This article was co-authored with India Bennett.
After months of waiting for progress on the current review of the Privacy Act 1988 (Cth), the federal government galvanized Australia’s privacy landscape with two significant developments.
First, the government released a discussion paper on reforming the Privacy Act. The discussion paper takes into account stakeholder comments on the earlier issues paper released in October 2020 and invites further comments on potential changes to the Privacy Act. Public consultation on the discussion paper is open until January 10, 2022. In the coming weeks, we will share our thoughts on the 217-page discussion paper.
Second, the government issued an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, otherwise known as the “Online Privacy Bill”. In this article, we provide a brief overview of what businesses should consider in relation to the Online Privacy Bill.
Online Privacy Bill
The Online Privacy Bill seeks to give effect to the federal government’s commitment to strengthen privacy law by increasing penalties and the associated enforcement provisions, and by enabling the introduction of a binding online privacy code for social media and certain other online platforms.
Substantial increases in penalties
The Online Privacy Bill proposes significantly increased penalties for serious or repeated interferences with privacy under the Privacy Act. For bodies corporate, the maximum penalty will be increased to an amount not exceeding the greater of:
- A$10 million;
- three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or
- 10% of domestic annual turnover.
The dollar cap is nearly five times the current maximum penalty of A$2.22 million, and the second and third limbs could produce far higher figures. The proposed penalties mirror the maximum penalties under the Australian Consumer Law. By comparison, the monetary cap remains well below the cap under the EU’s General Data Protection Regulation (GDPR), including the post-Brexit UK version, where the maximum penalty for serious breaches is the higher of €20 million (approximately A$31 million) or 4% of annual worldwide turnover. However, for companies with annual turnover exceeding A$100 million, the 10% turnover limb should not be lightly dismissed.
The increase in the maximum penalty is intended to send a clear message to Australian and foreign entities subject to the Privacy Act that breaches will be treated seriously, and to reinforce the need for compliance. The risk is further heightened by separate proposals to introduce new compliance obligations under the Act and to expand the scope of foreign entities subject to the Act. To manage this risk, privacy governance and compliance programs will need to be reviewed, or implemented where they are not already in place.
New online privacy code and framework
The Online Privacy Bill also proposes the introduction of a new online privacy code (the OP code) to regulate several categories of organizations that collect and trade in personal information in connection with the provision of electronic services. Collectively, these organizations will be known as OP organizations, and they will be required to comply with the OP code.
The OP code has not yet been developed; the government proposes that industry develop the OP code within a few months of the bill being passed. If industry groups are unable to develop the OP code, the Privacy Commissioner will be empowered to develop it. The proposed timetable is ambitious: the OP code is expected to be requested, developed, registered and in force within 12 months of the bill commencing.
The OP code is intended to set out detailed obligations on how OP organizations must comply with the Australian Privacy Principles, together with certain additional obligations. By using the OP code as the vehicle for targeted legislative reform, OP organizations are likely to become subject to detailed and potentially far-reaching obligations. The bill indicates that the OP code should address matters such as:
- Privacy policies: how they are to be displayed and brought to the attention of individuals;
- Consent: how to ensure that consent is informed, voluntary and specific, together with a proposal to require consent for sensitive information to be refreshed;
- Privacy notices: how to give notice at the time personal information is collected;
- Children: specific details on how the OP code will apply to children and other vulnerable people, as well as a specific requirement for social media services to verify a person’s age and to obtain (and verify) parental consent for children under 16; and
- A right to be forgotten? The OP code may include a requirement for OP organizations to take reasonable steps to cease using or disclosing an individual’s personal information if the individual so requests. If implemented, this would amount to an entirely new privacy right for individuals and could have a scope similar to the “right to be forgotten” under the GDPR.
Some of these requirements are likely to force OP organizations to make substantial investments in new technology, processes and procedures. In particular, OP organizations are likely to need to overhaul their privacy notices and customer onboarding processes, and to introduce an age verification process and a consent management system.
What types of organizations must comply with the OP code?
It will be essential for organizations to determine whether the bill, if passed, will apply to them. The government published an explanatory memorandum with the bill that gives the following examples for each category of OP organization:
- Social media organizations: organizations that provide a social media service, being an electronic service whose sole or primary purpose is to enable online social interaction between two or more end users, that enables interaction between end users and that allows end users to post material on the service. Examples given are social media platforms (e.g. Facebook), dating apps (e.g. Bumble), online content services (e.g. OnlyFans), blogging or online forum sites (e.g. Reddit), gaming platforms that allow end users to interact with other end users, and online messaging and video conferencing platforms (e.g. WhatsApp and Zoom);
- Data brokerage organizations: organizations that collect personal information for the sole or primary purpose of disclosing personal information, or information derived from personal information, as part of providing a service. Examples given are Quantium, Acxiom, Experian and Nielsen Corporation; and
- Large online platforms: organizations that collect personal information about individuals in the course of providing access to information, goods or services (other than a data brokerage service) using an electronic service (other than a social media service) and that have more than 2,500,000 end users in Australia. The explanatory memorandum notes that an end user would include a person who uses a search engine. Examples given are large global technology companies (e.g. Apple, Google and Amazon) and media sharing platforms (e.g. Spotify).
There are important exceptions:
- Government agencies are not OP organizations;
- The mere operation of a customer loyalty program is not intended to make an organization an OP organization;
- Online communications with customers and feedback facilities that are only incidental to a business will generally not be considered social media; and
- Streaming services and payment processing services are not intended to be covered.
Public consultation on the exposure draft of the Online Privacy Bill is open until December 6, 2021. The government will then consider stakeholder comments and prepare a further version of the Online Privacy Bill for introduction to Parliament.
The proposals in the bill concerning social media organizations, data brokerage organizations and large online platforms have the potential to create substantial compliance burdens. Combined with the proposed increase in penalties, the compliance risk for OP organizations will be higher. We recommend that OP organizations engage in the consultation process and, if the bill is passed, also participate in the development of the OP code to the extent possible.
If you would like assistance in preparing a submission in response to the exposure draft, or in managing your company’s compliance with the Privacy Act, please contact a member of our team.