How to write a submission to the Privacy Act Review

After over two years of consultation and review of the Privacy Act, the Attorney General’s Department has released the final report and is currently seeking feedback that will shape the direction of the legislation.

Now is the moment to send the Australian government a clear message: everyday people demand meaningful privacy protections. Making a submission is an important way to contribute to a public mandate for bold privacy reform. 

Below is a high-level overview of key areas for reform to the Privacy Act. We encourage you to use these points when writing your own submission. The goal is not to become a legal, technical or policy expert or get into the nitty-gritty details of privacy law. It’s about demonstrating that real people care about privacy reform, and expect the Australian government to put the right to privacy ahead of corporate interests. 

Tips for writing a submission 

• It doesn’t have to be long! A one page letter documenting your support for bold reform is enough.
• If you have personal or professional experience that is relevant, including that can be compelling. For example, if you were part of a data breach, or if you work for an organisation that handles people’s personal information. 
• You can reference submissions made by advocacy and expert organisations to express your support, for example: Digital Rights Watch, Electronic Frontiers Australia, the Australian Privacy Foundation, Choice, the Consumer Policy Research Centre, the Human Technolgy Institute and Salinger Privacy.   
• Submissions made to public consultations are generally made public and published online. If you want, can request your submission be made anonymous, but we suggest avoiding including any personal or sensitive information that you are not comfortable with being public.
• There are several ways to provide feedback 

Digital Rights Watch has set up a quick and easy submission-writing tool:

Or, you can make a submission by:

1. Respond to the AG’s survey 
2. Upload a written submission on the Department website. The link to upload a submission is at the bottom of the survey webpage. You do not have to complete the survey to upload a submission.
3. Submit via email to privacyactreview@ag.gov.au (make sure you advise whether you consent to publication, and if you require redaction of any information if it is published.)

WHY PRIVACY MATTERS

Protecting privacy is important for lots of reasons. One of them is that it can help to minimise the risk and potential consequences of a data leak such as the Optus and Medibank breaches. But protecting privacy is also essential to our democracy and to rein in the corporate power of data-extractive companies. 

• The right to privacy enables other rights. Without privacy it would be extremely hard to enjoy freedom of speech and expression, and the ability to organise, protest, and hold those in power accountable. There is no democracy without privacy! 
• Protecting privacy is a key way to fight back against harmful and invasive data practices of Big Tech (and other) companies. Privacy puts power and agency back in the hands of individuals and communities.

CONTEXT: A QUICK PRIMER ON THE LAW + REVIEW PROCESS 

• The Privacy Act is a federal law that currently applies to federal government agencies and private companies with an annual turnover of over $3 million. 
• It contains 13 Australian Privacy Principles (APPs) which govern how organisations can handle personal information. They are the cornerstone of Australia’s privacy protection framework. 
• The federal privacy regulator is the Office of the Australian Information Commissioner (OAIC). Their job is to enforce the Privacy Act, which includes conducting investigations, handling complaints, and advising organisations on how to comply with the Act. They are also responsible for developing policy guidance to help organisations.
• The Privacy Act was originally drafted in 1988. Aside from a few small changes here and there, it hasn’t been meaningfully revisited since then, despite ongoing calls from experts. In response to the Optus breach in late 2022 the Act was amended to increase fines, but this is not enough. Technology and data practices have come a long way since 1988, and the Act is no longer fit for purpose. 
• A review of the Privacy Act was started by the Coalition government in 2020. This is the third round of public consultation (and the first under a Labor government), and is likely to be the final opportunity to shape the direction of the review before draft legislation.

KEY AREAS FOR PRIVACY REFORM 

1. Privacy reform must prioritise data minimisation. The Optus and Medibank data breaches highlighted the danger of collecting and storing too much personal information. We know that perfect data security doesn’t exist, so the best way to keep personal information safe is not to have it. There is currently a culture of data-hoarding where organisations collect too much information “just in case” it may be useful or profitable in the future. We need the Privacy Act to challenge this culture by placing stricter limits on collection, use and disclosure of personal information, as well as stronger requirements to ensure it is not retained any longer than necessary.  

2. We need a robust, updated definition of ‘personal information’ that discourages surveillance and challenges the business models of data extraction and targeted advertising. The definition of personal information acts as a gatekeeper for protections offered by the Privacy Act. By expanding the definition we can expand the protections offered to everyday people. ‘Personal information’ should include technical data (like metadata), inferred or generated data (like when Facebook or TikTok can predict your political beliefs or sexuality from your behaviour), and other techniques that can distinguish individuals from a group (because privacy related harms can occur even if the organisation doesn’t know your name).

3. We must build an overarching ‘fair and reasonable’ threshold requirement for all forms of collection, use and disclosure of personal information. It’s close to impossible to interact in the modern digital economy without providing personal information to a growing number of government agencies, companies, and intermediaries. Placing the burden of responsibility upon individuals to protect their privacy is unrealistic. Organisations that collect, use, share and store our personal information should bear the brunt of this responsibility and be required as a bare minimum to do so in a fair and reasonable way. Organisations should not be able to use mechanisms such as consent to justify unfair or unreasonable practices. 

4. The law should require meaningful consent without manipulation. Consent is an essential component of personal agency and control over personal information, but it is often treated as a tick-box exercise or a catch-all to allow dubious practices. We need strengthened consent provisions so that consent is voluntary, informed, current, specific, unambiguous and indicated through clear action. Organisations should not be able to force, trick or manipulate people into giving consent, nor rely on a fuzzy notion of ‘implied’ consent.

5. The small business and political party exemptions should be abolished. At the moment, registered political parties and small businesses are not covered by the Privacy Act. It is more possible than ever for small businesses to collect, analyse, store, and share large amounts of personal information—especially by using off-the-shelf data collection and analytics software. People should have confidence that their personal information will be handled appropriately, regardless of the business they are providing it to. These exemptions create a dangerous gap in the protections offered by the Act and undermine Australia’s cyber security. What good are all these privacy protections if approximately 90% of Australian businesses are not required to comply? (Note: the Privacy Act is designed to be flexible, which means that it can be tailored to make sure it doesn’t create an unreasonable compliance burden on small businesses or political parties.)  

6. We need a direct right of action and a statutory tort for serious invasion of privacy. Currently, if an organisation invades your privacy or breaches the APPs, there are very few ways you can take action or seek redress (such as compensation). This system is not working—there is minimal accountability for organisations that do the wrong thing, and even less redress for people who suffer as a result. A direct right of action would create an avenue for individuals to litigate a claim for a breach of their privacy under the APPs, and a statutory tort would expand the ability of individuals or groups to lodge a case beyond the scope of the Privacy Act. These are two separate mechanisms, but both important ways to empower people to take their right to privacy into their own hands.

7. Privacy reform should increase the ability for people to exercise their rights. Providing additional rights to individuals is an important way to provide people with greater transparency and control over their personal information. We support improving Australia’s rights culture and the development of mechanisms for people to meaningfully exercise their rights. The report contains proposals to create or extend a range of individual rights, including:
   1. A right to access and explanation, 
   2. A right to object to the collection, use and disclosure of personal information, 
   3. A right to erasure, 
   4. A right to correction, and
   5. A right to de-index search results.

In addition to reforming the Privacy Act, we also need to properly fund the OAIC. An under-resourced regulator is a weak regulator. The OAIC has been woefully underfunded for decades, preventing them from being able to do their job. The policy and enforcement workload of the Information Commissioner is only going to increase as the Privacy Act is reformed, and as the creation, collection and use of personal information becomes increasingly complex through emerging technologies and the evolving digital economy.