Reacting to Australia’s Privacy Act Amendments Bill

Peter Violaris

Earlier this summer, I wrote about how reforms to Australian privacy laws were supposedly just around the corner. So you can imagine my anticipation when, late last week, the Australian Commonwealth government finally published its proposed bill to amend the Privacy Act of 1988. 

To say the draft is underwhelming is an understatement. 

It was back in February 2023 that the attorney-general suggested 116 changes to the law to make sure Australians are protected. That list then got whittled right down in the government's official response in September 2023. Now, the current Bill only meets 23 of the original 116 suggested changes. 

A failure to protect

Let’s start with what the Bill has failed to do:

  1. Australians will not have the right to demand their data is deleted by a company holding it. Considering the numerous and extensive data breaches Australians have been the victim of in the past two years, this is an opportunity missed. 
  2. Australians will not be protected by the overarching requirement to process data “fairly and reasonably”. The government had previously said it would enact this proposal. This measure would have catapulted Australia into the lead over Western countries and given regulators a good stick to attack data companies processing data on dubious consent collection grounds. The latest US federal privacy bill has a similar concept. 
  3. The Bill fails to address the shortcomings of Australian privacy law highlighted by the European Commission’s inadequacy decision, namely, the carve-outs of HR data and the small company exemption. 
  4. The Bill has not brought Australia into line with most of the rest of the Western world by formally distinguishing between data controllers and data processors. 

The first two points above were promised by the Australian Government in its proposals leading up to this Bill, so there remains hope that they will be addressed in the next tranche of reform. But with a Commonwealth election expected in the first half of 2025, it seems unlikely this will happen before then. 

The latter two points are on most technology companies’ wish list, but are not likely to be law anytime soon. 

What does the Bill, in fact, do? 

  1. Gives the Office of the Australian Information Commissioner (OAIC) greater resources and powers to enforce the law, including more powers to fine for less serious offences. This is a welcome fillip for our regulator. 
  2. Provides that there will be a Children’s Code for online companies to comply with, following the UK model. Combined with the Government’s announcement around age verification for social media, this means that Australian teenagers will enjoy protections from online harms that are arguably globally leading. Of course, we need to wait until the Children’s Code is published to make that judgement. 
  3. Requires that consumers are informed when an automated decision will be made about them. This measure does not, however, go as far as the requirements of the UK and EU laws which make automated decision-making for legal or significant effects unlawful except with explicit consent and the right to appeal to a person. Given the Robodebt embarrassment in Australia, it is surprising that the proposed change to the Privacy Act is not going further. 
  4. Introduces a couple of additional criminal offences around privacy, including doxxing (the intentional disclosure of someone’s personal data online without their permission). Arguably doxxing was illegal anyway, but clarification and express legislation is always helpful. 

So there are undoubtedly some good things in the Bill that we look forward to becoming law. 

Better than nothing—but not much

OAIC’s official response was revealing. At the same time as cautiously welcoming the additional powers given to it, the commission said it was looking forward to the next tranche of changes. 

Translation: this Bill does not go anywhere near far enough. 

Australian privacy law has long lagged behind European and other developed nations’ equivalents. This has led directly to Australian businesses not taking security as seriously as others, which has in turn led to the large number of data breaches here. 

In the last couple of years we at IDVerse have seen our clients take privacy much more seriously, for example by ensuring that data retention is for as short a period as possible and performing in-depth analyses of our own security to ensure the protection of their customers’ data.

This is welcomed—but this change in security practices has come about mostly as a result of the data breaches here, and not from any action by the government.

We must insist on more

It is to the shame of successive governments that high-profile data breaches have more or less become the norm in Australia. Governments have failed to take the lead on privacy here, and the latest Bill is another example of that failure. 

At IDVerse, an Australian-founded business, we tell our Australian clients that we meet the European GDPR standards because the Australian privacy standards fall short. That should be an embarrassing state of affairs for the Australian government. 

We, like OAIC, also look forward to the next tranche of changes to the Privacy Act. It cannot come soon enough.

About the post:
Images and videos are generative AI-created. Prompt: A scared anthropomorphic bear in a vibrant winter coat and hat, nervous facial expression and posture, standing center frame on a frozen alpine lake, arms out trying to balance, cracks branching out from his feet, bright sunny day, scenic snow-capped mountains in background reminiscent of Lake Tahoe. Tools: Midjourney, Luma.

About the author:
Peter Violaris is Global DPO and Head of Legal EMEA for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 7 years and before that worked for London law firms.
