Better privacy protections for Australians on the cards

Dominic Giannini and Kat Wong | September 28, 2023

Australians will have better privacy protections and small businesses will need to invest more in data security under new laws flagged by the government.

Concerns over complex and lengthy privacy policies that led to Australians simply ticking the box to get their product or service without reading the disclaimers have led to Attorney-General Mark Dreyfus agreeing in principle to undertake reform.

A change would protect against “dark patterns” that nudge users to consent to more privacy intrusions than necessary, Mr Dreyfus says in a response to a review of privacy laws.

University of Technology academic Kate Bower said the reforms were a step in the right direction.

“Each day we delay is another day that Australians are vulnerable to privacy harm from high-risk technologies, such as facial recognition and artificial intelligence,” Dr Bower said.

The government has provided in-principle support to giving Australians a right to have their data erased, although any new laws would not override existing requirements, such as the retention of identification records or criminal records.

A ban on targeting marketing that is based on sensitive information, unless it is socially beneficial, is being considered by the government.

Children are to gain more protections, with entities set to be prohibited from directly marketing towards kids and trading their personal information.

A children’s online privacy code will ensure their best interests are considered when their personal information is handled.

The government also gave in-principle support to the notion that any targeting of children by an organisation would only be done if it is in the child’s best interest.

Small businesses could also lose their exemption to obligations on large corporations under the Privacy Act, and would need to invest more in keeping personal information secure and to notify consumers in the event of a data breach.

The government agrees in principle about removing the exemption, and the review recommended an appropriate support package for small businesses.

It will work with stakeholders on an impact analysis and evaluate a transition period to give businesses reasonable time to adapt.

Australian Small Business and Family Enterprise Ombudsman Bruce Billson welcomed the “right-sized” reforms.

Expanding what personal data is protected is also being examined, with online identifiers such as IP addresses and cookies providing a reasonable chance of identifying a person as new technologies become more integrated in public life.

It would expand on traditional protections that include keeping names and street addresses private.

There are also considerations for a right to be forgotten, where search engines remove certain results linked to a person’s name on limited grounds.

Mr Dreyfus said Australians handing over their data rightly had an expectation that it would be protected. 

“The Albanese government is committed to ensuring Australians can benefit from the latest technologies, while knowing that their personal information is safe and secure,” he said in a statement.

Of the 116 recommendations from the Privacy Act review, the government has agreed to 38, agreed in principle to a further 68 where more engagement will be undertaken before a final decision, and noted 10.

A proposal to narrow the exemption for politicians was one of the proposals noted.

Tech Council of Australia CEO Kate Pounder said she was pleased some of the proposals had been accepted.

“We see privacy reform as a key pillar of a credible response to improve Australia’s ability to safely and responsibly develop and adopt AI, to improve cyber security resilience and to enable the continued growth of the tech sector,” she said.

Privacy reforms are set to be introduced into parliament next year.