Privacy please! – the review of the Privacy Act

Every day we hand over our personal information to do simple tasks such as shopping online, using apps, signing up to services and, in the current COVID-19 climate, signing in at restaurants and venues. But how is our personal information protected, and how can it be used? In turn, what obligations do agencies and organisations have concerning personal information? The Privacy Act 1988 (Cth) promotes the protection of individuals’ privacy and personal information.

After the ACCC’s Digital Platforms Inquiry – final report (2019), the Australian Government committed to review the Act. In October 2020, the Attorney-General’s Department released a Privacy Act Review – Issues Paper which detailed areas of review and invited submissions, which can now be reviewed on the A-G’s website. The issues paper looks at the adequacy and effectiveness of the Privacy Act, particularly in a time where we rely on technology, and some people are increasingly concerned about their privacy rights.

Personal Information – obligations, breaches and definition

The review will include the promotion of good privacy practices and the potential for an independent certification scheme.

The Act has thirteen Australian Privacy Principles that set out how an entity or organisation can use, collect, manage and store personal information; it also sets out other obligations and enforcement mechanisms. In particular, the Act includes a notifiable data breach scheme which states when an organisation must notify the Office of the Australian Information Commissioner and affected individuals of a breach of personal information. As part of the review, the AG’s Department will be looking at the scheme and how it is currently working.

The definition of personal information will also form part of the review. Currently, the Act sets out a broad definition of personal information; personal information can range from an individual’s name, phone number and date of birth to their health information and religious views. Opinions also fall under personal information, irrespective of whether they are “true or not”. Definitions of personal information in overseas jurisdictions vary.

Other areas of review

The AG’s Department has also stated that the review will consider:

  • the scope and application of the Act – including any current exemptions;
  • if the Act adequately protects personal information and has a practical and proportionate framework to promote good privacy practices – including erasing data, consent to default privacy settings and overseas data flows;
  • the introduction of a statutory tort for serious invasions of privacy;
  • if individuals should be entitled to direct rights of action for the enforcement of privacy obligations;
  • the standard of enforcement and the interaction of the Act with other regulatory frameworks; and
  • the viability of an independent certification scheme.

Following the Issues Paper, the AG’s Department has indicated the release of a discussion paper this year. The discussion paper will ask for further feedback about any preliminary outcomes and proposed reforms. The review will be an area to watch to see what reforms will be presented and potentially introduced under the Privacy Act.

Author: Sharna White, Graduate Lawyer. Sharna has recently finished her time with us to take up a great position – we wish her all the best!

Highlights of 2019 and areas to watch in 2020


Looking back on 2019

First major fines under the GDPR

If the introduction of the EU General Data Protection Regulation (GDPR) was the talking point for the world of privacy of 2018, the first rounds of serious fines issued under the regulation were definitely the talk of 2019.

We saw a number of unprecedented fines being given in response to the biggest privacy breaches and data leaks of the year, including:

  • hotel giant Marriott was fined $197 million for an ongoing data breach that exposed 5 million unencrypted passwords, 8 million credit card records, and impacted 30 million EU residents.
  • British Airways faced a record fine of $328 million for a cyber-attack on their website which resulted in about 500,000 customer records, including credit card details, names, addresses and email addresses, being extracted by the attackers.
  • Google was fined $80 million by France’s data regulator, CNIL, for failing to comply with its GDPR obligations due to a lack of transparency and consent in relation to Google’s advertising personalisation.

The nature and scale of the penalties enforced in 2019 indicate that the risks of non-compliance for international businesses with an EU presence, including Australian businesses, are only likely to increase in 2020.

Mandatory text for defect warranties

In June 2019, we saw changes to Australian Consumer Law as amendments to the Competition and Consumer Regulations 2010 (Cth) introduced new mandatory wording to be used by suppliers providing warranties against defects for services (or goods and services together). This amendment expands the scope of defect warranties for consumers as the ACL previously only prescribed mandatory text for warranties relating to goods.

