[WG-ANCR] Re: Australian Government releases response to the Privacy Act Review Report

Thank you very much Paul, for this. Very helpful in positioning our work in terms of global activity. From: Paul Templeman Sent: Thursday, September 28, 2023 9:28 AM To: wg-ancr@kantarainitiative.org Subject: [WG-ANCR] Australian Government releases response to the Privacy Act Review Report Hi ANCR WG Thanks Mark and Sal for the opportunity to share the Australian perspective at 0PN Digital - Implementing Transparency & Consent to enable the Digital Commons last week. I have a bit of an update. The Australian Government has responded to the Privacy Act Review Report. See https://www.ag.gov.au/rights-and-protections/publications/government-respons e-privacy-act-review-report. Chapter 4 of the response is "Improve transparency and control" including consent, privacy policies and collection notices, individual rights, and ability for individuals to seek redress for interferences with privacy. An overview is below or the full report is available at https://www.ag.gov.au/rights-and-protections/publications/government-respons e-privacy-act-review-report. Privacy Reform - what is it? Consultation The Privacy Act Review was undertaken by the Attorney-General's Department and involved nearly three years of extensive consultation. The Report concluded that it is necessary to overhaul Australia's privacy laws, as many other countries have done, to ensure they remain fit-for-purpose in the digital age. Feedback following the release of the Report has reiterated a clear expectation that Government will strengthen privacy laws to ensure the collection, use and disclosure of people's personal information is reasonable, reflects community expectations and is adequately protected from unauthorised access and misuse. Industry and other stakeholders have acknowledged the importance of privacy reform and emphasised the need for reforms to strike an appropriate balance between enhanced privacy protections and impacts on regulated entities. What's next? The Government's response to the Privacy Act Review Report sets out the pathway for privacy reforms. The Government is committed to introducing legislation to protect the personal information of Australians in 2024. Of the 116 proposals in the Privacy Act Review Report, the Government response agrees to 38 proposals, agrees in-principle to 68 proposals and notes 10 proposals. 'Agrees in-principle' indicates that further engagement with entities and a comprehensive impact analysis is needed before the Government makes a final decision on implementation of a proposal. The Attorney-General's Department will lead the next stage of work, which will involve the development of legislative amendments informed by a detailed impact analysis and targeted consultations with stakeholders. This measured approach will ensure Government is informed of potential compliance costs for regulated entities and other potential economic costs or benefits (including for consumers) in finalising its decisions. The Government will also consider appropriate transition periods as part of the development of any legislation. While this work is underway the Attorney-General's Department will also progress implementation of non-legislative proposals, for example to develop a Children's Online Privacy Code and additional guidance to assist entities to meet their obligations. The Government will ensure there are meaningful opportunities to engage in this next phase of privacy reforms, noting there has been extensive consultation to date on many issues. Overview of themes The privacy reforms will complement other reforms being progressed by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia The privacy reforms will be progressed under the following focus areas: Bring the Privacy Act into the digital age The reforms will bring the scope and application of the Privacy Act into the digital age by recognising the public interest in protecting privacy and exploring further how best to apply the Act to a broader range of information and entities which handle this information. Uplift protections The reforms will uplift the protections afforded by the Privacy Act by requiring entities to be accountable for handling individuals' information within community expectations, and enhancing requirements to keep information secure and destroy it when it is no longer needed. Reforms to the Notifiable Data Breaches scheme will assist with reducing harms which may result from data breaches and introduce new organisational accountability requirements to encourage entities to incorporate privacy-by-design into their operating processes. New specific protections will also apply to high privacy risk activities and more vulnerable groups including children. Increase clarity and simplicity for entities and individuals The reforms will provide entities with greater clarity on how to protect individuals' privacy, and simplify the obligations that apply to entities which handle personal information on behalf of another entity. The reforms will increase the flexibility of code-making under the Act, reduce inconsistency and improve coherence across different legal frameworks with privacy protections, and simplify requirements for transferring personal information overseas, particularly to those countries with substantially similar privacy laws. Improve control and transparency for individuals over their personal information The reforms will provide Individuals with greater transparency and control over their information through improved notice and consent mechanisms. The reforms will also explore the scope and application of new rights in relation to personal information and increased avenues to seek redress for interferences with privacy, through a direct right of action permitting individuals to apply to the courts for relief for interferences with privacy under the Privacy Act and a new statutory tort for serious invasions of privacy. Strengthen enforcement The reforms will increase enforcement powers for the OAIC, expand the scope of orders the court may make in civil penalty proceedings and empower the courts to consider applications for relief made directly by individuals. A strategic review of the OAIC and further consideration of its resourcing requirements, including investigating the effectiveness of an industry funding model and establishing litigation funds, will enhance the effectiveness of Australia's privacy regulator. Best Paul . Paul Templeman paul@templeman.co mailto:paul@templeman.co