The Optus and Medibank breaches have demonstrated an urgent need for reform to the Privacy Act, but we need to make sure the changes are meaningful and address long-standing issues and are not just knee-jerk reactions. Below is a high-level overview of key areas for reform to the Privacy Act.
Please note that this is not an exhaustive list of necessary changes to the Privacy Act. Rather, this is a generalist guide that we’ve put together to help people understand the context and some of the core areas for reform.
WHY PRIVACY MATTERS
Protecting privacy is important for lots of reasons. One of them is that it can help to minimise the risk and potential consequences of a data leak such as the Optus breach. But protecting privacy is also essential to our democracy, and to rein in corporate power.
- The right to privacy enables other rights. Without privacy it would be extremely hard to enjoy freedom of speech and expression, and the ability to organise, protest, and hold those in power accountable. There is no democracy without privacy!
- Protecting privacy is a key way to fight back against harmful and invasive data practices of Big Tech (and other) companies. Privacy puts power and agency back in the hands of individuals and communities.
CONTEXT – A QUICK PRIMER ON THE LAW
- The Privacy Act is a federal law that currently applies to federal government agencies and private companies with an annual turnover of over $3 million.
- It contains 13 Australian Privacy Principles (APPs) which govern how entities can handle personal information. They are the cornerstone of Australia’s privacy protection framework.
- The federal privacy regulator is the Office of the Australian Information Commissioner (OAIC). Their job is to enforce the Privacy Act, which includes conducting investigations, handling complaints, and advising organisations on how to comply with the Act.
- The Privacy Act was originally drafted in 1988. Aside from a few small changes here and there, it hasn’t been meaningfully revisited since then, despite ongoing calls from experts. Technology and data practices have come a long way since 1988, and the Act is no longer fit for purpose. A review of the Privacy Act was started by the Coalition government in 2020, and the current Attorney General, Mark Dreyfus, has publicly committed to strengthening the law, but has been light on details so far.
KEY AREAS FOR PRIVACY REFORM
- Focus on data minimisation. The Optus data breach highlighted the danger of collecting and storing too much personal information. We know that perfect data security doesn’t exist, so the best way to keep personal information safe is not to have it. There is a culture of data-hoarding where companies collect too much information “just in case” it may be useful in the future. We need the Privacy Act to place stricter limits on collection, use and disclosure of personal information, as well as stronger requirements to ensure it is not retained any longer than necessary.
- Create a direct right of action and a statutory tort for serious invasion of privacy. Currently, if an organisation invades your privacy or breaches the APPs, individuals must go through the OAIC if they want to take action or pursue redress (such as compensation). Regulators can’t deal with this problem alone. A direct right of action and statutory tort would give people pathways for redress, including the right to lodge a case, without needing to go through the OAIC. This is an important way to empower people to take their right to privacy into their own hands.
- Update the definition of ‘personal information’ to include all information that distinguishes individuals from a group. The definition of personal information acts as a gatekeeper for any protections offered by the Privacy Act. By expanding the definition we can expand the protections offered to everyday people. ‘Personal information’ should include technical data (like metadata), inferred or generated data (like when Facebook or TikTok can predict your political beliefs or sexuality from your likes), and other techniques that can distinguish individuals from a group.
- Remove the small business and political party exemptions. At the moment, registered political parties and small businesses are not covered by the Privacy Act. It is more possible than ever for small businesses or groups to collect, analyse, store, and share personal information—especially by using off-the-shelf data collection and analytics software. These exemptions create a dangerous gap in the protections offered by the Act. (Note: the Privacy Act is designed to be flexible, so this means that it can be tailored to make sure it doesn’t create an unreasonable compliance burden on small businesses or organisations.)
- Build an overarching ‘fair and reasonable’ requirement for all forms of collection, use and disclosure of personal information. Consent doesn’t override your right to privacy. Companies should not be able to force, trick or manipulate people into giving consent for unethical, invasive or harmful data practices. We need to require entities to make sure they handle personal information in a fair and reasonable way, regardless if people consent or not. We wouldn’t be expected to consent to walk into a dangerous building, we would expect there to be rules and standards in place to ensure the building is safe for us to enter. The same should apply to privacy protections.
- Increase penalties for entities that breach the Privacy Act. Larger fines for organisations that breach the Privacy Act is a strong incentive for them to take our privacy and security seriously. The OAIC should also be enabled to levy fines without needing to go through the Federal Court, and individuals should be able to seek compensation when they have had their privacy breached, in line with other places around the world.
In addition to reforming the Privacy Act, we also need:
- To fund the OAIC properly. An under-resourced regulator is a weak regulator. The privacy regulator has been woefully underfunded for decades, which prevents them from being able to do their job. Even if we update the Privacy Act to make it stronger, it will be pointless if a regulator has limited ability to enforce it.
- A critical review into the anti-terror laws and metadata retention scheme. These laws force companies to retain vast amounts of information for long periods of time, which creates cyber security risk, and ultimately, could undermine our national cyber security.