The new mandatory wording can be found on the Australian Competition & Consumer Commission (ACCC) website, here.

Amendments to Whistleblower Legislation

More than two years after its introduction to Parliament, the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (the Act) came into effect on 1 July 2019.

The Act made significant amendments to the Corporations Act 2001 (Cth) and Taxation Administration Act 1953 (Cth), increasing the protections afforded to whistleblowers and providing greater accountability for companies to ensure compliance with whistleblowing obligations.

The key features of these amendments included:

  • widening the definitions of ‘eligible whistleblowers’ and ‘eligible recipients’,
  • expanding the range of misconduct,
  • permitting anonymous disclosures,
  • implementing a whistleblower complaint policy for certain entities, and
  • increasing both civil and criminal penalties.

AI in Public Sector

Some significant implications of public sector use of AI and automation technologies were highlighted during the year.

In the case of Pintarich v Deputy Commissioner of Taxation, the Federal Court of Australia found that Mr Pintarich remained liable for interest charges on a tax liability, even though he had received a computer-generated letter from the Deputy Commissioner of Taxation remitting his liability.

Because of the automated nature of the computer-generated letter, the court ruled that there was no mental process involved in reaching the conclusion, and accordingly, Pintarich could not rely upon the letter.

As automation technologies become more widespread in the public sector, and automated programs begin to replace human mental processes in complex decision making, it will be interesting to see the implications of this case on administrative decision-making in 2020 and beyond. Recent developments include an issue, identified in January this year, with inaccurate ATO general interest charge notices.

Areas to watch this year

Government action in response to the ACCC’s Digital Platform Inquiry

In July, the ACCC released its final report for the Digital Platforms Inquiry, providing a number of recommendations concerning the market dominance of large digital platforms – namely, Google and Facebook. These recommendations included wide ranging regulatory changes to multiple areas, including competition and consumer law, privacy, copyright, and media regulation.

In light of the report, the Federal Government has provided its response, supporting 6 of the 23 recommendations made by the ACCC. The response outlines the government’s commitment to:

  • Allocating $26.9 million over four years to establish a new special unit in the ACCC to monitor and report on the state of competition and consumer protection in digital platform markets.
  • Tasking the ACCC to facilitate the development of a voluntary code of conduct to address bargaining power concerns between digital platforms and media businesses.
  • Reforming media regulation to cover both online and offline delivery of media content to Australian consumers.
  • Further strengthening Privacy Act protections, subject to consultation and design of specific measures as well as conducting a review of the Privacy Act.

Introduction of the Consumer Data Right

In August 2019, the Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (CDR), amending the Competition and Consumer Act 2010 (Cth), Australian Information Commissioner Act 2010 (Cth) and Privacy Act 1988 (Cth).

The CDR will give consumers the right to safely access certain data about them held by businesses, allowing them to better access information on the products available to them, as well as being able to direct that this information be transferred to accredited, trusted third parties of their choice.

In December, the ACCC announced an updated timeline for the launch of the CDR. The launch has now been pushed back from February to July 2020 for the banking sector.

The ACCC also announced that it would amend the CDR rules to reflect the revised timetables and consult other phases of the CDR, including its introduction into the energy and telecommunication sectors.

Reforming Australia’s designs system

Australia’s current design system has not been reviewed since the introduction of the Designs Act 2003 (Cth) in 2004. In response to recent concerns regarding its effectiveness and suitability, IP Australia has now commenced a two-phase approach to provide reforms to the system.

The first phase involves progressing and implementing the accepted recommendations from the former Advisory Council on Intellectual Property’s (ACIP) review of the Designs Act. IP Australia is aiming to introduce changes based on these recommendations in 2020.

The proposed changes fall into three topics:

  • examining the scope of design protection,
  • providing early flexibility for designers, and
  • simplifying and clarifying the designs system.

IP Australia aims to introduce changes based on these recommendations this year.

