Privacy Act Review: Discussion Paper
The Law Council commends the Attorney-General’s Department on the long-term consultation process regarding the review of the Privacy Act 1988 (Cth) (Privacy Act). The comprehensive Discussion Paper considers the submissions made in the first round of consultation in detail and has continued to refine the proposals to balance the best interests of individuals and organisations in relation to privacy.
The Privacy Act has now been in operation for over 30 years and the Privacy Amendment (Private Sector) Act 2000 (Cth) was introduced some 20 years ago, extending privacy obligations to the private sector to provide a minimum set of privacy protections for individuals. During this time there have been significant changes to the landscape in which these pieces of legislation operate and therefore the Law Council welcomes the current review of the legislative framework.
While the Law Council has not had the opportunity to respond to all of the proposals set out in the Discussion Paper in the time provided, this submission addresses the following key matters set out in the consultation process:
- support for updating and clarifying the definition of ‘personal information’ under the Privacy Act, including a reconsideration of the definition of personal information with a view to clarifying the uncertainty regarding technical data;
- recognised opportunities to implement standardisation with respect to complying with particular requirements of the Privacy Act and Australian Privacy Principles (APP), particularly in relation to Privacy Notices, Consents, and Standard Contract Clauses for overseas disclosures;
- in-principle support for the proposal set out in the Discussion Paper to create tiers of civil penalty provisions to provide the Office of the Australian Information Commissioner (OAIC) with more options to better target regulatory responses, noting that it is critical that the OAIC be appropriately resourced to apply to the courts for civil penalties for serious or repeated interferences with privacy and to further its enforcement activities;
- a need to clarify (and in some cases reconsider) existing exemptions under the Privacy Act, including in relation to small businesses, employee records and journalism;
- reflections on the proposal to create a private right of action under the Privacy Act’s data protection regime, noting that any such step will require careful consideration of the drafting to ensure that there are no unintended consequences and all causes of action as updated by the reform process can be considered in context;
- support for the development of a statutory tort of serious invasion of privacy, on the condition that there are sufficiently high thresholds in place to ensure actions are limited to serious invasions of privacy and that the scope of the statutory tort is carefully considered and drafted to address the risk of unintended consequences; and
- support for the creation of a Commonwealth, state and territory working group to harmonise privacy laws and focus on key privacy issues.
In relation to the final point above, and in the context of other current reforms impacting on Australian privacy law, it is critical that there be a concerted effort to avoid fragmentation in the reform process in order to reduce the likelihood of uncertainty and unintended consequences for those subject to the Australian privacy framework.