[This headline has been redacted]

Veronica Lenard

Federal Attorney-General Mark Dreyfus KC announced the release of the Privacy Act Review Report earlier this week. The review culminates the results of a review period that extended for more than two years and included over 200 submissions.

The Report contains 116 subproposals within 30 proposals which would significantly reform the current formulation of the Act to broaden the extent of the current act and introduce new protections.

The review proposes broadening what is considered personal information, and amends the definitions of de-identification and sensitive information. An updated definition of consent would extend beyond the current provision to require that it must be voluntary, informed, current, specific, and unambiguous. These terms are used substantially within many of the provisions of the Act.

A proposed amendment of the Act would require that the collection, use and disclosure of personal information be done in a manner that would be fair and reasonable in the circumstances, based on the objective perspective of a reasonable person. This would apply whether consent has or has not been obtained.

Several of the proposals would give individuals more control over their own privacy. The review outlines the creation or development of a right to access, object to the collection, use or disclosure, request the erasure and seek correction or de-indexing of personal information for individuals. A right to opt-out of both the use of personal information being used in targeted advertising and receiving targeted advertising is also recommended.

The proposals suggest an update of the Australian Privacy Principles to require collection notices to be clear, up-to-date, concise and understandable, which would be supported by publicly available templates for privacy policies and collection notices. The development of collection notices is particularly notable after the result of the Office of the Australian Information Commissioner’s review into Clearview AI, who had scraped images from third party sources to develop a facial recognition database based on an individual’s biometric information.

The review also outlines guidelines for the development and usage of substantially automated decisions of significant effect, including a right for individuals to request meaningful information about the decision. This could increase transparency of these largely opaque systems that tend to function as black boxes of decision making.

Other reforms suggested include removing or amending the small business, political, journalism and employee records exemptions, introducing a Children’s Online Privacy Code, updating the notifiable data breaches scheme, a review of the current civil penalties available, giving individuals a direct right of action relating to interference with privacy to seek relief from the courts and establishing a statutory tort for serious invasions of privacy.

The review has been underway since October 2020, when the issues paper was released. Submissions were collected during 2021 supported by the discussion paper. It is now open for feedback until 31 March 2023, which will inform the drafting of the reformed Act.

The proposed recommendations would move Australian privacy policy closer towards the more extensive General Data Protection Regulation in the European Union, which went into effect in 2018.