“Some proposals which are likely to have a significant impact include the fact that entities would need to notify the Australian privacy regulator of eligible data breaches within 72 hours; individuals would be provided with a right of erasure, also known as a ‘right to be forgotten’ (similar to the UK/EU GDPR data protection regime); and a direct right of action for interference with privacy — and for larger organisations, they would need to appoint a senior employee (who reports to management) as a privacy officer,” explained Ms Sharma. 

“Organisations need to be taking steps now to prepare for these drastic proposed changes,” she stated. 

“We strongly recommend that all organisations, regardless of size, urgently conduct a data mapping exercise to understand what personal information and other data they currently handle, what consents and notices they currently provide, and what policies, procedures and other organisational measures are currently in place,” she said. 

“Without this baseline understanding, entities will struggle to be in a position to comply with changes to the privacy laws that result from this review. Organisations can’t afford to sleep on this issue,” stated Ms Sharma.

“The stakes are higher than ever before, with the increased powers and penalties that recently came into force following the Optus and Medibank data breaches, the constant and increased threat of cyber attacks and the need to foster community trust,” explained Ms Sharma.

“The key message is that privacy is complex, and organisations need to be proactive in preparing for these changes,” she added. 

Paul Kallenbach, partner at MinterEllison also commented.

VIEW ALL

“While a number of the report’s recommendations would largely enshrine best practice into law (for example, data mapping; undertaking privacy impact assessments; and appointing a person with responsibility for privacy), implementing some of the obligations will require organisations to devote significant resources,” he told Lawyers Weekly.

“These include giving effect to a new set of privacy rights (in particular the ‘erasure’ and ‘objection’ rights); shorter time frames for reporting data breaches; updating policies, notices and consent wording; and new requirements around ‘targeting’ individuals in connection with direct marketing activities and trading in personal information,” he explained. 

“Organisations in highly regulated sectors (such as health and financial services) or that are subject to GDPR obligations may be in a better position to address the changes than those that are not,” noted Mr Kallenbach. 

“For global organisations and those organisations that disclose personal information overseas, some of the proposed changes may be quite helpful (for example, a whitelist of overseas countries and standard contractual clauses),” he noted.

“By moving Australia towards a GDPR standard, it’s more likely that Australia could achieve adequacy status (although retaining aspects of employee records and small business exemptions may adversely impact this),” he added. 

Robyn Chatwood, partner in intellectual property and technology at Dentons, also discussed how lawyers can advise organisations. 

“Australia is now clearly catching up to the higher standards elsewhere amongst its trading partners,” Ms Chatwood mused.

“Developments associated with new data subject rights in particular need to be followed closely — as they will create some of the greatest impact on day-to-day operations for business (such as rights of objection and rights of erasure),” she told Lawyers Weekly. 

“It will be important to make clients aware that the era of privacy class actions is dawning, and so board preparation will be key, so that boards understand the responsibilities and put appropriate resources into preparing for the reforms,” added Ms Chatwood.