In the second phase, as part of its ‘Designs Review Project’, IP Australia has also begun a more holistic review considering broad and longer-term reforms to Australia’s designs system. IP Australia will continue its research and consultation with stakeholders throughout 2020, with the aim to further understand and improve design innovation, commercialisation, and the overall designs economy in Australia.

Author: Blake Motbey, Associate


Highlights of 2018 and areas to watch in 2019

2018 came and went in a flash. France celebrated glory in the FIFA World Cup in Russia; Banksy sold his ‘Girl With Balloon’ painting for $1.86 million before the artwork shredded itself seconds after the gavel dropped; and the online world was captivated by the World Record Egg. And as we say goodbye to summer and settle into the working year, why not take the chance to reminisce on some of the more important developments of 2018, and look forward to those that 2019 has in store?

Looking back on 2018

  • New obligations were enforced under the European Union General Data Protection Regulation (the GDPR). While the GDPR is an EU regulation, the obligations have a wide reach, applying to all Australian businesses who have an establishment in the EU, offer goods & services to the EU, or monitor the behaviour of individuals in the EU.
  • As part of the government’s safe harbour and insolvency reforms, we saw the introduction of the ipso facto insolvency reforms by way of the Treasury Laws Amendment (2017 Enterprise Incentives No.2) Act 2017. The reforms apply to contracts entered into on or after 1 July 2018, affecting the ability of contracting parties to exercise termination, enforcement or other rights that are triggered by a company restructuring or insolvency.
  • The European Parliament voted in favour of introducing the controversial EU Copyright Directive, legislation designed to better meet the needs of copyright protection in the internet age. The proposed directive caused significant global debate around the detrimental effects of Articles 11 (the Link Tax) and 13 (the Meme Ban), headlined as the ‘death of the Internet’.
  • The ACCC highlighted its hard stance against franchises attempting to contract out of their obligations under the Franchising Code of Conduct and the Competition and Consumer Act. The ACCC’s case against Husqvarna Australia highlighted the importance of all companies that appoint dealers, distributors, licensees or similar, to confirm whether their contracts are in fact franchise agreements.
  • The Victorian Supreme Court cast some doubt over the enforceability of contractual provisions that attempt to limit the period in which parties can claim for misleading or deceptive conduct. This arose in the case of Brighton Australia Pty Ltd v Multiplex Constructions Pty Ltd [2018] VSC 246, where the court considered the enforceability of a contractual provision requiring claims (including for misleading or deceptive conduct) to be made within 7 days. Justice Riordan, deciding in contradiction to a number of NSW decisions, ruled in favour of the “no exclusion principle”, stating that allowing the enforceability of such time limitations on claims would be against the public policy underpinning the provisions of the Australian Consumer Law (ACL).

Some areas to watch in 2019

  • Discussions over the EU Copyright Directive continue, with negotiators for the European Parliament aiming to finalise the directive shortly. However, negotiations have broken down, with the three-way discussion between Council, Parliament and member states derailed over the exact wording of Article 11 and Article 13. Consequently, the “trialogue” discussion that was set to take place on 23 January was cancelled. With EU elections coming up in May, the likelihood of any closure on this matter in the near future is low, with a final vote likely to take place under the next parliament.
  • The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, commonly referred to as the AA Bill, was passed in December of last year. The Bill’s aim is to compel various companies, especially those in communications industries, to assist Australian security and law enforcement agencies by allowing access to encrypted communications they believe may contain plans for illegal or terrorist activity. The implications of the Bill will be an interesting area to watch throughout the year, with a number of people, especially those within the tech and start-up communities, expressing their concerns.
  • On 10 December 2018, the ACCC released its Digital Platforms Inquiry Preliminary Report. The ACCC’s report is founded on questioning the role and accountability of the global digital platforms (such as Facebook and Google) in the supply of advertising, news and journalism in Australia. The final report addressing these issues will be due on 3 June of this year.
  • There has been some debate globally and in Australia regarding “hipster antitrust” laws, questioning the standards of competition law. The current foundation of competition law in Australia is focused on consumer welfare. However, concerns have been raised that this standard is too narrow and does not allow for prosecution of some types of conduct that some commentators believe competition law should cover. While this debate is likely to continue throughout the year, ACCC Chairman Rod Sims has reinforced Australia’s consumer welfare position, expressing the ACCC’s opposition to the introduction of broader public policy considerations into competition law enforcement.

