James Patto (29 March 2019): In what could be one of the biggest overhauls of the Privacy Act 1988 (Cth) since the NPPs became the APPs, the Minister for Communications and the Arts, Mitch Fifield, and Attorney General, Christian Porter, have announced that the Federal Government is looking to make a number of significant changes to the privacy regime targeted at the social media and technology industry in Australia.[1]
Scrutiny on tech giants hits fever pitch
The proposals come at a time when there is heightened scrutiny of privacy compliance in Australia (and internationally) in the aftermath of the livestreaming of the Christchurch massacre and as a result of several high profile incidents over the last 12 months, such as:
the PageUp data breach in May 2018;[2]
cyber attacks on Australia’s parliament;[3]
Google’s €50 million fine for GDPR violations in France;[4]
ongoing scrutiny of Facebook and other social media services following the Cambridge Analytica incident and other potential security compromises;[5] and
the Cathay Pacific data breach, which exposed personal information of up to 9.4 million passengers.[6]
Additionally, the ACCC has been running full steam ahead with its ‘Digital Platforms’ inquiry which has expanded in scope to cover a wide range of competition, media and privacy law issues generally, including those affecting online services. Let’s also not forget the heavily criticised Assistance and Access Act, which disproportionately impacts technology companies (and has just been sent to the Independent National Security Legislation Monitor to consider whether it appropriately safeguards individual rights, is proportionate to national security threats, and is necessary).
Resourcing and responsibility mismatch of the OAIC
Part of the problem with any change to the privacy regime is the amount of resources required to administer legislation that imposes privacy regulations on sophisticated corporate giants with globally dispersed operations. Importantly, the OAIC is not a regulatory authority behemoth like APRA and ASIC. For example, its budget pales in comparison to that of ASIC and APRA; however, it remains tasked with scrutinising the operations of some of the biggest and most complex organisations on the planet (including those scrutinised by ASIC and APRA).
Although the Attorney-General and Minister for Communications and the Arts have proposed a further $25 million in funding to the OAIC over the next three years, many believe that the scale of the task required of the OAIC is unreasonable given its current size. A possible solution that has been raised is to introduce a certification system whereby third parties (licensed or accredited by the OAIC) are engaged to allow entities to obtain certification of their privacy compliance (similar to Articles 42 and 43 of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’)) to take some pressure off the OAIC. The ACCC has floated this proposal in its preliminary report on the ‘Digital Platforms’ inquiry. While the Attorney-General’s announcement does not specifically mention this, it does flag that further changes may arise as a result of the ACCC’s ongoing inquiry.
What is to change?
The proposals appear to borrow heavily from some of the recommendations made by the ACCC as part of the ‘Digital Platforms’ inquiry to date and from the principles and mechanisms used in the GDPR. The table below sets out a description of each proposal, the author’s view on the corresponding provisions in the GDPR and some high level thoughts on the proposal based on the limited information available to date.
Proposed changes to the Privacy Act
Proposed change: Increase fines for serious or repeated privacy breaches from $2.1 million to the greater of: (a) $10 million; (b) three times the value of any benefit obtained through the misuse of information; or (c) 10% of a company’s annual domestic turnover.
Comparable GDPR Provision: Fines of up to 4% of global annual turnover, depending on which provisions are breached.[7]
Thoughts: Under this regime, it is possible that the proposed changes to the Privacy Act could result in an entity receiving a fine that is greater than what they would be issued under the GDPR, particularly where the infringing entity carries out the majority of its business in Australia (in short, 10% is more than 4% and domestic turnover isn’t always less than global turnover). This move is sure to make the already heated discussions between customers and suppliers in relation to liability for privacy breach in their contracts (including in relation to caps on this type of liability) even more complex and contentious.
Proposed change: The OAIC will be provided with new powers to issue infringement notices to entities that fail to cooperate with efforts to resolve minor breaches, with penalties of up to $63,000 for bodies corporate and $12,600 for individuals.
Comparable GDPR Provision: Cooperation obligations on data processors and controllers in relation to performance of the supervisory authority’s tasks.[8] Breach of this requirement would be subject to the penalties regime.
Thoughts: Excluding the provisions of Part IIIA, civil penalties under the Privacy Act are currently only available for serious or repeated interferences with privacy, so this broadens the scope of financial penalties under the Act.[9] Watch this space. Everyone (well, maybe not everyone) will be looking to the draft legislation to answer the many questions in relation to this change that come to mind, some being:
What is a minor breach?
What will “cooperation” entail and will there be any restrictions on what can be required?
Who takes carriage of the resolution activities and will resolution need to be guaranteed?
Are there timing requirements for the cooperation?
When is a minor breach considered to be resolved, and does resolution stop the obligation to cooperate moving forward?
