Submission: Privacy Act review

Update: The Privacy Act Review Report was released on 16 February 2023. NSWCCL was pleased to see that many of the recommendations the Council made in our submission were supported in the review.

A key recommendation in the review is ensuring that the collection, use and disclosure of personal information is fair and reasonable, including whether the “impact on privacy is proportionate to the benefit”. The Council supports the inclusion of non-exhaustive legislated factors that are relevant to determining whether the collection, use, or disclosure of personal information is fair and reasonable in the circumstances. However, it considers that clear guidance and examples of how these factors may apply in practice must be provided.

The standard of ‘fair and reasonable’ must be assessed by reference to the perspective of the individual, rather than being assessed from an APP entity’s perspective. We consider that having clear guidance from the outset, rather than waiting to see how the courts interpret such new provisions, will empower APP entities to appropriately assess whether any proposed data collection, use or disclosure would be unfairly prejudicial to, or unreasonable having consideration to the expectations of, the individual. In particular, to the extent that these factors do require consideration of what is ‘fair and reasonable’ from the perspective of the individual, the APP entity should be required to consider and satisfy each factor. This is because the protection of personal information and right to privacy should be fundamental to the Act, and should not be readily outweighed by business considerations.

The review has also proposed a “direct right of action” that allows individuals to seek compensation in the Federal Court for a breach of privacy, which privacy advocates have long called for. To access the action, a claimant would first need to make a complaint to the Office of the Australian Information Commissioner (OAIC).

The Council supports the creation of a direct right of action. The NSWCCL considers it important that individuals can personally litigate a claim for breach of their privacy under the Privacy Act. However, the ability of individuals to do so is currently limited. The creation of a direct right of action would therefore give individuals greater control over their personal information by providing an additional avenue of redress under the Privacy Act. This, in turn, would encourage better compliance by APP entities with their privacy obligations under the Act.

However, the expansion of the OAIC’s funding is critical given that several proposals contained within the Discussion Paper involve the broadening of the OAIC’s current remit. Chronic underfunding will erode the effectiveness of any privacy protections the OAIC seeks to implement and support. To properly conduct both its existing and proposed activities, the OAIC must be adequately funded and consulted in respect of the resources it requires. The OAIC received limited funding to support its privacy initiatives in the 2021-2022 Federal Budget, despite a significant expansion in its activities with the onset of its Digital Economy Strategy.

NSWCCL made a submission to the Review of the Privacy Act 1988 advocating for urgent reform to modernise the Act and ensure it is fit for purpose in the digital economy. Privacy is a fundamental human right that is central to the maintenance of democratic societies and achieving respect for human dignity. In this regard, the NSWCCL submits that the right to privacy should be the paramount object of the Act and considers the two primary areas of concern in debates relating to privacy are:

  • (a) the intrusive observation of one’s actions (whether by surveillance, listening, data analysis or other mode); and
  • (b) the discussion and the misuse of personal information.

NSWCCL supports in principle many of the proposals outlined in the Discussion Paper and commends the Attorney-General’s Department for reflecting the legitimate privacy concerns of a broad spectrum of society. Many Australians are concerned about gaps and ambiguities in the existing privacy regime that undermine the right to privacy. This is especially important in the context of unprecedented integration of digital technology in our everyday lives.

The NSWCCL provided this submission with a view to further refining many of the proposals outlined in the Discussion Paper to ensure that reforms to Australia’s privacy framework are sufficiently protective of privacy and reflect the needs of individuals rather than the interests of business. Before delving into our specific feedback regarding the various proposals to modernise the Act, the NSWCCL would like to make the following overarching submission to be considered as this Privacy Act Review moves forward:

  • Failure to properly protect privacy results in a reduction in human autonomy and freedom, which can harm democratic processes. Enshrining the protection of an individual’s right to privacy as the paramount object of the Act is an important initial step, but the NSWCCL considers that the introduction of a carefully considered definition of ‘privacy’ is of equal importance.

  • The NSWCCL strongly agrees with the introduction of further organisational accountability requirements into the Act. In light of information and power asymmetries in the processing of personal information, individuals should not be expected to bear the burden of managing privacy risks themselves. Placing the burden of privacy protection onto the individual is unfair and impractical. It is the organisations that hold personal information (governments and businesses) that must bear responsibility for respecting the right to privacy.

  • The expansion of the OAIC’s funding is critical given that several proposals contained within the Discussion Paper involve the broadening of the OAIC’s current remit. Chronic underfunding will erode the effectiveness of any privacy protections the OAIC seeks to implement and support. To properly conduct both its existing and proposed activities, the OAIC must be adequately funded and consulted in respect of the resources it requires. The OAIC received limited funding to support its privacy initiatives in the 2021-2022 Federal Budget, despite a significant expansion in its activities with the onset of its Digital Economy Strategy.

  • There are some practices so privacy invasive or socially damaging that even putative ‘consent’ should not be allowed to authorise them. The OAIC has proposed introducing a “general fairness requirement for the use and disclosure of personal information” as a way of addressing “the overarching issue of power imbalances between entities and consumers” and “protecting the privacy of vulnerable Australians including children”.

More information: Read our full submission