Author: Blake Motbey, Paralegal.

Highlights of 2017 and areas to watch in 2018

Here is a round-up of some key developments in 2017:

  • The Competition and Consumer Amendment (Misuse of Market Power) Act 2017 came into effect, implementing Harper reforms in the area of misuse of market power, adding an effects test as well as the purpose test.
  • The Telecommunications Sector Security Reforms were enacted and are now in a 12 month implementation period. These reforms impose obligations on carriers and carriage service providers to take steps to ensure the security of networks and notify breaches, and provide powers to the Attorney-General to issue directions relating to security risks.
  • Business gained useful guidance on the issue of unfair contract terms in small business contracts with a case in the waste management area which provided a detailed review of some common, and some less common, standard terms.
  • Consultations closed in December on a draft bill to implement aspects of the Government’s response to the Productivity Commission’s review of Australia’s IP arrangements.
  • A controversy in relation to the Olive Cotton Award highlighted issues around copyright, commissions and collaboration.
  • The Full Federal Court dismissed Vodafone’s application for judicial review in relation to the ACCC’s decision not to declare a domestic mobile roaming service. If a domestic mobile roaming service had been declared, this would have allowed carriers to access Telstra’s regional networks in areas not covered by their own networks.

Areas to watch this year:

  • With mandatory data breach notification coming into force later this month, and the EU General Data Protection Regulation taking effect in May, 2018 is the year of privacy compliance for Australian businesses.  Check out more details here and ensure that your privacy compliance systems are up to date.
  • Also in Europe, the Trade Secrets Directive, which harmonises trade secrets protection, will be implemented by member states by the middle of the year.
  • In the FOI area, submissions to the OAIC on the Freedom of information regulatory action policy close this Friday.
  • The ACCC has foreshadowed its 2018 priorities, including criminal cartel enforcement and deterrence. In an interview in the AFR, Chairman Rod Sims suggested that there would be 3 to 4 cartel actions in 2018, including the possibility of penalties for executives. This follows the ACCC’s successful actions in financial services and in the shipping industry, with a further shipping case to be heard in July.
  • Other ACCC priorities mentioned in the interview include bank interest rate decisions, and media sector mergers.
  • On the IP front, submissions on the Copyright Amendment (Service Providers) Bill, which would extend safe harbour provisions to educational and cultural institutions, libraries, archives and organisations assisting people with disabilities, close on 30 January.

Mandatory data breach notification toolkit

All businesses that are currently subject to the Privacy Act will have new mandatory data breach notification obligations from 22 February 2018.

With new obligations under the European Union General Data Protection Regulation (EU GDPR) also applying to many Australian businesses, now is the time to finalise your updated privacy procedures.

Step 1 – understand your obligations. You will need to have an understanding of the new mandatory data breach notification requirements and, if you handle EU customer information, of the GDPR requirements.

Step 2 – audit your existing systems. Do you have clear, simple plans for changing passwords, limiting access, editing or removing online information and notifying the right people internally? Assess the likely security risks in your organisation and consider possible weak points.

Step 3 – audit your suppliers. You will need to review vendor contracts, specifically for IT vendors, to check whether you have appropriate privacy requirements in place for your suppliers.  Have you identified suppliers you can call on to help you identify, cap and respond to breaches?

Step 4 – update your plan.  Many organisations will already have data breach response plans in place. Check whether these are up to date – current people, contact details and systems need to be added. Plans will need to be updated to reflect Australian mandatory reporting obligations and GDPR requirements.  In particular, for GDPR requirements, you need to note the 72 hour timeframe for notification. Ensure that your privacy policy is up to date – we see a lot of privacy policies that were drafted before the changes of the last few years and haven’t been updated.

