Mumbrella: The winners and losers of Australia’s new privacy laws

This article first appeared in Mumbrella.

By Rebecca White, Queensland Agency Director, Revium

Australia’s years as the “wild, wild west” of data protection are officially over as of Thursday, with the Australian Government announcing the most significant overhaul to our privacy laws since the 1980s. Of course, there are those who benefit from the new changes, but there are also those who will lose out, and lose out hard.  

Last week, the Federal Government released their response to the Privacy Act Review, agreeing to legislate 38 of its 116 recommendations as they have been proposed, including the right for Australians to sue for “serious” breaches. The report details in principle agreement to legislate 68 more recommendations after some additional refinement and consultation. In other words there are only 10 out of the 116 recommendations that the government has not confirmed they will adopt.

The biggest news however is the timeline – with a commitment that the legislation will be introduced next year, much earlier than some pundits had thought.

This makes it a more urgent priority for executives to start to grapple with the challenges these changes will present. They will need to work to understand where their organisation currently stands, how it is going to be affected, and ultimately how they can best prepare for the changes to come.

The government has said they will adopt in some form 106 of the 116 recommendations and they want to have legislation passed by next year.

Privacy Law Winners

1.       Customers:
Customers receive greater control over their privacy by requiring organisations to seek informed consent about the handling of personal information, which allows Australians to sue for “serious” breaches and enforcing the right to have their data be erased.

2.       Children:
Universally accepted as an important inclusion in changes to Privacy Laws, organisations will be prohibited from targeting and directly marketing to children, and trading in their personal information. The introduction of a Children’s Online Privacy Code will ensure their best interests are considered when their personal information is handled.

3.       Organisations that “trade” personal information:
Meta can breathe a sigh of relief here. Details are nuanced and subject to final legislation but, at first glance, it appears the Government has not agreed to adopt the report’s proposal to give customers the right to opt-out of targeted online advertising. It has announced in-principal agreement that individuals should have a right to opt-out of their personal information being used or disclosed for direct marketing purposes, subject to refining the definition of direct marketing.

4.       Political Parties:
The Labor Party has also opted to ignore recommendations from Attorney General Mark Dreyfus and will make Political Parties exempt from changes to Privacy Laws. This decision will likely leave consumers exposed to “misleading” tactics from political parties – so we won’t see an end to political party tricks like those seen in the lead up to Voice Referendum offering to facilitate postal votes as a ruse to acquire voter information.

Privacy Law Losers

1.       Small Business:
Small businesses with an annual turnover of up to $3 million will, for the first time in Australian history, be required to comply with the Privacy Act. This represents approximately 2.3 million small businesses that are often referred to as the engine room of the Australian economy. The concern here is that imposing more complexity and costs at a time when small businesses are already struggling will have serious detrimental impact to not only the businesses themselves but also the Australian economy. The good news here is that the Government has said that it will work with small businesses to gauge impacts and give them time and support to adjust; however. we don’t know what the specifics of this are yet.

2.       Organisations who break the law:
After almost a decade of inaction, the Australian Government is getting serious. The response indicates that the new Privacy Laws will increase penalties for repeated or serious privacy breaches, and provides the Australian Information Commissioner with greater powers to address privacy breaches. The current penalty for serious breaches of privacy is $50 million or 30% of an organisation’s domestic turnover (whichever is greater).

On the flip side to all this, millions of Australians previously impacted by data breaches compromising their personal health information, passport details and drivers’ licences should celebrate the proposed changes to our outdated privacy laws.

The changes will no doubt drive a lot of anxiety in board rooms across Australia and it will be the businesses who roll up their sleeves early to ensure they get ahead of the changes who will have the best chance to come out ahead when the new legislation comes into effect in 2024.