The landmark three-year review of Australia’s privacy law has recommended giving important new rights to individuals, including suing for privacy breaches, having their data erased and refusing targeted marketing.
A wide-ranging review of the privacy law was launched in 2020 by the former coalition government based on a recommendation from the Australian Competition and Consumer Commission (ACCC) last year.
The final report was handed over to the Labor government at the end of last year and was released Thursday morning by Attorney General Mark Dreyfus.
The 116 proposals, spanning 320 pages, include the introduction of a direct right of action and statutory tort for serious breaches of privacy, the inclusion of small businesses in the regulatory scheme, and greater powers for individuals to use their control your own personal information.
The purpose of the review was to examine whether the law is fit for purpose in the online world and to ensure that the benefits of data-driven technology are realized while protecting individual privacy.
“Privacy law has not kept pace with the changes in the digital world,” Dreyfus said.
“The Australian people rightly expect greater protection, transparency and control over their personal information and the release of this report begins the process of meeting those expectations.”
One of the most important recommendations from the report is the introduction of a direct action right and statutory tort for serious breaches of privacy.
This gives Australians “more freedom of choice to seek redress for invasion of privacy” through new avenues for seeking remedies in the courts.
The direct action right allows individuals and groups of individuals to seek redress in the courts for violations of the Privacy Act that have caused harm.
“Such a right would be an important measure to increase individuals’ control over their personal information and reflect current community expectations,” the report said.
“A direct right of action would increase the possibilities for persons who suffer damage as a result of an invasion of privacy to claim compensation. Empowering individuals in this way can also serve to increase consumers’ bargaining power with companies that collect and use their personal information.”
These claims will be heard in Federal Court, with all applicable remedies, including damages.
To access this claim, an individual must first submit a complaint to the Office of the Australian Information Commissioner and have it reviewed for possible resolution.
The report said the majority of petitioners supported it, including academics, regulators, grievance bodies, civil society, trade unions and financial groups.
Those opposed to it included digital platforms, telecommunications companies, media organizations and tech industry groups.
A statutory tort for serious invasion of privacy should also be introduced, the report said.
“An examination of existing frameworks points to clear gaps in current privacy protections and an individual’s ability to take steps to protect themselves and seek redress for privacy breaches,” the report said.
“These gaps are best addressed through a single privacy infraction designed to cover the field.”
The report also recommended introducing a new “fair and reasonable test” to support the activities of entities subject to privacy law when handling personal information.
Australia should follow the European General Data Protection Regulation (GDPR) and introduce a right to object, the right to request deletion and the de-indexing of search results, the report said.
The exemption for small companies from the law should also be removed, as it turned out after an impact analysis was carried out and these companies are able to meet the new obligations.
Despite calls to end the political exemption, the report recommended that it be maintained with new safeguards.
In terms of law enforcement, new levels of civil penalty provisions should be introduced to allow for more targeted responses, the review found.
This would include a mid-level civil penalty provision to cover privacy breaches with a serious element, and a low-level civil penalty provision for specific administrative breaches.
There should also be an unconditional right to opt out of targeted advertising and personal information released for direct marketing purposes, the review concluded.
The federal government is now seeking feedback on the final report to provide its response, with submissions due by the end of March.