Depending on your lens, Australia either has a particularly good or a very bad reputation for privacy. Very good in that, contrary to the ravings of those who see fascists and despots everywhere they turn, you will not find the Federal Police knocking on your door in the middle of the night because you have posted a disparaging comment about the Prime Minister. Though, free speech does have its limits.
Very bad, because it participates in the Five, Nine and Fourteen Eyes intelligence-sharing agreements. Bad, only because while most SIGINT (signals intelligence) bodies — for example NSA, GCHQ, ASD — are not permitted to spy on their own citizens, they are permitted to spy on foreign nationals and then share that information. The result of this work, as the Electronic Frontier Foundation asserts, is to take advantage of “the lowest common privacy denominator.”
Into this febrile landscape the Attorney-General's Department released (16 February 2023) the report of the Privacy Act Review (the Review), which proposes changes to the Privacy Act 1988 (the Act) affecting APP entities: the companies and government agencies bound by the Australian Privacy Principles (APPs).
While it is nigh impossible to summarise a 320-page review effectively in a short article, three key recommendations deserve mention and, I think, convey the general timbre of the report.
1. Small Business Exemption
Subject to a number of exceptions, the Act does not apply to businesses with an annual turnover of $3 million or less. The Issues Paper sought feedback on whether the current scope of the Act strikes the right balance between protecting the privacy rights of individuals and imposing unnecessary regulation on small businesses. The Discussion Paper canvassed options to address this increased privacy risk, but did not put forward any specific proposals. There was a high level of interest in the exemption from submitters who generally took the view that advances in technology have shifted the way small businesses operate and increased the privacy risks they pose. The majority of submitters that addressed the small business exemption recommended the exemption should be removed. Some small business representatives acknowledged the importance of small businesses protecting individuals’ privacy but were opposed to the exemption being removed.— Review of the Privacy Act 1988
Having worked in small business for a number of years, and continuing to consult to their boards, I understand the concern that accompanies additional regulation. It is felt particularly acutely by boards who have never heard of a cyber-security plan, let alone contemplated what one would mean for their organisation.
While time and education are clearly needed, an exemption is not. With 92.6% of Australian businesses reporting turnover of less than $2 million (and therefore an even larger share sitting under the $3 million threshold), a very large proportion of the companies in Australia that are likely to collect personally identifiable information (PII) are exempt from the Act.
This exemption may help directors of small business to sleep easier at night, but it can no longer be claimed it strikes the right balance in protecting people’s privacy. It is also increasingly hard to make the technical case for exemption.
Since the Snowden revelations, the Facebook–Cambridge Analytica data scandal, and the myriad other headline events of the last decade, it is reasonable to assume enough is now in the public domain about cyber-security to remove the ability to plead ignorance. Added to which, the decision by most big tech companies – Apple, Microsoft, Google et al – to make privacy and security headline features of their products, with controls such as device encryption and multi-factor authentication available out of the box, makes it relatively easy for even sole traders to enact a cyber-security program.
2. A Direct Right of Action
The avenues available to individuals to litigate a claim for breach of their privacy under the Act are limited. Individuals may make a complaint to the IC about an alleged interference with their privacy and where a determination is made, it may be enforced in the Federal Court and FCFCOA. Individuals may apply to the Federal Court and the FCFCOA for injunctive relief for contraventions of the Act. The Act also allows a person who has suffered loss or damage as a result of contravention of certain credit reporting provisions to apply for a compensation order after the Federal Court or FCFCOA has made a civil penalty order or the entity has been found guilty of an offence. There is otherwise no mechanism by which a breach of the Act may be directly actioned by an individual in the courts.— Review of the Privacy Act 1988
At the start of the Covid pandemic, when anyone who could was being sent home to work online, a joke circulated asking ‘what has been the biggest driver of digital transformation in your company?’. There was then a series of check boxes next to ‘IT Manager’, ‘Changes in Technology’ and ‘Covid’. The tick, and the joke of course, was that Covid was the driver.
Anyone who worked from home prior to Covid, or longed to do so, knew the technology had existed for years. Thanks to its ubiquity, many, if not most, IT Managers had the budget. Yet it took self-interest to stimulate action. As Adam Smith observed:
Every man is, no doubt, by nature, first and principally recommended to his own care; and as he is fitter to take care of himself than of any other person, it is fit and right that it should be so.— Adam Smith, The Theory of Moral Sentiments
Put another way, when self-interest, or self-preservation, can be sufficiently motivated, businesses will find a way. While I am no fan of big government, most business owners and executives I have worked with ask ‘what does the law require me to do?’ Once told, they will do up to that and seldom an iota more.
With self-interest so often reigning supreme, giving individuals a direct right to bring actions and class actions against APP entities, and to seek compensatory damages for both financial and non-financial harm ‘suffered as a result of an interference with their privacy’, may prove as seminal as Covid in changing organisational approaches to cyber-security and privacy.
3. Rights of the Individual
Currently under the Act, individuals are provided limited transparency and control over their personal information through privacy notices (APP 5), privacy policies (APP 1.3), requirements for entities to implement practices, procedures and systems to deal with complaints and inquiries (APP 1.2), and some access rights (APP 12). The destruction requirement in APP 11 is expressed as an obligation on an entity to destroy personal information, but does not provide an individual with the ability to insist on earlier destruction.— Review of the Privacy Act 1988
In place of this limited control and transparency, the Review proposes a series of rights which would bring Australia more in line with overseas data protection frameworks, such as the GDPR. Specifically, the Review recommends:
Rights directed at improving transparency
- Right to access and explanation – a right to know what personal information is held, where it came from, and what is being done with it (including meaningful information about how automated decisions using an individual’s personal information are made).
- Right to object to the collection, use and disclosure of personal information – a right to challenge whether an APP entity’s handling of information complies with the Act.
Rights directed at giving individuals more control over their information
- Right to erasure – a right to have information deleted.
- Right to correction – a right to require that information be accurate, up-to-date, complete, relevant and not misleading.
- Right to de-index certain search results
— Review of the Privacy Act 1988
This clarity regarding what changes to the Act may mean for individuals is an essential part of the Review process, as it takes pages of legalese and gives a succinct list of what to expect for individuals and APP entities.
Individuals gain greater transparency and more control over their data. For APP entities, particularly small businesses, the list gives a flavour of what their cyber-security practices and IT systems will need to provide in real terms to comply with the Act: the ability to find every record held about a person, explain where it came from and how it is used, correct it, and delete it on request.
Though I have only cursorily addressed a handful of the recommendations, it is clear from the Review that serious overhauls of the Act are necessary to ensure APP entities ‘collect, manage and dispose of personal information’ in a manner commensurate with the protection of an individual’s data. It is also clear, given the apparent lack of ramifications for APP entities that have recently failed to protect their stakeholders from data breaches, that clear and sizeable ‘consequences for failing to meet these obligations’ must be enforceable.
While there are costs, in time or money, in complying with the recommendations contained in the Review, there is a case to be made that this is not only the cost of doing business in the digital age but that, like environmental protections, there are great rewards to be reaped in improved quality of life.
Directors and executives should be alert to the implications of the suite of recommendations contained in the Review and, even in organisations that were previously compliant, there will likely need to be a shift in the board’s role in the oversight of privacy practices.
If organisations take the initiative there is considerable potential upside for all parties. Sadly, some organisations may take the easy way out and start to avoid data altogether, reverting to paper-based practices. Such a reversion would be a distinct backwards step for society.
Good night, and good luck.