Depending on your lens, Australia has either a particularly good or a very bad reputation for privacy. Very good in that, contrary to the ravings of those who see fascists and despots everywhere they turn, you will not find the Federal Police knocking on your door in the middle of the night because you have posted a disparaging comment about the Prime Minister. Though, free speech does have its limits.
Very bad, because it participates in the Five, Nine and Fourteen Eyes intelligence-sharing agreements. Bad, only because while most SIGINT (signals intelligence) bodies — for example NSA, GCHQ, ASD — are not permitted to spy on their own citizens, they are permitted to spy on foreign nationals and then share that information. The result of this work, as the Electronic Frontier Foundation asserts, is to take advantage of “the lowest common privacy denominator.”
Into this febrile landscape the Department of the Attorney General has released (16 February 2023) the proposals of the Privacy Act Review (the Review), which propose changes to the Privacy Act 1988 (the Act) with respect to Australian Privacy Principles (APPs) — think companies and government agencies.
While it is nigh impossible to effectively summarise a 320-page review in a short article, there are three key recommendations that deserve mention, and which I think convey the general timbre of the overall report.
1. Small Business Exemption
Subject to a number of exceptions, the Act does not apply to businesses with an annual turnover of $3 million or less. The Issues Paper sought feedback on whether the current scope of the Act strikes the right balance between protecting the privacy rights of individuals and imposing unnecessary regulation on small businesses. The Discussion Paper canvassed options to address this increased privacy risk, but did not put forward any specific proposals. There was a high level of interest in the exemption from submitters who generally took the view that advances in technology have shifted the way small businesses operate and increased the privacy risks they pose. The majority of submitters that addressed the small business exemption recommended the exemption should be removed. Some small business representatives acknowledged the importance of small businesses protecting individuals’ privacy but were opposed to the exemption being removed.
— Review of the Privacy Act 1988
Having worked in small business for a number of years, and continuing to consult to their boards, I can apprehend the concern that accompanies additional regulation. This is felt particularly acutely by boards who have not even heard of a Cyber-Security Plan, let alone contemplated the implications of one for their organisation.