TRANSCRIPT
Australians will now have the right to sue for serious breaches of privacy. The government has agreed to a series of reforms that intend to bolster the privacy of personal information, following two years of extensive review into the Privacy Act.
Key to these reforms is centring the protection of personal information and recognising the public interest in protecting privacy. This means the regulatory privacy body will develop guidelines to destroy or de-identify personal information, as well as guidance for new technologies and emerging privacy risks.
Nicole Stephensen is Partner and Privacy Lead at Information Integrity Solutions ((I-S-S)) Partners, which made a submission to the review. She welcomes the government's response, in particular the re-defining of an individual's personal information.
“Look probably the biggest win is the agreement of the government that the definition of personal information needs to be rendered fit for purpose. So in today's landscape of digital and data and everything connected and data broking and surveillance capitalism more broadly, what we had was a definition for personal information that individuals can be recognised as distinct from others, and traced on and tracked as a result, even if their precise identity is not known."
The government agreed to 38 of the 116 recommendations, including introducing a new code to protect children's online privacy, particularly on popular social media platforms like TikTok.
However, they only agreed in-principle to 68 further recommendations, and effectively shelved 10 others.
One of the key in-principle agreements was to remove the exemption for small businesses under the Act, but only after an analysis of the impact on small businesses and a government support package.
Ms Stephensen says this is a fair proposal, as it must be countered with the ability for small businesses to be financially and logistically supported through this process.
“This is an area that has been a massive gap area in terms of the way in which e collect and manage personal information. And the fact we saw during the pandemic, through the rise of COVID, and the real new interaction between small businesses and their communities, including in online spaces, we saw that small businesses collect and house vast amounts of community personal information."
The government is looking to implement regulations around this issue of storing and destroying personal information. The report notes the Office of Australian Information Compliance should provide detailed guidance on reasonable steps undertaken to destroy or de-identify personal information.
Professor Asha Rao is a Professor of Mathematics and Cybersecurity at RMIT University in Melbourne, and says this is one of the highlights of the report.
“Enhancing the requirements to keep information secure, and to me more importantly destroying it when it's no longer needed. SO i was told that my data had been breached from 2009, because somebody who was handling the data from another company had kept it. And they said ok the good thing is your credit card from that time has expired. And I thought well I don't really think that's good enough. Why were they keeping information from 2009?"
Professor Rao says it's also important to consider the complexities around the government's reform to offer the right to file a civil lawsuit for privacy breaches. But she says it definitely helps deter organisations and companies from breaching privacy laws.
“A lawsuit is not, it's not cheap, but it opens out class actions. See it's more of the stick approach, saying there is a stick and that itself will reduce, they have to be, my complaint has always been strong regulations fro money laundering, we need stronger. And that is coming and that makes me really happy."
However, the government dismissed other recommendations, including allowing individuals to opt out of receiving targeted advertising.
They simply agreed in-principle to introduce definitions for direct marketing, targeting and trading of information, and to allow individuals to opt-out of personal information being used or disclosed for direct marketing purposes.
Ms Stephensen says it's a tricky area to regulate.
“What I'm hoping is that the move to vary the definition of personal information to include that concept of individuation in some way, I'm hoping that the changes at the front end in terms of the definition of personal information, impact how organisations that do this type of targeted advertising are even able to do so in the first place because of the nature of the definition of personal information. They might not have as much wiggle room in anymore."
Other exemptions are around media organisations and political parties.
The government is securing the journalism exemption and looking to balance the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information through the media.
Political parties will also be entirely exempt from the Privacy Act, covering any acts and practices in relation to an election, referendum or other political processes, citing the need for the freedom of political communication.
Professor Rao says this poses a concern.
“You know I'm really ambivalent about that, going off what's happening with the Voice and things like that, it's not just receiving SMS', I think we need stronger rules for the media as well. But again as I say can we do everything at once? Maybe we can't. We have to keep the pressure up."
The government is looking to explore issues around biometrics and facial recognition technology.
They are extending the requirement for privacy risk assessments for high privacy risk activities to the private sector, as Ms Stephensen explains.
“Doing this, requiring them to do privacy impact assessments closes quite a yawning gap for organisational deployments of technology solutions and services that are considered intrinsically high risk, relating to how they manage and collect personal information or where they present a risk of privacy harm to individuals and groups in the community. And whether ti includes heavier assessment for biometrics or facial recognition technology, that's a talking point now. So the government has agreed this needs to be considered as part of this discussion around privacy impact assessment."
However, there has been criticism from business representatives and artificial intelligence groups.
A-I Group said in a statement that they support the need to provide confidence to the public over data privacy, but say over-regulation has the potential to chill innovation and add costs to businesses.
The Australia
