Australia's privacy laws

Australia’s privacy laws are getting an update — here’s what we recommend

Australians’ privacy hangs in the balance as the government reviews the Privacy Act 1988 and updates the law. Here are the key legal changes Australians should fight for. 

The future of privacy in Australia is taking shape, and now is the time to take a stand. The government review of the Privacy Act is crucial to protect Australians’ right to privacy and ensure people’s control over their information in the digital environment. The resulting law will determine how Australia will enforce data protection, which is key for its success. While the government’s Discussion Paper has some good proposals, they’re not sufficient. We must push for additional improvements.

Access Now has submitted comments on the Privacy Act review, and you can read them in full here. We encourage fellow civil society organisations and human rights advocates to take advantage of all opportunities to push for changes that will shape the law for the better. Here are some of the most important changes we are calling for. 

Expand the definition of “personal information”

Today, Big Tech platforms, internet providers, and others routinely collect detailed information about us that can be leveraged for exploitation, manipulation, and worse. That’s one of the reasons it is necessary to expand what is understood as “personal information” to meaningfully protect privacy.

As the government’s Discussion Paper proposes, the provisions should explicitly include technical and inferred personal information. However, we recommend further clarification that “inferred” information includes “generated” information. This would ensure that when companies generate new information about an individual based on their data — such as predictions about their online behaviour — this new information would be protected as personal information. 

That means that the law would cover modern ways of tracking people, protecting things like your computer’s Internet Protocol (IP) address, your device identifiers, your communications metadata, your location data, and the patterns of your behaviour, like your shopping or browsing history, as well as the predictions a company makes about you based on that behaviour.

Lawmakers should widen the scope of the proposed Privacy Act to make sure certain types of personal information do not slip through the cracks. It should cover not only information that is “about” a person, but also any information that “relates” to them. Only “anonymous” (not “de-identified”) information should be exempt from protection. It’s difficult to fully anonymise data, as it can often be traced back and attributed to an individual. That is what makes the higher threshold necessary.

Strengthen consent requirements 

When you give consent to uses of your personal information, it should be voluntary, informed, current, and specific, and granted through a clear action. Companies and other entities that process personal information should be required to offer informed, up-to-date, and specific opt-in, as opposed to an opt-out system with pre-selected options. 

This means that they should implement pro-privacy default settings. Apart from enabling individuals to make an active individual choice, pro-privacy default settings embody the principle of data protection by design and default, which bolsters data security and integrity. 

To further strengthen the consent framework, the new law should grant people the explicit right to withdraw their consent at any point in time.

Give people a direct right of action

If your right to privacy is infringed or violated, you should have a direct right of action to obtain remedy. The proposed Privacy Act does not sufficiently provide for that, yet it’s a crucial and necessary reform to the law. Non-governmental and non-profit organisations should have the right to represent people whose rights have been infringed, and to independently bring complaints and cases before the Office of the Australian Information Commissioner (OAIC) and courts. It can be prohibitively expensive for individuals to pursue cases on their own, and this will help make the right of action more accessible.

Since the OAIC’s assessment is a precondition to approaching the court, the law should require the OAIC to complete its assessment of the complaint within a specified time period, to ensure that there are no delays and bottlenecks. Such an assessment must be available in writing in the public domain for transparency and accountability.

Eliminate the political exemption 

Profiling and targeting people can be dangerous and destabilising for democracy. Yet the proposed law exempts registered political parties from its protections. This has to change. The exemption is obsolete and detrimental to people’s rights. 

People deserve a law that protects their privacy in the digital age in a holistic manner, without vast carve-outs, particularly for entities that play a crucial role in the democratic processes of the country and therefore must be accountable to the people. 

It’s time to stand up for your privacy!

If you care about the future of privacy in Australia, your participation in the review of the Privacy Act is crucial for a framework that strengthens and protects human rights. Its implications will not be limited to Australia, as countries often borrow from each other when developing data protection frameworks. In addition, unless strong data protection laws are in place, international data flows put the security of our data at risk. Collectively, we must continue to press for the necessary changes and refuse to settle for privacy legislation that will not protect us.