Introduction

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Committee’s inquiry into the Privacy and Other Legislation Amendment Bill 2024 (the Bill).

The Bill is an important first step in strengthening Australia’s privacy framework. The Bill will, among other measures, make significant enhancements to the OAIC’s enforcement toolkit and strengthen online privacy protections for children. This submission provides further commentary about these key initiatives.

The OAIC also welcomes the Government’s commitment to developing the next tranche of privacy reform over the coming months for targeted consultation, including draft provisions. Without wider reform of the Privacy Act 1988 (Privacy Act), the OAIC will continue to face challenges achieving efficient and effective regulatory outcomes for the Australian community under the existing framework. We take this opportunity to highlight certain targeted measures that were agreed-in-principle in the Government response to the Privacy Act Review Report that we consider should be progressed as a matter of urgency.[1]

Enhanced enforcement framework

To be effective, regulators need to have a range of regulatory levers and the ability to move between them as required to effectively respond to privacy harms and emerging threats in a strategic and proportionate way. The Bill contains a range of enhancements to the OAIC’s enforcement toolkit, including a new tiered civil penalty regime which would consist of the following reforms:

  • Repeal of the ‘repeated’ element from the existing civil penalty provision in s 13G of the Privacy Act, so that it applies to ‘serious’ interferences with privacy, and introduction of a non-exhaustive list of factors which the court may consider in determining whether an interference is serious
  • Introduction of a new mid-tier civil penalty for interferences with privacy that do not meet the ‘serious’ threshold, and
  • Introduction of a lower-level civil penalty, with attached infringement notice powers, for administrative breaches of the Australian Privacy Principles (APPs) (such as an entity failing to have a privacy policy under APP 1.3) or for non-compliant data breach statements.

The enhanced civil penalty framework would provide more enforcement options to deter non-compliance and fill a gap in the existing law, under which the Commissioner can only seek civil penalties for interferences with privacy that are both serious and repeated. The new infringement notice regime for administrative breaches of the Act would give the OAIC a quick and cost-effective way to respond to non-compliant behaviour without the need for court proceedings.

The Bill also contains a suite of other important reforms to the Privacy Act’s enforcement framework including:

  • Amendments to s 52 (Determination of the Commissioner) to enable the Commissioner to make a declaration in a determination, following an investigation into a complaint or after a Commissioner-initiated investigation, for a respondent to perform any reasonable act or course of conduct to prevent or reduce any reasonably foreseeable loss or damage that is likely to be suffered. The intention of this reform is to enable the Commissioner to require a respondent to be more proactive following a privacy breach. For example, if a determination found that an entity had breached APP 11 (Security of personal information) because of a data breach, the Commissioner could make a declaration requiring the entity to engage service providers such as identity theft and cyber support providers to assist affected individuals for a certain time period after the incident.[2]
  • Enabling the OAIC to use the general investigation and monitoring powers under Parts 2 and 3 of the Regulatory Powers (Standard Provisions) Act 2014, which would bring the OAIC’s powers into line with other domestic regulators and increase legal certainty for entities that are subject to those powers.
  • Expansion of the jurisdiction of the Federal Court of Australia and the Federal Circuit and Family Court of Australia beyond pecuniary penalties to make any orders they consider appropriate in the circumstances (for example, awarding compensation to individuals or ordering an entity to perform any reasonable act or course of conduct to redress any actual or likely loss or damage suffered as a result of the contravention).
  • Empowering the Commissioner to conduct public inquiries into matters relating to privacy on the direction or approval of the Minister.

The OAIC will exercise these enhanced enforcement powers, alongside our existing suite of regulatory tools, in line with our statement of regulatory approach and guiding principles, in a consistent, transparent and proportionate manner.[3] The OAIC uses both encouragement and deterrence to promote and protect privacy and we will take regulatory action to encourage and support compliance by regulated entities while addressing high-risk matters with the greatest potential for harm.

Strengthened privacy protections for children

Young Australians frequently rely on digital and social media platforms in their everyday lives. However, online services designed to appeal to young people may not always be safe, appropriate or privacy protective. This issue is of particular concern to the Australian community. The OAIC’s 2023 Australian Community Attitudes to Privacy Survey found that 94% of parents were concerned about the protection of their child’s personal information, while 84% of parents believe children must be empowered to use the internet and online services, but their data privacy must be protected.[4]

The Bill would amend the Privacy Act to require the OAIC to develop and register a Children’s Online Privacy Code (the Code) to strengthen privacy protections for children. The Code would be an enforceable APP code, meaning a breach of its provisions constitutes an interference with privacy, which enlivens the Commissioner’s enforcement powers under the Privacy Act.

The Code will apply to a wide range of online services likely to be accessed by children including, but not limited to, social media services, websites, apps, instant messaging services, and online gaming services.[5] The Code would not apply to entities providing a health service (such as online counselling and advice services, and telehealth), which ensures the Code is not a barrier to providing essential services to children.

The Code must set out how one or more of the APPs are to be applied or complied with in relation to children. It can impose additional requirements provided those requirements are not inconsistent with the existing APPs. In this way, the requirements in the Code must be grounded in the APPs. For example, under the APPs, organisations have obligations to have a privacy policy and to provide collection notices. The Code might set out how organisations should tailor privacy policies and collection notices for a child so that they are clear and easy to understand, for example, by using graphics, video and audio content, rather than relying solely on written communication.[6]

To the extent possible, the OAIC as code developer will seek to align with the UK’s Age Appropriate Design Code, which will help to harmonise protections with those that children already benefit from overseas. We intend to adopt a transparent and collaborative approach during the code development process and will consult widely with children, parents, child development experts, child welfare advocates, civil society, other regulators and across the online industry to ensure different voices are heard and represented throughout the process.