Step 5 – test your plan. Run through possible scenarios to ensure that you have the right procedures and systems in place.

You should ensure that your procedures are ready during the next month.

We can help you with a privacy toolkit including details of the new requirements, updated policies, procedures and reviews to ensure that you are ready for February. If you would like to discuss our privacy toolkit, contact us.

The GDPR is coming – does it affect you?

Australian businesses of any size need to be aware of the new European Union General Data Protection Regulation, which will be implemented on 25 May 2018.

Small Australian businesses, with a turnover below $3 million, are used to being exempt from the Australian Privacy Act (unless they fall into specific categories). Many do not have privacy policies or procedures in place.

The GDPR does not exempt small businesses.

Which Australian businesses will be affected?

The GDPR will apply to all Australian businesses which:

  • have an establishment in the EU,
  • offer goods and services in the EU, or
  • monitor the behaviour of individuals in the EU.

The OAIC has provided some guidance, with examples of these criteria:

  • an Australian business with an office in the EU,
  • an Australian business with a website that targets EU customers,
  • an Australian business whose website mentions customers or users in the EU, or
  • an Australian business that tracks individuals in the EU online, and uses data processing techniques to profile them.

Examples of targeting EU customers include enabling the ordering of goods or services in a European language, or enabling payment in euros.

The European language factor appears broad, but the GDPR makes it clear that where a website uses a language that is generally used in the business’ home country, this will not necessarily mean that the GDPR will apply. Australian businesses offering services in community languages should be conscious of this issue and, if necessary, make it clear that their presence is only local.

The issue of “mentioning” customers or users in the EU arises from Recital 23 of the GDPR, which states that where a website mentions customers or users who are in the EU, this may make it apparent that a business envisages offering goods or services to EU data subjects.

What are the requirements?

Key new aspects of the GDPR are stricter accountability measures, including audits, privacy impact assessments, activity records, policy reviews, and the appointment of a data protection officer for large-scale data handling operations.

The GDPR and the Australian Privacy Act share many requirements, including the need:

  • to implement a “privacy by design” approach to compliance
  • to be able to demonstrate compliance with privacy obligations, and
  • to adopt transparent information handling practices.

There are also some significant differences.  These include data portability and a right of erasure which go considerably further than Privacy Act requirements.

What should Australian businesses do?

According to an ISACA survey of executives, as at 9 months before implementation, fewer than a third of those surveyed were satisfied with their organisation’s progress to prepare for GDPR; more disconcertingly, 35% were not aware of their organisation’s progress.

To put your business in better shape to meet this new regulatory framework, you should be acting now in the following areas.

If your business is currently below the Privacy Act threshold, but will be directly affected by the GDPR, you will need to kick start your compliance program.

To adapt a current privacy program to the GDPR, you will need to focus on the following areas:

  • compliance: classify personal data; conduct risk assessments; implement privacy protection practices for all business areas; identify an employee with responsibility for data protection, and, if your organisation handles significant amounts of data, appoint a data protection officer; implement compliance audits; and document all processes.
  • data handling: be aware that individuals under 16 cannot consent to the collection of their data; implement systems to delete data if it is no longer used for its initial purpose; delete data if the individual revokes consent.
  • transparency: put in place processes to provide individuals with full and clear information about the treatment of their personal data; review end user licence terms and customer terms; be prepared to notify regulators (within 72 hours) and affected individuals if a data breach occurs.

Even if your business is not directly affected, the ability of your EU business partners, distributors and corporate group members to provide you with information from their own operations will be affected, so you may need to adjust existing business practices to address this issue.

You should also consider whether your business relies on business data that is sourced from affected organisations.  Industry sources expect the GDPR, once implemented, will significantly affect the flow of business data which is currently processed and used for analysis by Australian businesses.

If you need help to develop privacy policies and processes, or to adapt your existing procedures to meet GDPR requirements, contact us.