Will a sufficiently serious or repeated failure to cooperate trigger the increased fines for serious or repeated privacy breaches referred to above?
Proposed change: Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised.
Comparable GDPR Provision: Supervisory authority’s broad investigative powers allow audits.[10] Data breach notification regime and ability of supervisory authority to direct notification.[11]
Thoughts: The Commissioner already has rights under the Privacy Act to carry out an assessment in relation to an entity’s compliance with the APPs.[12]
It is not clear how the proposed third party review regime will differ from these current arrangements, although it would be expected that there would be a broadening of current inspection rights. This may also tie in with the idea of a privacy mark, seal or other form of certification provided by a third party.
Currently, if an eligible data breach occurs, the relevant APP entity is required to notify the affected individuals.[13] It is not clear how the proposed additional notification provisions will operate in light of the data breach notification scheme currently in the Act, particularly given the Commissioner already has existing powers to issue directions requiring notification under that scheme.
As with all of these proposals, it very much is a case of “wait and see” how these proposed changes are implemented, and whether the legislation adequately considers the interests of all parties. Key questions are:
Which third parties will be involved in the reviews and how will conflicts be managed?
Who pays for the third party review?
How will the results of third party reviews be presented and shared?
Further, the inclusion of the right for the OAIC to publish details of specific data breaches could cut across the ability of an entity to manage the notification process mandated under the current data breach notification scheme.
Additionally, it is likely to get increasingly difficult for companies to manage the various notification obligations to which they are subject if there is an additional set of overlapping requirements – for example, the current notifiable data breach scheme, this new proposal, requirements to report information security incidents under industry-specific legislation (e.g. APRA’s CPS 234 standard), ASX listing rules, other laws (e.g. GDPR) or contracts (e.g. obligations imposed by customers).
Proposed change: Require social media and online platforms to stop using or disclosing an individual’s personal information upon request.
Comparable GDPR Provision: Data controller must erase personal data on request of the data subject.[14]
Thoughts: Much has been said about the GDPR ‘right to be forgotten’ and whether something of this nature should be ported into Australian legislation. Nothing like this currently exists, as Australian legislation allows an entity to retain personal information provided to it where it is still being used for its primary purpose or an eligible secondary purpose.[15] The current proposal appears to fall slightly short of a GDPR style ‘right to be forgotten’; however, we will need to wait for the drafting in the legislation to see if this is the case.
Proposed change: Introduce specific rules to protect the personal information of children and other vulnerable groups.
Comparable GDPR Provision: A number of sections in the GDPR relate to management of children’s personal data (sometimes referred to as GDPR-K), which includes specific consent requirements for children under 16.[16] It is important to note that the Children’s Online Privacy Protection Act (USA) and the Personal Information Security Specification (China) also regulate the management and collection of children’s personal information.
Thoughts: This is an area that has been of significant concern as, unlike the GDPR, the Privacy Act does not specify an age after which individuals can make their own privacy decisions (OAIC guidance does suggest entities can assume someone aged 15 or over has capacity to consent).
Some studies state that as many as 85% of parents with teenage children aged 13 to 17 report that their child has a social networking profile, and up to 50% of 11 and 12 year-old children have a social media profile (despite a minimum age of 13 for most platforms).
The ultimate result of this is that these providers hold a large amount of personal information of children, without clear guidance under the legislation as to how they should be treating that information. A key question on this regime will be whether and how any change addresses the issue of when a service is ‘directed to’ or ‘available to’ children.
Given the inclusion of ‘other vulnerable groups’ in this proposal, there is little doubt that the capability of an individual to consent will be a key part of this proposal.
It is not clear to the author what will be expected from companies in terms of assessing the vulnerability of particular individuals given the limited interaction between technology companies and their users. For example, it could be difficult for a social platform to determine whether a new user signing up for an account is affected by circumstances or some form of disability which renders them ‘vulnerable’.
In the meantime, we all wait with bated breath for the draft legislation to be released for consultation in the second half of 2019, although with a Federal election just around the corner, things can change very quickly.
The content of this publication is for general information purposes only. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.
[1] See media release at https://www.attorneygeneral.gov.au/Media/Pages/Tougher-penalties-to-keep-australians-safe-online-19.aspx.
[7] Article 83 of the GDPR.
[8] Article 31 of the GDPR.
[9] Section 13G of the Privacy Act.
[10] Article 58 of the GDPR.
[11] Articles 33 and 34 of the GDPR.
[12] Section 40 of the Privacy Act.
[13] Part IIIC of the Privacy Act.
[14] Article 17 of the GDPR.
[15] Australian Privacy Principles 6 and 11 contained in Schedule 1 to the Privacy Act.
[16] Article 8 of the GDPR.