OAIC wants stronger accountability measures in upcoming revised Privacy Act

The Office of Australian Information Commissioner (OAIC) has called for more data accountability measures across the board in light of the Attorney-General’s Department (AGD) seeking consultation for its review of the Privacy Act.

The AGD began its review into the country’s Privacy Act at the end of 2020 as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, which found the laws needed to be updated to adequately protect consumers and their data.

Among those measures [PDF] recommended by the OAIC is a central obligation to collect, use, and disclose personal information fairly and reasonably for entities under the scope of Australia’s Privacy Principles (APP). The OAIC envisions this would entail providing consumers with the right to erasure, meaningful consent through requiring them to be properly and clearly be informed about how their personal information will be handled, and the right to notification when their personal information is collected.

Information Commissioner Angelene Falk said the introduction of such accountability measures would raise the standard of data handling to help prevent harms and remove the privacy burden from consumers.

“Establishing a positive duty on organisations to handle personal information fairly and reasonably will require them to take a proactive approach to meeting their obligations, as they are best equipped to consider the impacts of the complex information handling flows and practices of their business,” she said.

The OAIC has also recommended for APP entities to be prohibited from taking steps to re-identify information that they collected in an anonymised state unless it is for research involving cryptology, information security, and data analysis.

In terms of when entities should notify consumers when their personal information is collected, the OAIC recommends that this should occur when there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, or when information is re-identified.

The commissioner also wants to see banning of practices such as profiling, online personalisation, and behavioural advertising using children’s personal information, inappropriate surveillance or monitoring of an individual through audio or video functionality of the individual’s mobile phone or other personal devices, commercial use of automated biometric identification systems, and personal information scraping from online platforms.

When it comes to enforcing these measures, the OAIC has said it would like its regulatory powers to be expanded through the creation of more types of civil penalties. The agency explained that an expanded range of penalties would mean that there is more likely to be a suitable penalty for an infringement, regardless of the extent of its severity.

“We have recommended changes to the Privacy Act enforcement framework to give the OAIC a greater range of effective tools to uphold the law and respond to emerging threats in a proportionate and pragmatic way,” Commissioner Falk said.

“This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings.

In recommending additional civil penalties, it also wants to overhaul how the OAIC attains orders for civil penalties when it comes to cases of serious or repeated interference with privacy by an entity. According to the OAIC, the current Privacy Act imposes unnecessary thresholds that the OAIC must demonstrate before orders for civil penalties can be made by the courts.

It has also recommended that the Federal Court be given the express power to make any orders it sees fit when it comes to Privacy Act contraventions.

“Allowing the Court to make the same orders as the Commissioner under section 52 [of the Privacy Act] will promote clarity and certainty for APP entities and allow the Commissioner to pursue, and the Federal Court to order, tailored remedies that are more appropriate for a particular matter,” the OAIC said.

The AGD’s consultation is occurring alongside its other consultation on the exposure draft of the Online Privacy Bill. The Online Privacy Bill is looking to introduce a binding online privacy code for social media and certain other online platforms as well as stronger penalties and enforcement measures.

Cracking down on tech has been big on the federal government’s agenda as late, with the Prime Minister three months ago saying social media platforms are a “coward’s palace” and that they would be viewed as publishers if they are unwilling to identify users that post foul and offensive content.

The interim report comes off the heels of Australia announcing various initiatives in recent months to address issues residing in social media platforms and cyber. In December alone, Australia announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, and proposed anti-trolling laws. 

RELATED COVERAGE

• Google claims no instances of foreign interference campaigns targeting Australia
• ASPI suggests government work with platforms to fight disinformation for hire
• Social media platforms being regulated as telcos under discussion in Australia
• Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms
• Social media platforms need complaints schemes to avoid defamation under Aussie anti-troll Bill
• Australia to establish youth advisory council for countering online child exploitation