Highlights of 2016 and areas to watch in 2017

Here is a round-up of some key developments in 2016:

  • The Telecommunications Sector Security Reforms went through 2 rounds of public consultation and have now been referred to the Parliamentary Joint Committee for Intelligence and Security. These reforms will impose obligations on carriers and carriage service providers to take steps to ensure the security of networks and notify breaches, and provide powers to the Attorney-General to issue directions relating to security risks.
  • The Masters Bendigo case saw developments in relation to agreements to agree and good faith.
  • There were several key cases in the credit reporting area, including the Veda trade mark and SEO case, and the OAIC determination requiring Veda to improve accessibility of free credit reporting.
  • The Productivity Commission released its report on IP arrangements, prompting public debate in relation to fair use and the rights of copyright holders.
  • The OAIC consulted on its draft Big Data guide.
  • An exposure draft of the Harper review bill was released.
  • The unfair contracts rules for small business came into effect from 12 November.
  • The ACCC took landmark consent proceedings relating to attempted cartel conduct in the financial services industry.
  • The Federal Court found that Woolworths’ “Mind the Gap” payments were not unconscionable.

Areas to watch this year:

  • Data protection remains a key focus area with significant developments continuing in Australia (including the Notifiable Data Breaches Bill), the EU (the European Union General Data Protection Regulation will take effect in May 2018 and will significantly affect data relating to employees) and across the globe.
  • Trade secrets have become another focus area.  In 2016 the European Council approved the Trade Secrets Directive to harmonise European trade secrets protection. Member states will need to implement the directive by mid 2018. The US Defend Trade Secrets Act 2016 has created a federal jurisdiction for misappropriation of trade secrets including significant whistleblower protection which will need to be reflected in US employment and confidentiality agreements.
  • Ahead of the release of its 2017 priorities, we can anticipate that the ACCC will continue to focus on unfair contracts in business, cartel conduct (following the significant financial services case) and optional extra preselection in the airline industry. The ACCC is seeking submissions on a proposed FIFO airline alliance (due on 27 January) and on its draft decision for the declared superfast broadband access service (SBAS) and the local bitstream access service (LBAS) (due on 17 February).
  • CAANZ will report on the first Australian Consumer Law review by March.
  • Further legal and regulatory attention is likely in the problematic commercial VET sector, with reforms promised to address the significant consumer protection issues that were highlighted during 2016.
  • On the IP front, submissions are due by 22 January on the proposed IP Laws Amendment Bill.

Focus on privacy issues for IoT businesses

The OAIC has recently reviewed privacy issues surrounding Internet of Things businesses in Australia.

The review was undertaken as part of the Global Privacy Enforcement Network’s (GPEN) fourth annual privacy sweep.  GPEN’s 2016 sweep included results from 25 national agencies and reviewed 314 businesses and devices such as wearables, smart TVs and health monitors.  The results showed significant numbers of those businesses failing to explain to consumers how their personal information is collected, used, disclosed and safeguarded.  Many also did not offer assistance to consumers to help them manage default settings, delete data or wipe their data if the device was lost.

For the Australian section of the sweep, the OAIC reviewed 45 different devices from existing and start-up businesses.  The devices reviewed ranged from fitness monitors to thermostats.  Of these devices, over 30 were considered to have inadequate or non-existing privacy policies to explain to consumers how their personal information would be managed.

The OAIC has foreshadowed that it will publish resources for start-ups to assist them in developing appropriate policies.

Like other businesses, IoT businesses need to be aware of the thresholds for privacy compliance, and also the reputational need for compliant privacy procedures.

Contact us if you would like to arrange a review of your privacy policy.

Submissions due on OAIC’s draft big data guide

The Office of the Australian Information Commissioner is calling for submissions on its draft Guide to big data and the Australian Privacy Principles.

The document will not be legally binding or replace the APPs, but will be used by the OAIC as a reference point. As such, some elements of the guide are broad-brush – such as the recommendation not to be “creepy” – while other recommendations are more specific.

Key recommendations in the draft include: