Privacy Act review and Online Privacy Code

The Attorney-General’s Department has released for consultation a Discussion Paper on its review of the Privacy Act as well as an exposure draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021.

Online Privacy Code
The Online Privacy Bill will enable the introduction of a binding online privacy code to regulate social media services, data brokerage services and large online platforms that trade in personal information. It also increases penalties and enforcement measures.

It will apply to organisations that provide an ‘electronic service’, a term that will capture a broad range of existing and future technologies, including hardware, software, websites, mobile applications, hosting services, peer-to-peer sharing platforms, instant messaging, email, SMS and MMS, chat services, and online gaming.

An ‘electronic service’ will not include:
* a ‘broadcasting service’ or ‘datacasting service’ (as defined in the Broadcasting Services Act 1992);
* a system that solely processes payments;
* a system with the sole purpose of providing access to a ‘payment system’ (as defined in the Payment Systems Regulation Act 1998).

The OP code will require organisations subject to the OP code to take such steps (if any) as are reasonable in the circumstances to not use or disclose, or to not further use or disclose, an individual’s personal information upon request from that individual. An individual may choose to use this when, for example, they do not want an organisation to disclose their personal information for the purposes of direct marketing. This requirement is not intended to amount to a ‘right to erasure’ of the personal information.

The Bill will provide protections for children and vulnerable groups.

The Commissioner will have the power to investigate potential breaches of the OP code, either following a complaint or on the Commissioner’s own initiative. The Commissioner’s full range of enforcement powers will be available in the event that an investigation finds that a breach has occurred.

After the Bill receives Royal Assent, the OP code will need to be developed and registered within 12 months. The Commissioner will register the OP code after it has been developed, and once the OP code has been registered it must be complied with by OP organisations.

Increased penalty for serious and repeated interference with privacy
The Bill increases the maximum penalties of the Privacy Act to mirror the recently increased penalties for breaches of the Australian Consumer Law (ACL).

For a natural person, the Bill increases the maximum civil penalty for serious and repeated interference with privacy to 2,400 penalty units ($532,800 on current penalty unit values). For a body corporate, the maximum penalty will increase to an amount not exceeding the greater of:
* $10,000,000;
* three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated interference with privacy; or
* if the value cannot be determined, 10% of their domestic annual turnover. The Bill sets out how to calculate turnover for the purposes of this provision.

To enable the OAIC to resolve matters more efficiently, an infringement notice provision will be created.

Discussion paper proposals

The proposals are extensive, covering the scope and application of the Act, the protections contained in the Australian Privacy Principles, and how the Act is regulated and enforced.

Specific proposals relate to:

  • Definition of personal information
  • Additional protections for collection, use and disclosure of personal information
  • Restricted and prohibited acts and practices
  • Pro-privacy default settings
  • Children and vulnerable individuals
  • Right to erasure of personal information
  • Direct marketing, targeted advertising and profiling
  • Automated decision-making
  • Organisational accountability
  • Overseas data flows
  • A statutory tort of privacy.


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 
