High-water mark: will an amended Privacy Act meet the bar set by the EU GDPR? Part one - Data Protection

The General Data Protection Regulation (GDPR) of the European Union (EU) has often been described as the 'gold standard' of data protection and privacy laws. Australia's Privacy Act 1988 (Cth) (Privacy Act) sets out a more extensive privacy regime than that which exists in many jurisdictions, however the level of protection it grants to personal information has, to date, not matched that given by the GDPR.

As we have previously discussed, the Attorney-General has proposed extensive reforms to the Privacy Act in its Privacy Act Review Report (Report) intended to strengthen Australia's privacy regime. In September 2023, the Federal Government issued its response to the 116 proposals set out in Report (Response), agreeing to 38 proposals (although targeted consultations will still be held on draft legislation), agreeing in-principle to a further 68 proposals (subject to further engagement with regulated entities and comprehensive impact analysis) and noting the remaining 10 proposals.

While this indicates that the Government has reserved judgement on the majority of the Report's proposals, the Response does signify that major reforms will be forthcoming and the Government has committed to introducing legislation in 2024. It is not yet clear the precise extent to which the reforms will bring the Privacy Act in line with the high-water mark set by the GDPR, however, in this two-part series, we will consider how the proposed reforms may compare.

This first instalment in our two-part series examines the proposals for introducing the concepts of 'controllers' and 'processors' into the Privacy Act, limiting exemptions to the Privacy Act and updating the Notifiable Data Breaches Scheme. In part two, we will take a look at proposals addressing overseas data flows, automated decision-making, rights of individuals and penalties. We will also look ahead at what it may mean for Australia if the reformed Privacy Act is, or is not, considered to be 'essentially equivalent' to the GDPR.

Controllers and processors

A noticeable difference between the Privacy Act and the GDPR is how each piece of legislation applies to the entities it regulates.

The GDPR distinguishes between 'controllers' and 'processors'. A controller is a party which ultimately decides how and why personal data is processed. They may do so independently or jointly with other controllers. A processor, on the other hand, is a party which processes personal data on behalf of a controller.

The GDPR places more rigorous obligations on controllers than processors. It also addresses the relationship between controllers and processors and prescribes that the parties must enter into a contract that contains a number of provisions described in Article 28 of the GDPR, such as a requirement that the processor will only process personal data on documented instructions from the controller.

The Privacy Act applies to 'APP entities', meaning agencies (such as Federal Government departments) and organisations (such as sole traders and companies), that 'hold' personal information (i.e. that have possession or control of personal information). Some obligations apply to both types of entity and others apply specifically to organisations or agencies only. State and Territory public agencies are governed separately by State and Territory-level legislation.

The Privacy Act does not currently differentiate between those that ultimately control personal information and those that handle it on their behalf. However, the Report proposes introducing the concepts of controllers and processors into the Privacy Act (Proposal 22.1). The Government has agreed in-principle to this proposal in the Response, acknowledging that the 'complexity and regulatory burden' for processor entities would likely increase once the proposed reforms have been implemented.

Exemptions

Small business exemption

Under the current law, small businesses with less than A$3 million in annual turnover are generally exempt from the Privacy Act. The exemption does not extend to certain types of small businesses, including health service providers and businesses that trade in personal information or provide services under a Commonwealth contract.

The Report recommends removing this exemption, as a result of the increasing privacy risks posed by small businesses, but only after conducting an impact analysis and consultation with the small business community to understand the impact of removing the exemption and develop appropriate guidance and support (Proposal 6.1).

Small businesses are not generally exempt from the GDPR, although the GDPR provides a limited exemption for organisations with less than 250 employees from maintaining records of processing activities as required by Article 30.

The removal of this exemption under the Privacy Act would bring the legislation in line with the GDPR in its general treatment of small businesses, however, the Response only agrees in-principle with this proposal. It therefore remains to be seen whether the Government will remove the exemption and require small businesses to comply with the Privacy Act in full or take an approach similar to Article 30 of the GDPR and modify certain obligations to reduce the burden on small businesses.

Employee records exemption

Private sector employers also benefit from an exemption from the Privacy Act, in relation to records held about their current and former employees. The Report does not recommend removing this exemption altogether but instead recommends consulting with employer and employee representatives and providing enhanced protections for private sector employees, while highlighting that these considerations should be balanced against the need for employers to collect employee information for business purposes (Proposal 7.1). This means that employees may receive more privacy protections under the reforms, however, they will not benefit from the full extent of protections generally available under the Privacy Act.

The GDPR does not exempt employers from privacy obligations. Article 88 does give EU Member States the power to impose their own measures in relation to the processing of employment-related personal data, however, such measures must consist of 'more specific rules to ensure the protection of the rights and freedoms' of employees and 'include suitable and specific measures to safeguard' their interests.

The Response agrees in-principle with Proposal 7.1, however, this is not on the basis that it considers the proposal does not go far enough. It instead takes a more reserved tone and flags that consideration should be given to the interaction between privacy and workplace relations laws and the effect of reforming the employee records exemption on small businesses.

Journalism exemption

Acts of media organisations in the course of journalism are exempt from the Privacy Act, provided that the organisation has publicly committed to observing published privacy standards. The Report does not propose any changes to the entities and actions covered by the journalism exemption but recommends that media organisations be required to keep personal information secure, destroy it when it is no longer needed and report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) (Proposals 9.4 – 9.5).

It also recommends that media organisations be subject to privacy standards developed and overseen by the Australian Communications and Media Authority (ACMA), the Australian Press Council (APC) or the Independent Media Council (IMC) or other standards that adequately deal with privacy (Proposal 9.1) and that, in consultation with industry and the ACMA, the OAIC should develop and publish criteria for adequate media privacy standards (Proposal 9.2). The Response agrees with Proposal 9.1, however, it has only agreed in-principle with Proposals 9.2 – 9.5.

The GDPR does not set out specific exceptions for journalistic activities but instead provides a general power for EU Member States to implement their own exemptions from a range of GDPR provisions in order to balance the protection of personal data with data processing carried out for the purposes of journalism or academic, artistic or literary expression (Article 85). While this appears broad, it is up to individual states to determine the extent of the exemption implemented under this power.

Notification of data breaches

Given the number of high-profile data breaches that have hit the news in Australia in recent years, it is no surprise that tightening the Notifiable Data Breaches (NDB) scheme has formed part of the agenda of the Report.

As it currently stands, under the Privacy Act, if an entity is aware of reasonable grounds to suspect it may have suffered an eligible data breach (i.e. a data breach resulting in a likelihood of serious harm to any of the impacted individuals) it must take reasonable steps to assess whether there are reasonable grounds for it to believe that such a breach has occurred within a maximum of 30 days. If this threshold is met, the entity must notify both the OAIC (in its capacity as regulator) and impacted individuals as soon as practicable.

This contrasts with the approach under the GDPR, which sets a different threshold for notification to a regulator versus impacted individuals. A controller is required to notify the relevant regulator of a data breach in all cases, unless the breach is 'unlikely to result in a risk' to an individual (Article 33). The threshold for notification to an individual is higher and only applies when the breach is 'likely to result in a high risk' to an individual (Article 34). If these thresholds are met, then the controller must notify 'without undue delay' and, where feasible in respect of the notification to regulators, no later than 72 hours after becoming aware of the breach.

While the Report does not propose a lower threshold for notification to the OAIC, it does propose a more prescriptive timeframe for notification of data breaches where an entity becomes aware that there are reasonable grounds to believe that it has suffered an eligible data breach. That timeframe reflects the 72-hour period set by the GDPR (Proposal 28.2). This proposal was agreed in-principle in the Response, with the Government stating that it will further explore appropriate timeframes for notifying the OAIC with stakeholders and alignment with other relevant reporting frameworks.

However, while the Report does discuss the 30-day assessment period, it does not specifically suggest any updates to this provision in the Privacy Act. Therefore, even if the Government implements a 72-hour notification period as described, if the assessment period remains in place, entities subject to the Privacy Act may still find a more lenient timeframe for them to notify the OAIC than under the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.