Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework

Online Privacy Bill

The Online Privacy Bill is intended to give effect to the Federal Government's commitment to strengthen the Privacy Act by increasing penalties and associated enforcement provisions, as well as enabling the introduction of a binding online privacy code for social media and certain other online platforms.

Substantial increases in penalties

The Online Privacy Bill proposes significantly increased penalties for serious or repeated interferences with privacy under the Privacy Act. For body corporates, the maximum penalty will increase to an amount not exceeding the greater of:

• $10 million;
• three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or
• 10% of domestic annual turnover.

This amounts to an almost five-fold increase from the current maximum penalty of A$2.22 million with regard to the dollar cap and potentially significantly more under the second and third limbs. The proposed penalties are similar to the maximum penalties under the Australian Consumer Law. In comparison, the monetary cap is still much less than the cap under the EU General Data Protection Regulation (GDPR), including the UK version post-Brexit, where the maximum penalty for serious infringements is the greater of €20 million (about A$31 million) or 4% of annual global turnover. However, for businesses with an annual turnover in excess of A$100 million, the 10% turnover cap should not be dismissed lightly.

The increase in the maximum penalty is intended to send a clear message to Australian and foreign entities subject to the Privacy Act that breaches will be treated seriously and are intended to reinforce need for compliance. This risk is further increased by separate proposals to introduce new compliance obligations under the Act and to expand the scope of foreign entities which will be subject to the Act. In order to manage the risks, privacy governance and compliance programs will need to be reviewed, or implemented where they are not already in place.

New online privacy code and framework

The Online Privacy Bill also proposes the introduction of a new online privacy code (the OP code) to regulate various categories of organisations which collect and commercialise personal information in course of providing electronic services. Collectively, the organisations will be called OP organisations and they will be required to comply with the OP code.

The OP code is yet to be developed and the government proposes that the OP code be developed by industry within a few months of the Bill becoming law. If industry groups are not able to develop the OP code, the Privacy Commissioner will be empowered to develop the OP code herself. An ambitious timetable has been proposed. The OP code is expected to be commissioned, developed, registered and implemented within 12 months of the Bill becoming law.

The OP code is intended to set out detailed obligations about how OP organisations must comply with the Australian Privacy Principles and how they must also comply with certain additional obligations. By using the OP code as a method of targeted law reform, OP organisations are likely to become subject to detailed and potentially far-reaching obligations. The draft Bill suggests that the OP code must address matters such as:

• Privacy Policies: how to set out and bring to individuals’ attention;
• Consent: how to ensure consent is informed, voluntary and specific, as well as a proposal to require refreshing of consent for sensitive information;
• Privacy Statements: how to give privacy statements at the time that personal information is collected;
• Children: specific detail as to how the OP code will apply to children and other vulnerable individuals, as well as a specific requirement for social media services to verify an individual’s age and obtain (and verify) parental consent for children under 16 years; and
• Right to be Forgotten? The OP code may include a requirement for OP organisations to take reasonable steps to cease using or disclosing the personal information of an individual if so requested by the individual. If implemented, this would amount to an entirely new privacy right for individuals and could be similar in scope to the “right to be forgotten” under the GDPR.

Some of these requirements are likely to require OP organisations to make substantial investments in new technology, processes and procedures. In particular, OP organisations are likely to need to substantially revise their privacy notices, customer on-boarding processes, and introduce an age verification process and consent management system.

What kinds of organisations must comply with the OP code?

It will therefore be critical for organisations to determine whether the draft Bill, if passed, would apply to them. The government has released an explanatory memorandum with the draft Bill that gives the following examples in respect of each category of OP organisation:

• Social media organisations: Organisations that provide social media services through an electronic service that has the sole or primary purpose of enabling online social interaction between two or more end-users, and allows interactions between end-users, and allows end-users to post material on the service. The examples given are social networking platforms (e.g. Facebook), dating applications (e.g. Bumble), online content services (e.g. Only Fans), online blogging or forum sites (e.g. Reddit), gaming platforms that enable end-users to interact with other end-users; and online messaging and videoconferencing platforms (e.g. WhatsApp and Zoom);
• Data brokerage organisations: Organisations that collect personal information for the sole or primary purpose of disclosing personal information, or information derived from personal information, in the course of providing a service. The examples given are Quantium, Acxiom, Experian and Nielsen Corporation; and
• Large online platforms: Organisations that collect personal information about individuals in the course of providing access to information, goods or services (other than a data brokerage service) by use of an electronic service (other than a social media service) and have over 2,500,000 end-users in Australia. The explanatory paper notes that an end-user would include individuals who use a search engine. The examples given are major global technology companies (e.g. Apple, Google and Amazon) and media sharing platforms (e.g. Spotify).

There are some important exemptions:

• Government agencies are not included as OP organisations;
• The mere operation of a customer loyalty scheme is not intended to cause an organisation to be considered to be an OP organisation;
• Online customer communications and feedback facilities which are merely incidental to a business will generally not be considered to be social media; and
• Broadcasting services and payment processing services are not intended to be covered.

Where to next?

Public consultation for the exposure draft of the Online Privacy Bill is open until 6 December 2021. The Government will then consider stakeholder feedback and develop a further draft of the Online Privacy Bill to introduce to Parliament.

The proposals under the draft Bill in respect of social media organisations, data brokerage organisations and large online platforms have the potential to create substantial compliance burdens. Combined with the proposed increased penalties, the compliance risks for OP organisations will be higher. We recommend that OP organisations engage with the consultation process and, if the Bill is passed, also participate in the development of the OP code where practicable.

If you would like any assistance with preparing a submission in response to the exposure draft, or otherwise managing your company’s compliance with the Privacy Act, please get in touch with a member of our team.