information (around 90%) unfair and unreasonable, as well as its use in automated decision making, online tracking, profiling and targeted advertising (around 70%, with the proportion increasing in the case of sensitive information or children’s information).


Key contacts

  • Kaman Tsoi, Special Counsel, Melbourne
  • Julian Lincoln, Partner, Head of TMT & Digital Australia, Melbourne
  • Peter Jones, Partner, Sydney
  • Katherine Gregor, Partner, Melbourne
  • Kwok Tang, Partner, Sydney
  • Cameron Whittfield, Partner, Melbourne
  • Aaron White, Partner, Head of TMT Asia, Brisbane
