What You Should Know About Privacy Law in Australia

by Jul 5, 2023

What you should know about Privacy Law in Australia – it’s changing.

And privacy law is changing around the world as well.

2023 Privacy Awareness Week was the first week of May.

Changes to Australian Privacy Law in December 2022

Privacy law is under review in Australia. In December 2022 the federal government pushed through the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which was tabled in response to the Optus and Medibank personal data hacks.

The legislation was rushed due to several factors. Many people are upset because the Medibank hack perpetrators released all the collected data on the dark web in November 2022. Even politicians have been affected, and they want to take action during their first term to prevent a similar data breach from occurring again.

Cynically, it also provides the government with the potential to recover a little of the budget deficit if it gets to impose penalties at the higher rate, and it is no small jump in penalties. The Australian Information Commissioner (OAIC/Privacy Commissioner) will have the opportunity to test these recent changes in the law in reviewing the Latitude Finance data breach, where it was discovered that some personal information had been held on to for almost 20 years, well past Latitude’s legitimate business needs.

The main changes to privacy law, extending the Privacy Commissioner’s powers and increasing penalties, are:

  • a significant increase in penalties, up to $50 million – see more below;
  • extension of coverage to foreign entities that carry on a commercial activity in Australia, whether or not they have any other Australian link;
  • greater enforcement and information sharing powers for the OAIC; and
  • greater information sharing powers for the Australian Communications and Media Authority (ACMA – the body responsible for regulating anti-spam compliance).

One practical consequence is that conduct complained about as spam could now result in investigations into how the same company manages personal information, with potentially huge penalties for non-compliance.

Privacy Review Recommendations for 2023

Earlier in 2023 the federal government was calling for submissions on the Privacy Act Review Report, published by the Attorney-General’s Department, which makes 116 recommendations for proposed changes to the Act.

‘Small business’ is mentioned 207 times in the Report.

Some of the changes proposed to affect small business are:

  1. that the exemption for small businesses with a turnover of $3 million or less be removed;
  2. that the exemption for small businesses who have obtained consent to trade in the personal information they collect be removed;
  3. that protections be extended to private sector employees (noting that many of these employees are employed by small businesses);
  4. that the OAIC’s powers to issue penalty notices be extended;
  5. that criminal offences be introduced;
  6. that a right for a person to sue for ‘serious invasions of privacy’ be introduced, and/or that a ‘serious invasion of privacy’ become a criminal offence;
  7. that an express requirement be introduced in APP 5 requiring collection notices to be clear, up-to-date, concise and understandable, with appropriate accessibility measures; and
  8. that risk assessments be required for activities ‘with high privacy risks’.

What do Changes in Australian Privacy Law mean for Small Business?

Given the changes in technology over the last 20 years and the amount of data collected by small businesses, it is likely the exemption will be lifted because the data collected does put individuals at risk.

One of the examples used in the report referred to the amount of information collected by real estate agents when receiving tenancy applications. The risks to individuals relating to the type of information collected by real estate agents (photo identification, earnings, bank account details etc) were considered sufficiently high to warrant a positive obligation on the collecting party.

It was also mentioned that the lack of understanding of data handling practices by small businesses could increase the risk of a data breach occurring.

In our experience, many small business owners have not thought about what systems they use and how that impacts the personal information they collect.

Can you answer these questions?

  • What email system do you use?
  • When was the last time you checked your email provider’s privacy obligations and protections, and how that impacts your use of their system?
  • What happens to the personal information (names, email addresses, phone numbers etc) going through your email?
  • How much historical email data do you have stored? Should you?

Preparing for the Removal of the Small Business Privacy Law Exemption

As a small business owner, you need to immediately increase your knowledge and understanding of the information you collect, how you collect it, what you do with it, how long you need it, and what you do with it when you no longer need it.

This also means you will need to understand your privacy policy, whether the policy accurately reflects what you do, and whether it is clear enough for your customers to understand.

This means thinking about your customer base in a new way, regardless of whether they are likely to read your policy before the purchase or wait until they have a problem.

“When was the last time you read your privacy policy?”

When the small business privacy law exemptions are removed, as a small business owner you will be exposed to the risks of penalties from the OAIC, being charged with a criminal offence or being sued by an irate customer.

