The review of the Privacy Act 1988 could bring us closer to a solution to Australia’s byzantine privacy regulations
The Review of the Privacy Act 1988 is the Australian Government’s response to the recommendations made following the ACCC’s Digital Platforms Inquiry. The Inquiry’s final report was published in July 2019 and told us what we, by and large, already suspected: that individuals do not have adequate information about, or control over, their personal information—including where it goes or what it’s used for—and that the digital economy is a confusing and frequently opaque landscape upon which to apply privacy regulations in their current form.
In light of this, the ACCC made its recommendations, including (but not limited to) those for the strengthening and broadening of Australia’s privacy laws. These recommendations now form much of the matter under review.
Additionally, the Review of the Privacy Act 1988 creates an exciting opportunity to update, streamline and, importantly, clarify our existing regulations.
Australia’s privacy regulations in their current form represent a hefty encumbrance to organisations operating within their scope. Difficulties arise for organisations when they find that they are either subject to a multiplicity of (occasionally conflicting) regulations, or else that their status with regard to the law is not clear.
For example:
- The definition of ‘personal information’ differs slightly from one state or territory to the next, as does the status of publicly published business information. Many businesses now operate over the internet (an area that grew particularly fast under the past year’s COVID-19 lockdowns), so their services are decoupled from the physical location of their consumers across the country, leaving them potentially subject to different, overlapping regulations in different states and territories.
- Personal information handling is also regulated under state and territory laws that are not privacy laws at all, such as freedom of information regulations or telecommunications legislation.
- In some specific arenas such as health and human services, current regulations are overlapping and labyrinthine. The Privacy Act 1988 currently applies to private sector health services, but not to state and territory public sector ones, resulting in:
- a) some states and territories with no specific privacy legislation to cover health services;
- b) some in which legislation applies across the state to all health services, resulting in a multiplicity of obligations for private sector entities who must take care to adhere to two sets of overlapping regulations; and
- c) some in which there exists privacy legislation created only to apply to those public sector entities.
- The Privacy Act 1988 contains exemptions intended to relieve small businesses that may be unable to bear the burden of compliance, but in practice these exemptions are no longer necessarily fit for purpose: many small businesses now hold stores of data from online interactions that they would not have had access to in years past, or operate under contract with larger businesses that fall outside the exemption anyway.
This is a short and non-exhaustive list of examples, but it serves to illustrate some of the ways in which understanding privacy in Australia can be fraught, both for individuals trying to understand their own rights—thoroughly dependent on where they are and with whom they interact—and for organisations trying to meet their obligations.
We know that the burden of privacy compliance is a necessary one. In a landscape where 94% of Australians are uncomfortable with how their personal information is collected and shared online, and 81% say that the potential risks they face because of data collection by companies outweigh the benefits, best-practice stewardship of customers’ information is key to their continued trust in an organisation. Consumers are aware both of the value of their data and of the danger to it when they share it, and safekeeping their personal information is an obligation that must be adequately discharged for reasons both moral and pragmatic.
However, the more multifaceted, layered and complex compliance obligations become, the heavier the burden and the greater the likelihood that organisations will fail to meet them. Strengthening and broadening privacy legislation is necessary, but it cannot be truly effective unless greater clarity comes first, including clarity about how Commonwealth privacy legislation relates to other regulatory schemes.
It is every organisation’s responsibility to ensure that it is acting in accordance with privacy regulations, and it is the responsibility of regulators to prevent that obligation from becoming an unduly onerous one.
About the Author
Martin Soley is Group General Manager Data Services and has over a decade’s experience across data quality, analytics and related technology in ANZ and abroad. Martin’s strategic insight and expertise drive commercial outcomes for DCA’s varied clients.