Digital rights groups have broadly embraced reforms to Commonwealth privacy laws put forward after a two-year review but say the proposals could still be “watered down“ by lobbyists in another round of consultations.
The review, released on Thursday, makes 116 recommendations to improve privacy protections, including through a “right to erasure” that goes further than the European Union’s General Data Protection Regulation.
Digital Rights Watch said the recommendations were a “welcome step towards reclaiming our right to privacy”, but stressed that they were still only proposals, many of which have been 10 years in the making.
“We are pleased to see the Australian government has meaningfully engaged with the issues and shortcomings of the current Privacy Act, and has listened to many of the recommendations from privacy experts and civil society,” Digital Rights Watch program lead Samantha Floreani said.
“There are many promising proposals for privacy reform in this report, but currently they are just proposals, many of which have existed for almost a decade and been ignored.
“We hope that the ALP will stand their ground against tech and business lobbyists who will seek to water these proposals down, and push forward this reform agenda into actual legislative change for the public good.“
In addition to the right to erasure, the group said it is pleased to see proposals for a statutory tort for serious invasion of privacy and a direct right of action, which have long been recommended by the Australian Law Reform Commission.
“Our current privacy regulations are woefully inadequate, out of date, and not fit for purpose for the technical realities of the modern digital economy. People deserve meaningful privacy protections and a regulator who can enforce them properly,” Ms Floreani said.
“We are hopeful that this reform agenda will lay the path towards meaningful, robust reform of the Privacy Act.”
The Australian Privacy Foundation held similar concerns, with chair David Vaile saying that while it is difficult to digest the great detail of the report in a single day, his initial reactions is one of skepticism.
“We’ve now had six major reviews in 30 years which all said Australians should be able to enforce their privacy rights in court, to sue for breach of privacy, as in most other countries, but still no commitment to fix it,” he said.
“The devil is in the detail: Privacy law in Australia is often an exercise in backdoors and loopholes for abusers, hostile to giving power to individuals to protect themselves in a very unfair fight.”
Mr Vaile said “we now face a further long period before government responds”, in which time “every lobbyist under the sun can use time to white-ant recommendations their clients don’t like, and make up reasons why they’re not workable”.
The Australian Information Industry Association (AIIA) chief executive Simon Bush said the “significant report… paves the way for critical updates required for a modern digital economy, including meeting community expectations about data privacy”.
Proposed reforms to small businesses exemptions and the planned review of other laws requiring the retention of data, such as the telecommunications regimes, are among the recommendations the group supports.
It also supports the proposal to remove the word ‘repeated’ in data breach penalty laws and clarify that a ‘serious’ interference of privacy may include instances where sensitive information is involved, large groups of individuals are impacted or willful misconduct has occurred.
But the AIIA does not support a “wholesale right to erasure”, which it claims would require “significant technical challenges on industry”. If such a right is introduced, it has recommended a scheme that mirrors the GDPR.
“We look forward to considering in detail the full report and responding to the government to ensure that any new obligations placed on the technology industry are proportionate, do not result in regulatory duplication and effectively lead to the required uplift in protections,” Mr Bush added.
Norton Rose Fulbright partner Anna Gamvros, who is a member of the board of directors for the International Association of Privacy Professionals, also welcomed the report and congratulated the Attorney-General’s Department for its “thorough and reasoned approach to the reforms”.
“The full suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy are there,” she said in a statement.
Ms Gamvros said the direct right of action would be “of significant concern to Australian businesses, and of great interest to class action funders and firms”. In giving rise to regulation by courts, it could also “negatively impact innovation in digital businesses”.
“This is particularly more acute in Australia when considered in light of some of the other proposed reforms, such as the narrowing of what is considered to be valid consent and the introduction of a new standard ‘fair and reasonable’ for collection and processing,” she said.
With Brandon How