If you don’t understand how you protect personal information, take the time now to review and understand your existing systems, or to implement new ones.

Do you know how to complete a risk assessment on the types of information you collect, 

What are the Penalties for Serious Breaches of the Privacy Act?

Penalties for serious breaches of privacy obligations have increased.

For individuals, such as sole traders and independent contractors, the maximum penalty rises to $2.5 million (from $440k).

And for bodies corporate, such as companies and incorporated associations, the maximum rises from $2.22 million to:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • if the value of the benefit cannot be determined, 30% of the body corporate’s adjusted turnover (revenue in Australia) in the relevant period.

As a Small Business Owner, do I need a Privacy Policy?

If you fall within a small business exemption, then before mid-year 2023 you will not be legally required to have one. Your customers or clients might have different expectations.

Proposals for changes in legislation are under consideration in 2023. The government responded to the Optus and Medibank breaches within a few short months, with legislation that had immediate effect. It is likely that changes to small business privacy obligations will have a 6 to 12 month lead time before they become effective.

You can act now to be prepared, or wait for the last-minute rush. Again, it might be worthwhile surveying your client base to find out what their expectations are of the systems you have in place to protect their privacy.

Can Small Business Owners just use template Privacy Policies?

Some business owners have a high risk tolerance and just want to get on with business without worrying too much about compliance issues, and are more inclined to ask for forgiveness rather than consent.

Other business owners have a low risk tolerance and want to get everything right before they start trading.

Most small businesses are somewhere in between.

The highest risk is copying and pasting something from a source that is not relevant to your country, or from someone else’s website, without understanding the implications for your business. If you get it wrong, you can potentially create higher liability than you are legally required to carry, or no protection at all.

One of the most common problems with privacy policies is that people try to use them without understanding them. If a template comes from a trusted provider and mentions your local laws, and you understand it, and it reflects what you actually do in your business, then it may be appropriate for your business.

We are unable to specifically say if something is right for your business or not without reviewing your business and the terms of the privacy policy. You can book a consultation with one of our team to check any website legal terms you have in place by making an appointment.

What about ChatGPT Privacy Policies?

We have tested ChatGPT, and the draft policies it generated were not 100% compliant with the privacy laws of any jurisdiction. They were more geared toward United States law.

The United States does not have a single consistent approach to privacy protection. Laws are different in each state, so there is no clear guidance on compliance, which is probably why the ChatGPT version is a bit vague.

Who Cares about Privacy Laws?

There is privacy, and then there are privacy laws.

Someone wanting privacy may be thinking of time away from the public eye, and not being disturbed by other people. That is not what privacy law is about.

Privacy law is not about stopping someone from stalking you on social media or keeping someone out of your home or away from your family. As much as you might sometimes like to, privacy law does not support you in telling someone to “keep your nose out of my business”.

Australian privacy law is specific to the protection of personal information.

Personal information is something that can identify you, or that can be combined with other available information to identify you: a photo, an address, a phone number, and all the same information that some social media users freely give away when asked to participate in a quiz to determine their Star Wars identity.

Many businesses want as much information as they can get from a customer or potential customer so that they can target products or advertising to that person. The question is, is the collection of all that information necessary?

The Office of the Australian Information Commissioner completed a survey in 2020 (pre-Optus and Medibank hacks) suggesting that 70% of Australians were concerned about the use of their personal information and 87% wanted more control and choice over the collection and use of their personal information.

In addition, the recommendations for changes to privacy laws include enabling individuals to have their personal information erased, and propose giving individuals the right to sue controllers or processors of personal information for serious invasions of privacy.

It is also likely that there will be penalties for collecting more personal information than is reasonably required for the services being delivered, and for coercing people to provide personal information, such as using provisions that do not entitle someone to obtain a free quote unless they provide their name and email address.

If you worry about what is happening every time you give another business your personal information, then imagine how your customers feel. Now is the right time, before there are significant consequences for non-compliance, to consider reviewing and updating your privacy policy and procedures.

This article contains general legal information and should not be relied upon without seeking appropriate legal advice specific to your circumstances.

How Can Onyx Legal Help You?

If you want a better understanding of your privacy obligations or the status of your current privacy policy and procedures, make an appointment with one of our team to discuss it.