Thursday night in Brisbane, a group of business owners and industry experts gathered for an important event about the upcoming privacy changes and how they will impact businesses in Australia. With the Australian government’s recent announcement of new privacy law reforms, many businesses are left wondering how they will need to adjust their practices to comply with the new regulations.
Here’s a quote from Attorney-General Mark Dreyfus – 16 February 2023
“The Privacy Act is no longer fit for purpose, and does not adequately protect Australians’ privacy in the digital age.”
Before discussing 3 of the 116 proposals in the Privacy Act Review Report, Robert Feldman, Director at Gadens in Brisbane, set the scene by highlighting how both the government and the regulators (e.g. ASIC and the ACCC) had cyber security uplift firmly in their sights. Together they are driving significant change around cyber security, data management and privacy, and businesses need to be aware of what they are saying and what they are doing.
Turning to the Privacy Act Review Report, Robert explained how the general themes of the proposed changes are about putting more rights into the hands of individuals and more responsibility on businesses.
Looking at three of the key proposals, first, Robert discussed the requirement to act fairly and reasonably when collecting, using and disclosing personal information. The Report stresses that this requirement will be judged on an objective standard and will apply regardless of any consent – meaning that tick boxes and privacy policies will not cure inappropriate data collection and use. The Report lists a number of factors to be taken into account when determining whether any collection, use or disclosure of personal information is fair and reasonable.
From the Report: “The fair and reasonable test would provide a principles-based means of determining whether the handling of individuals’ personal information is permissible. These include practices such as the creation and sharing of detailed profiles on consumers, which may include information about an individual’s interests, behaviours, movements, relationships, habits, socioeconomic status and health, the use of machine learning to infer traits about an individual without their knowledge, targeting content and advertising to individuals based on predicted vulnerabilities, the use of personal information for political microtargeting and the use of biometric data in certain contexts.”
Robert commented: “This provision is a positive step towards protecting the privacy rights of individuals, regardless of whether they have previously consented to the collection and use of their personal information.”
The second key proposal that was discussed was in relation to small business – the report recommends removing the small business exemption ($3m threshold), but only after consultation, and with measures to address the difficulties for these organisations to assume this compliance burden.
From the Report: “In recognition of the increasing privacy risks posed by small businesses and the benefits of improved privacy protection for Australians and the economy, the small business exemption should be removed. This would require all Australian businesses to comply with the Act, regardless of annual turnover.”
Robert commented: “Removing the small business exemption threshold from the Privacy Act Reform is a positive step towards improving privacy protection for all individuals. However, it’s essential to ensure that small businesses are not unduly burdened by compliance requirements and the devil will be in the detail, should this proposal make its way into the exposure draft of the amending bill.
Overall, it’s essential to strike a balance between improving privacy protection and ensuring that small businesses can continue to operate and thrive.”
The final proposal discussed was the introduction of a right of erasure. The Report proposes introducing a right of erasure that would provide individuals with the ability to request the deletion of their personal information by businesses covered by the Privacy Act. Individuals will be able to exercise this right in relation to any category of personal information. The Report also proposes a right of de-indexation. This would allow individuals to require search engines to de-index online search results where the results are excessive in volume, inaccurate, out of date, incomplete, irrelevant or misleading.
Robert commented: “This right will give individuals greater control over their personal information, extending existing obligations on the destruction of information.
Even if there isn’t a flood of erasure requests on day one, businesses need to prepare for just one request to be made or face significant consequences if they’re not ready.”
Robert left the attendees with three key messages: (1) change is coming and businesses need to get ready; (2) the regulators are getting more trigger-happy and the penalties are getting bigger – you don’t want to be the next RI Advice; (3) see this as an opportunity to lead – start looking at your people, processes and technology now.
If you wish to learn more about the upcoming Privacy Act Reform, get in contact with Oper8 Global today.