Australia’s privacy laws look set for a significant shakeup following the ACCC’s inquiry into digital platforms.
As part of the government’s response to the Digital Platforms Inquiry, it recommended a review of the Privacy Act, with promises to strengthen consumer protections.
Australia’s Privacy Act has been amended almost 90 times since it was introduced in 1989. However, the upcoming review will likely see the most significant changes yet.
Many argue that current laws are outdated and do not carry tough enough penalties for businesses that have failed to protect customers’ privacy.
The Office of the Australian Information Commissioner (OAIC) recently found that privacy is a major concern for 70 per cent of Australians, while 90 per cent revealed they want more control over their personal information.
The report also highlighted the public’s lack of understanding of the existing laws. 34 per cent of Australians revealed they had never heard of the Privacy Act, while 58 per cent had heard of it but could not name it.
As it stands today, the Privacy Act regulates how Australian Government agencies and organisations with an annual turnover of more than $3 million (with some exceptions) handle personal data.
The Privacy Act has 13 Australian Privacy Principles (APPs), which deal with how personal information is processed, standards of collection, disclosure, quality and security of personal information.
As of 2018, the Office of the Australian Information Commissioner now requires individuals to be notified if they are affected by a data breach under the Notifiable Data Breaches scheme.
Many have tipped the government to come up with ‘GDPR-like’ regulation, following the review of the Privacy Act, which will promote principles such as data minimisation, transparency and security.
While GDPR was a leader in terms of its timing, this does not necessarily mean it has led the way in terms of effectiveness.
Early data shows that while the regulation is strict on paper, in practice, it has (so far) lacked teeth. Of the $US63 million in fines handed out under the GDPR as of June 2020, $US57 million was issued to Google. This is despite the fact there have been 89,000 data breaches recorded.
In some ways, Australia is in the privileged position of being a couple of years behind Europe in terms of data regulation. This means we are able to build upon these global frameworks when creating new legislation.
Speaking recently, NSW minister for customer service Victor Dominello suggested Australia ‘cherry-pick’ from the best parts of these global laws.
“My view is we reform to our own standards here. Based on our own temperature. So we pick the best out of the GDPR, but we craft it to [Australia]. Because they’re [the EU] obviously leading. But we craft it to Australian conditions,” he told a conference.
The Attorney-General’s Department has released an issues paper on the review, which raises topics such as redefining “personal information” to include technical data such as location and a “right to erasure” – similar to GDPR’s ‘right to be forgotten’.
It also asks whether these potential changes “strike the right balance” between privacy rights and the ability of businesses to conduct direct marketing, as well as avoiding unnecessary compliance costs.
While it does make business sense to have rigorous data protection policies, there is the risk of over-regulation stifling business.
For example, a 2019 study in Germany found that GDPR had negative impacts on startup innovation in Europe, including innovation-constraining effects, entrepreneurial encouragement and data minimisation. This was partially offset by positive impacts such as compliance innovation and regulation-exploiting innovation.
There is also the significant financial cost of implementing these sweeping changes.
The Australian government should consider these potential consequences as part of its review into the Privacy Act.
Whether it be through our data audit service or working with clients to create a more streamlined and compliant data strategy, at smrtr, we are prepared for any new data privacy laws that may emerge in the coming months.
If you’d like to learn more, please contact us and we’ll be in touch within the next business day.
By Boris Guennewig, Co-Founder and CTO at smrtr