Rosalyn Page, Contributing Writer

What will the Australian privacy law review deliver?

News Analysis
03 Apr 2022 · 8 mins
Data Privacy, Privacy, Regulation

A looming federal election brings uncertainty over the Australian privacy law review and questions about whether new regulations will align with Europe’s GDPR.

Australian Parliament House, Capital Hill, Canberra, Australia
Credit: Mlenny / Getty Images

Privacy law in Australia is currently being reviewed, part of the government’s response to the Australian Competition and Consumer Commission (ACCC) Digital Platforms Inquiry. The review will consider the scope of privacy regulations as well as the use of notifications, enforcements, and regulatory frameworks and whether Australia should introduce a statutory tort that would provide for damages in serious invasions of privacy.

However, with a looming federal election, there’s more uncertainty than usual about the outcome of the review and the form any new privacy regulations might take. Additionally, with many privacy regulations around the world influenced by the European Union’s GDPR regime, there are questions about whether new local regulations should align with the EU’s approach.

One of the most fundamental aspects of privacy — and one that may or may not be enacted in any new laws — is a general right to privacy. As things stand, Australia doesn’t have a general right to privacy, which makes it very challenging for people to go to court when something is causing them serious harm.

Many legal experts say Australia should have a right to privacy. For one, the Australian Law Reform Commission’s review recommended a tort of ‘serious invasion of privacy’. “Every law reform report for over a decade has concluded that we do,” says Graham Greenleaf, a professor of law and information systems at UNSW Sydney and founding codirector of the Australasian Legal Information Institute (AustLII).

Where Australian privacy regulation needs to be strengthened

A review of this kind should focus on identifying and strengthening the weak spots in privacy regulation. Yet there is rarely a single point of focus: because technologies, and the way people use them, constantly change, privacy and data protection are constantly on the move.

Many experts believe it’s about every 10 to 15 years that major reforms need to be undertaken just to keep abreast of what’s happening with technology and in terms of regulation in other parts of the world. We’re at that point in time again, says Normann Witzleb, associate law professor at the Chinese University in Hong Kong and adjunct associate professor in law at Australia’s Monash University. “There have been some quite persistent weaknesses in the Australian regime that have been recognised as such for quite a long time, so hopefully they can be addressed,” he tells CSO Australia.

Specifically, he points to some of the terminology and even key concepts which need updating. “The foundational term of ‘personal information’ has become a bit doubtful, because it’s become perhaps a bit narrow as it was defined in Australia,” Witzleb says.

As one example, the increasing use of AI to generate information and create inferences means there’s a need to clarify that AI is also a way to create and generate personal information. “There’s other data that perhaps in the past we didn’t really have to take quite so seriously, like metadata, which is quite telling about what people do, that needs to be considered,” he says.

“Looking at notice and consent as a basis for data processing, there’s probably too much faith put in that as the basis for protecting people’s ability to decide what information they disclose and what happens with it,” Witzleb says. “The way it’s been used in practice means that consent has become quite meaningless because we simply consent, without knowing what we’re consenting to. We don’t understand it and we don’t have time to read privacy notices.”

There’s a need to establish certain baseline protections, even though there may be consent. It needs to protect situations where “the use of personal information isn’t unreasonable and doesn’t go against people’s expectations”, Witzleb says. Plus, “Australia has always been quite weak on enforcement too and this also needs to be strengthened in any new privacy regime.”

As things stand, until there’s draft legislation, there’s no firm idea about the direction and detail of any new privacy laws. “The discussion paper has some good suggestions that would make Australia much more convergent with the EU,” says UNSW Sydney’s Greenleaf.

If the relevant EU-inspired suggestions are adopted, “it would give Australia a modern data privacy law — and a much better one than we currently have. But there are also many alternatives in the discussion paper, so it’s not clear,” Greenleaf tells CSO Australia.

How Australia’s approach compares to GDPR

GDPR is seen globally as the standard for privacy protection. That’s clear in Australia where there’s so much reference to GDPR in the reform process. “The updated laws may not mimic GDPR but it’s certainly a reference point,” Witzleb says.

In the EU, there’s an emphasis on protecting the fundamental rights of citizens with a focus on personal data. In Australia, there’s protection for personal information about identified people, although there is no constitutional foundation for data protection.

Also, Witzleb notes that GDPR is complex and bureaucratic. “It’s also quite intimately bound up with the overall legal framework of the EU, so, when it comes to standards and principles, they’re based on fundamental rights protections. … Being a rights-focused way of approaching things, it doesn’t always work in countries like Australia that don’t have the same sensitivity towards rights dialogue and rights balancing. That balancing of conflicting interests and positions works within the EU, because that’s how the whole legal system is structured.”

Yet there are commonalities between GDPR and Australian privacy law as it currently stands. The Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), notes that they share a requirement to implement a privacy-by-design approach to compliance, the need to demonstrate compliance with privacy principles and obligations, and the more general need to have transparent information-handling practices.

Data breach notification and privacy impact assessments are other commonalities. Still, there are notable differences when it comes to the rights of individuals, such as GDPR’s “right to be forgotten”, which has no equivalent under Australia’s Privacy Act.

Witzleb says that a principles-based approach to regulation, which is closer to the Australian approach than to GDPR’s stronger rights-based approach, works quite well when supplemented by guidance from the regulator, as also happens under GDPR. “Being too strict, laws can become rigid and out of date, so there needs to be a degree of flexibility and openness to adapt privacy requirements as technology and social practices develop.” With that in mind, both regimes are technology-neutral so they remain relevant and applicable as technology and practices change.

When looking at aligning Australia’s updated privacy rules with the EU’s GDPR, it’s important to distinguish technically between convergence and adequacy in relation to EU GDPR privacy requirements. Convergence means changing a non-EU country’s privacy regulations so they’re similar to the EU’s. Adequacy is about what’s required to obtain an EU decision certifying that a specific country’s rules achieve the aims of GDPR when EU citizens’ data is held abroad.

The discussion paper asks for input on the potential benefits or disadvantages of Australia seeking adequacy under the GDPR. However, Greenleaf notes, there’s one glaring omission that would be crucial to a positive EU adequacy decision: the exemption for small businesses, which covers the vast majority of businesses in Australia. “Without that being changed, they won’t measure up to EU requirements.” And that is not all, he says: “Then there’s employment information, political parties, all exempted. These exemptions need to go before there’s any real prospect of adequacy with EU requirements.”

In the EU, the first privacy regulations were adopted in the 1980s. They have evolved over two further generations, culminating in GDPR, to include more and more principles for protecting privacy, Greenleaf says—now totalling 40 principles that have been implemented to varying degrees across the world. The top 75 countries outside the EU, based on gross domestic product, have a third to half of these principles in place. But “there are not many that get a score of 40 out of 40,” he says.

Even with the privacy review now under way, it’s not likely Australia would match the EU’s number of privacy principles, Greenleaf says. But “if Australia implemented the strong aspects of the discussion paper, that’s the league we’d be in. We wouldn’t be at the top of the class by any means, but we’d have a respectable third-generation privacy framework,” he says.


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
