“If implemented, the proposed changes will constitute the most substantial and wide-ranging set of reforms to Australian privacy law since the private sector changes to the Privacy Act enacted in 2001,” stated Paul Kallenbach, partner at MinterEllison

“Organisations across every sector of the economy will be affected.”

“While a number of the report’s recommendations would largely enshrine best practice into law (for example, data mapping; undertaking privacy impact assessments; and appointing a person with responsibility for privacy), implementing some of the obligations will require organisations to devote significant resources,” Mr Kallenbach explained. 

“These include giving effect to a new set of privacy rights (in particular the ‘erasure’ and ‘objection’ rights); shorter time frames for reporting data breaches; updating policies, notices and consent wording; and new requirements around ‘targeting’ individuals in connection with direct marketing activities and trading in personal information.”

“Organisations in highly regulated sectors (such as health and financial services), or that are subject to GDPR obligations, may be in a better position to address the changes than those that are not.”

Alec Christie, partner at Clyde & Co, weighed in.

“The scale and ambition of the proposals in some areas is a significant evolution (if not revolution) of existing Australian privacy law,” he said.

VIEW ALL

“The ‘realignment’ of Australian privacy law to the GDPR (especially the more significant changes proposed) will, if the government ends up adopting the relevant proposals, have a large impact on the procedures and policies needed by business to comply with this new Australian privacy law, requiring a significant uplift to meet these revised privacy requirements.”

“However, on the bright side, it will also result in easier personal data/information transfers from Europe/UK to Australia and possibly enable ‘adequacy’ for Australia, which will significantly reduce the current privacy-related hurdles for Australian businesses doing business in the EU/UK.” 

Robyn Chatwood, partner in intellectual property and technology at Dentons, said: “Overall, I view the report in a positive light — given the objectives to provide Australians with more control over their personal information and its use, as well as addressing some of the flaws in the current laws, which are over 30 years old.

“The laws in Australia have not really kept up with the digital era or growing expectations of Australians — and so a comprehensive update was well overdue.”

Coherence across levels of government

Ms Chatwood noted a valuable aspect of the proposals, in that they seek to promote the various governments at federal, state and territory levels to work together to harmonise their privacy laws.  

“At present, many of our clients are facing a complex web of legislated privacy obligations — at the Commonwealth level and at state and territory level. The report acknowledges the disparate information handling rules, inconsistency, and overlap,” she stated. 

“However, the proposals to address this complexity, which creates material compliance costs for many clients, are very modest at best.”

“This is very disappointing — Australia needs to reduce bureaucratic red tape more than ever as business grapples with a potential downturn.” 

Ms Chatwood noted that a single national framework for privacy, and a central regulator would help.

Changes in geolocation data and child protection

“It is not easy to encourage data-driven technology while protecting individuals’ privacy,” Ms Chatwood posited, but there are many proposals that aim to help in this area.

“Addressing the uncertain status and treatment of geolocation data will bring in a change to the definition of personal information which will expressly recognise collection, use, disclosure, and storage of geolocation tracking data as a practice which requires consent,” she explained.

“The report’s proposal at least makes it very clear that geolocation data is personal information — and it is certainty about its classification and treatment that is the greatest need for many clients.”

Another strong aspect of the proposal is the additional protections for children and vulnerable persons, highlighted Ms Chatwood. 

“The ‘little’ wording change in the definitions of personal and sensitive information from being ‘about an individual’ to being ‘related to an individual’ will have significant practical impact, substantially increasing the information currently collected by businesses, which will be subject to the Privacy Act/APPs,” Mr Christie commented.