'Not fit for purpose': Attorney-General confirms tough new privacy regulations

By AdNews | 6 May 2024
Credit: Tim Mossholder via Unsplash

Attorney-General Mark Dreyfus will be bringing forward legislation in August to overhaul the Privacy Act.

In a speech delivered at the Privacy By Design Awards, Dreyfus confirmed recent large-scale data breaches and the rise of artificial intelligence have accelerated the need for regulatory reform.

“The Privacy Act, which is the primary vehicle for regulating personal information of Australians, is woefully outdated and unfit for the digital age,” Dreyfus said. “The speed of tech innovation and the rise of artificial intelligence underpins the need for legislative change.

“It is clear that personal information has immense value – not just to individuals, but to those engaged in marketing, research, product development and advertising. But the Privacy Act framework dates back to the 1980s and is not fit for purpose for our modern economy.

“It's past time we stopped treating the most personal and private information of Australians as an asset that entities hold.”

Following major data breaches in late 2022, the Federal Government developed amendments to the Privacy Act to significantly increase maximum penalties and to provide the Office of the Australian Information Commissioner with enhanced enforcement powers.

The Government also appointed Carly Kind as a standalone Privacy Commissioner, restoring the Office of the Australian Information Commission to its three Commissioner model.

After an almost three-year review process which began in 2020, the Federal Government commenced a reform pathway to protect privacy last year.

“Since then we have continued to consult with privacy experts, business and media organisations to develop these proposals and ensure we get them right,” Dreyfus said. “But one thing is clear. Australia can no longer afford to have inadequate privacy protections. It is vital that our privacy laws properly protect our personal information to promote security and trust in the systems we engage with daily.

“Effective privacy regulation builds confidence, which in turn supports data-driven innovation and growth, and the digital economy. A failure to improve Australia's privacy standards would not only have implications for individuals, but has the potential to adversely impact the international competitiveness of Australian business. We must keep pace and more closely align with global standards.

“Weak privacy laws can also have a devastating impact on women fleeing family violence, allowing their abusers to track them, and cause further harm by sharing their most intimate images and personal information.”

At the request of the Prime Minister, Dreyfus said he will now be bringing forward legislation in August to overhaul the Privacy Act and protect Australians from doxxxing - the malicious use of their personal and private information. The Government will also seek to strengthen laws against hate speech. 

“This work will complement work already underway across Government as we seek to strengthen online safety for all Australians,” he said.

“Over the next few months I will be calling on my colleagues on all sides of the federal parliament to work with me and the Government to ensure that the personal information of Australians is adequately protected.”

During his speech, Dreyfus confirmed an investment of $11 million over the next four years for a new mobile application allowing Australians to self-manage their identity credentials.

Through the mobile application, an individual will have the ability to enable or disable the use of their identity credentials for the purpose of verifying their identity and receive notifications whenever they are used. This will allow an individual to fully disable the use of their credentials for identity verification purposes until they are ready for them to be used.

The initiative stems from the 2022 Optus data breach which affected around 10 million Australians, including the compromise of 100,000 passports.

Dreyfus confirmed the Government is also considering a range of proposals that would further entrench ‘privacy by design principles’ into the Commonwealth framework.

This includes requiring that privacy notices should be clear, up-to-date, concise and understandable. The introduction of a ‘fair and reasonable' test could assist to ensure that the collection, use and disclosure of personal information by entities are fair and reasonable in the circumstances.

The Government is also considering options to respond to recommendations in relation to high risk privacy practices, by expanding the range of entities required to conduct Privacy Impact Assessments for activities with high privacy risks.

These include instances involving new or changed ways of handling personal information that have a significant impact on the privacy of individuals – such as certain kinds of facial recognition technology, or the use of biometric information for identification when used in public spaces.

The Government has also agreed that the types of personal information to be used in substantially automated decisions which have a legal, or similarly significant effect on an individual's rights should be clearly outlined in privacy policies. There will also be a right for individuals to request meaningful information about how these decisions are made.

The Government has agreed-in-principle that a statutory tort for serious invasions of privacy should be introduced, to complement the Privacy Act protections.

Based on recommendations made by the Australian Law Reform Commission in 2014, the proposed tort would regulate a broader range of privacy harms, such as the physical intrusion into an individual's private space, and would extend to individuals and entities who are not otherwise required to comply with the Privacy Act.

The proposed tort will be designed so that privacy protection is appropriately safeguarded and balanced with other rights, including freedom of speech and freedom of the media.

The Government has also agreed-in-principle that individuals should have more direct access to the courts to seek remedies for breaches of the Privacy Act through a direct right of action. 

The direct right of action would enable individuals who suffer loss or damage as a result of an interference with their privacy to seek compensation.

The Government is also considering requiring entities to develop maximum and minimum retention periods for personal information they hold and specifying these in their privacy policies.

“Consultation with industry is ensuring that the implementation of the reforms is both feasible and balanced with the regulatory burden on industry,” Dreyfus said.

Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at adnews@yaffa.com.au

Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.

comments powered by Disqus