In December 2019, the Australian Government announced it would conduct a review of the Privacy Act 1988 (Cth).
A year has almost passed and finally the Australian Government has publicly released details about the review. On 30 October 2020, the Australian Government released the Terms of Reference of the review. In particular, the review will cover:
- The scope and application of the Privacy Act
- Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
- Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
- Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
- The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
- The effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
- The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The Australian Government has released an Issues Paper to seek feedback on potential issues relevant to the reform of the Privacy Act. Submissions in response to questions outlined in the Issues Paper or Terms of Reference should be submitted to the Attorney-General’s Department by 29 November 2020.
Interestingly, the Australian Government will consider issues that are regularly canvassed whenever the Privacy Act is reviewed. Yet again, the Australian Government is considering whether or not to introduce a statutory tort for the serious invasions of privacy and whether individuals should have a direct right of action to enforce privacy. Those who have been following our commentary or heard us speak over the years will not be surprised to learn that these issues remain on the privacy law reform radar in the medium term. If adopted, the inclusion of these rights in the Privacy Act would be a significant reform to privacy law in Australia and would significantly increase the potential avenues and forums for complaints against organisations for their privacy practices.
It appears from the Issues Paper the Australian Government is considering implementing the APEC Cross-Border Privacy Rules (CBPR) system, that provides a mechanism for governments and businesses to safeguard the free flow of data and demonstrate compliance with internationally recognised data privacy protections. Countries that adopt the CBPR system also maintain a domestic certification scheme and this is another issue under consideration. The third parties that undertake the certificationunder the CBPR system must be certified by APEC and may be a public or private sector entity.
In addition, the review provides the Australian Government with an opportunity to ensure Australia has privacy legislation that can operate in a fast paced and increasingly complex digital world, aligns with consumer expectations and can co-exist in a world with foreign privacy laws more akin to the EU GDPR.
We will be watching this review closely to see how it evolves and whether it will lead to any changes to the Privacy Act and compliance obligations. Stay tuned for more information as it comes to light.