Australians could soon get a raft of new data privacy protections, including the right to sue for serious privacy breaches and the compliance of small businesses with existing laws.
Greater protections for children are also on the cards, but there are notable absences in changes to political party exemptions and consumer protections from targeted advertising.
The changes are set to come in next year now that the government has given its official response to a landmark review of the Privacy Act. The review, which was begun last year, made 116 recommended changes to the 1988 Act in an effort to bring it up to speed. They are the most sweeping reforms to individual privacy in over two decades.
“Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data, they rightly expect it will be protected,” Attorney-General Mark Dreyfus wrote in press materials.
“The Government’s response to the review agrees, or agrees in principle, with the majority of the review’s proposals.”
Specifically, the government has agreed to 38 of the 116 recommendations and agreed in principle to another 68. The changes agreed to will include restrictions on the collection of the personal information of children, the establishment of a children’s online privacy code, and restrictions on targeting people based on characteristics like race or sexuality.
In addition, individuals may also get the right to sue for serious breaches of privacy. This would include things like being filmed in a place where you’d expect the right to privacy.
Overall, the government has said its privacy strategy aims to bring the Privacy Act into the digital age, increase protections, make privacy laws clearer, give people more control over their personal information, and increase powers of enforcement.
Politicians Still Exempt From Privacy Act
However, not all of the recommendations have been agreed to. Ten recommendations were merely ‘noted’ in the response, and these are the ones that apply to political exemption from existing privacy laws.
Currently, political parties, small businesses with $3 million in annual turnover or less, and media companies do not have to comply with Privacy Act regulations. They are not required to keep personal information secure or tell people if they suffer a data breach.
For years, experts have called on successive governments to shut this loophole for political organisations, saying that they not only pose a threat to privacy but “to core democratic values.” Digital Rights Watch Australia has also previously warned that political parties holding unsecured electoral data is an accident waiting to happen.
It’s these laws that allow political parties to harvest your online data and target you with messaging. Owing to the fact they are also exempt from spam laws, they can pretty much say what they like. Clive Palmer texting “hundreds of thousands” of people before the 2020 Queensland election is one example of the kind of behaviour protected by these carve-outs.
A survey by the Office of the Australian Information Commissioner (OAIC) last month indicated that most Australians don’t really understand the current privacy laws but do want carve-outs for politicians removed. The survey was referenced in the government response, but it didn’t address this point.
The government have said that they will remove those exemptions for small businesses but not for media organisations or political parties. The government considered the impact on journalism to be too great to force compliance. However, journalists will now need to keep information secure, destroy it when it’s no longer needed, and report data breaches to the government.
In explaining why politicians are granted exemption from the rules, the Attorney-General said that doing so would “encourage freedom of political communication and enhance the operation of electoral and political processes in Australia.”
Related: ChatGPT Can Now See, Hear, and Speak