The need for wider reform

The digital economy has generated significant benefits for consumers including new services and productivity gains. However, it has also led to the collection, use and disclosure of increasing amounts of Australians’ personal information in the online environment and the emergence of new privacy risks and harms. The Privacy Act has struggled to keep pace with advances in technology and business practices in the online environment.

A recent example which illustrates the challenges of enforcing an outdated Privacy Act in the digital age is TikTok’s use of tracking pixels. TikTok, like many other social media companies, offers tracking pixels, which harvest data about Australians’ online activities.[7] Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms.

The OAIC opened preliminary inquiries into TikTok’s use of tracking pixels. However, based on the information obtained during those inquiries, there was no obvious and clear contravention of the existing law that would have warranted opening an investigation into TikTok’s practices.[8] While many of these tracking tools are harmful, invasive and corrosive of online privacy, any further regulatory action would have been on uncertain legal footing under the existing privacy framework.

A key challenge is that obligations under the APPs are largely framed through the lens of what is ‘reasonably necessary’ for an entity’s activities. This leaves it to entities to determine what and how much personal information they need, with no express obligation to consider the impacts that their data handling practices may have on individuals.

Without wider reform of the Act, the OAIC will continue to face challenges achieving efficient and effective regulatory outcomes for the Australian community under the existing framework. In these circumstances, we consider that the proposed amendments to the definition of personal information and the introduction of a fair and reasonable test, which were agreed-in-principle in the Government response, should be progressed as a matter of urgency.[9]

Amendments to the definition of personal information

The definition of personal information is a foundational concept that delineates the scope of what is regulated and sought to be protected under the Act.

There has been uncertainty about whether the definition of personal information captures technical information since Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Grubb case). The Government response agreed-in-principle to replace the word ‘about’ with ‘relates to’ in the definition of personal information, which would provide additional clarity on the face of the law as to what information is covered by the Privacy Act and address overly narrow interpretations of the definition (proposal 4.1). The Government also agreed-in-principle to introduce a non-exhaustive list of information which may be personal information, which would provide additional clarity for entities around the types of information that could fall within the definition (proposal 4.2).

The proposals would promote interoperability and regulatory consistency by aligning the definition of personal information in the Privacy Act more closely with comparable international data protection laws such as Europe’s General Data Protection Regulation (GDPR) and domestic regimes such as the Consumer Data Right.

The change is not intended to significantly expand the meaning or application of the definition of ‘personal information’, which was always intended to be very expansive. The existing test of identifiability will continue to apply, so that information will only be personal information if it relates to an identified individual or an individual who is reasonably identifiable. As such, we consider that the regulatory impacts of this amendment on the regulated community will be low but would have a demonstrable impact on the OAIC’s ability to more clearly address problematic online data handling practices.

Fair and reasonable test

The introduction of a positive obligation on entities to ensure that their collection, use and disclosure of personal information is fair and reasonable would raise the general standard of personal information handling across the economy (proposal 12.1). It would address the current power imbalance inherent in the existing framework by shifting the responsibility to businesses to proactively consider the impact that their data handling practices may have on individuals. It would also prevent consent from being used to legitimise handling of personal information in a manner that is, objectively, unfair or unreasonable (proposal 12.3).

The test would be accompanied by a non-exhaustive list of factors to help entities determine whether a collection, use or disclosure is fair and reasonable in the circumstances (proposal 12.2). For instance, organisations would need to consider, among other matters, whether consumers would reasonably expect their personal information to be used in particular ways, and to take into account the risk of unjustified adverse impact or harm. For the majority of entities, these considerations are already built into their processes as part of considering reputational risk and maintaining customer trust.

Importantly, the fair and reasonable test will help to create a fairer digital environment that will benefit individuals, APP entities and the wider public interest. Entities that are trying to do the right thing will be able to innovate with confidence and know that they are not competitively disadvantaged when taking a privacy-protective approach to handling the personal information that they hold.

Conclusion

As set out above, the Bill is an important first step in strengthening Australia’s privacy framework. We welcome the Government’s commitment to developing the next tranche of privacy reform over the coming months. Wholesale reform of the Privacy Act is the most effective way of tackling the most harmful aspects of the digital ecosystem.

In the interim, the amendments to the definition of personal information and the introduction of a fair and reasonable test should be progressed as a matter of urgency. This would have a demonstrable impact on data handling practices, provide the OAIC with a stronger legal footing to take action in response to egregious practices of concern, and lay a strong foundation that could be built on with future privacy law reform.

Recommendations

The OAIC recommends that:

  1. The Bill be passed, and
  2. The amendments to the definition of personal information and introduction of a fair and reasonable test be considered as a matter of urgency (proposals 4.1, 4.2, 12.1, 12.2 and 12.3 in the Government response to the Privacy Act Review report).

[1] See Government response to the Privacy Act Review Report | Attorney-General's Department (ag.gov.au).

[2] Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024, p 13.

[3] Corporate plan 2024–25 | OAIC.

[4] Australian Community Attitudes to Privacy Survey 2023, August 2023.

[5] The framework in the Bill leverages existing broad definitions in the Online Safety Act 2021 so that the Code would apply to ‘social media services’, ‘relevant electronic services’ and ‘designated internet services’.

[6] Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024, p 40.

[7] The Australian opinion piece – ‘New laws needed to stop TikTok and other social media giants ‘harvesting’ data’ | OAIC

[8] Statement on TikTok preliminary inquiries | OAIC.

[9] See Government response to the Privacy Act Review Report | Attorney-General's Department (ag.gov.au) (Proposals 4.1, 4.2, 12.1, 12.2 and 12.3).