07 Dec 2021

Australian Privacy law reform in a data-hungry age

An update on the Australian privacy, data and regulation landscape from newly re-appointed OAIC Commissioner Angelene Falk

Australia should seize the moment to reform its privacy laws and collaborate internationally to rein in “high privacy impact technologies”, says Australian Information Commissioner Angelene Falk.

Falk - who will lead the Office of the Australian Information Commissioner (OAIC) until August 2024 - told a meeting of the International Association of Privacy Professionals (IAPP) that her team is focused on:

  • PROTECTING PERSONAL INFORMATION: Giving the community more choice and control over their personal information and protecting them from data theft, scams and fraud by ramping up investigation and enforcement around the Notifiable Data Breach Scheme.
  • WORKING TOWARDS BROADER INFRINGEMENT POWERS, SIMILAR TO THE ACCC: The OAIC launched legal action against Uber, Clearview AI, Facebook and 7-Eleven between 2020 and 2021 for what Falk calls breaching community expectations. The OAIC signaled it wants the ability to act in the same way the ACCC does - for example, using infringement notices - to stop serious privacy and personal information breaches without the delays of lengthy court battles.
  • INTERNATIONAL & NATIONAL JOINT INVESTIGATIVE ACTIONS: Working with European, American and other countries’ regulators to act jointly against large platforms like Google and Facebook, as well as international companies like Clearview AI who are over-reaching beyond community expectations.
  • REFORMING AUSTRALIAN PRIVACY LAWS: The reform of Australia’s 1988 Privacy Act will involve considerable community and industry consultation, following the release of a detailed discussion paper and likely increases in fines and penalties for breaches of the Act.
  • DEVELOPING ONLINE PRIVACY CODE LEGISLATION FOR SOCIAL MEDIA AND OTHER DATA-HANDLING BUSINESSES: As part of the Privacy Act reforms, the OAIC will approve separate legislation for organisations that trade in personal information. This code is expected to outline how companies should obtain consent to use people’s personal information as well as how to draft privacy policies.

Falk says businesses face increased complexity around personal information, but there are three key things that will protect Australians’ privacy:

  1. UPGRADING THE AUSTRALIAN PRIVACY FRAMEWORK: Creating the new online privacy code and reviewing the Privacy Act are part of the “strengthening” that Falk believes Australians need for their “technology-neutral” privacy principles.
  2. INCREASED ACCOUNTABILITY FOR ORGANISATIONS: Issuing higher penalties and allowing regulators like the OAIC to issue infringement notices to quickly nip poor practices in the bud.
  3. CREATING AN OVERARCHING STANDARD FOR INFORMATION HANDLING: Falk believes organisations that are trusted with citizens’ personal information should meet baseline standards around data handling. She argues responsible companies will not be looking to the legislation, regulation and penalties to see what they can get away with but take the opportunity to do better.

BIGGER FINES AND A REGIME ‘MORE IN LINE WITH THE EUROPEAN UNION’ IN AUSTRALIA

Falk also explained the “need to reform the civil penalty regime” and allow the OAIC to issue infringements and fines rather than go to the Federal Court to fight long legal battles.

“Currently, I need to go to the Federal Court - which you'll be aware I've done in the case of Facebook - and argue that the interference with privacy is the next level and it's serious and or repeated,” she says.

The Federal Court sometimes doesn’t have jurisdiction or the ability to make orders, so Falk says giving her office the same jurisdiction the ACCC has to regulate competition and consumer legislation is one way to strengthen the response.

Discussion paper options that have been canvassed include a tiered approach to fines, so that “serious and repeated threshold need not be reached in all cases”.

“As a regulator, we do need to be able to focus our resources on the higher risk and systemic issues,” she says.

“There’s real opportunities once we have those reforms to be much more aligned with some of the approaches that are taken across the European Union.”

HOT BUTTON ISSUES: FACIAL RECOGNITION, DATA SCRAPING, CHILDREN AND GAMBLING ADS IN THE SPOTLIGHT

The introduction of new and innovative technologies like virtual and augmented reality - including new ‘smart glasses’ from Meta - will increasingly raise questions about what personal information it is fair and reasonable for businesses to collect.

Falk flagged that facial recognition technology is under the spotlight. This was highlighted particularly in the 7-Eleven case, where it was used without people’s consent and for marketing rather than legal reasons.

She also mentioned the OAIC has its eyes on the digital targeting used for gambling advertisements to people with gambling addictions.

Another big issue will be raising the ‘age of consent’ for children under 16 to use social media or share other personal information online.

Falk says her office will be working with the Age Appropriate Design Code developed in the UK and the Irish Data Protection Commissioner’s work - as well as Australia’s eSafety Commissioner - to make sure “activities undertaken by the service provider are in the best interest of the child”.

THE RISE OF AUSTRALIA’S ‘CO-REGULATORY’ REGULATORS

Falk explained that Australian regulators including APRA, ACMA, the eSafety Commissioner, ACCC and OAIC are ‘merging’ to tackle regulation of big and small technology companies and raise privacy standards.

The Consumer Data Right legislation has been one “co-regulatory model” between the OAIC and the ACCC, which is now rolling out from banking to other sectors like energy and telecommunications.

Australian regulators are also taking a ‘big picture’ approach to working with their global counterparts to tackle big companies like Google and Facebook, as well as smaller companies like Clearview AI.

She says higher risk businesses - particularly social media companies, data brokers and artificial intelligence businesses - must be accountable to the OAIC as the regulator, but also to consumers.

“We need to make privacy easy for all businesses,” she says, discussing that smaller businesses are likely to need to comply with reformed privacy laws given that they handle sensitive and personal information.

“What we are proposing is that there ought to be really provable accountability, so where you (a business) are engaging in higher risk activities, there's a responsibility to conduct a privacy impact assessment,” Falk says.

She said it’s vital that Australia:

  • Has a secure digital economy;
  • Has a regulated online environment;
  • Recovers from the pandemic;
  • Deals with high risk and ‘high privacy impact’ technology.

Listen to the full Fireside Chat with the Australian Information and Privacy Commissioner Angelene Falk at the IAPP ANZ Summit Online 2021.
