Proposed amendments
The proposed amendments would:
- increase the scope of the Privacy Act by expanding the types of information captured by the definition of 'personal information' to include technical and inferred information;
- impose a higher standard for organisations to meet in respect of 'de-identified', anonymised or pseudonymised data; and
- likely require substantial operational and legal uplift by organisations, particularly those that currently rely on data de-identification to use or share information.
Expanding the definition of personal information
Technical and inferred information
The Discussion Paper proposes to amend the definition of 'personal information' so that it could capture:
- technical personal information such as IP addresses, location data and other online identifiers commonly collected and used for targeted advertising persons; and
- inferred personal information such as personal information about an individual derived from their activities, like online transaction data.
This would be done by amending the definition so that it relates to an identified individual or an individual who is reasonably identifiable, rather than being about such an individual. An individual would be 'reasonably identifiable' if they are capable of being directly, or indirectly, identified. In addition, a non-exhaustive list of types of information capable of falling within the definition, and a list of objective factors to assist organisations to assess whether an individual is 'reasonably identifiable' would also be included. This would mean that technical information would still be subject to the test of whether it reasonably identifies an individual, but would not be subject to the additional complexity of determining whether the information was about the individual or something else.1
Although we do not anticipate these changes will significantly alter the definition at law, they would codify existing guidance and the position of the OAIC in respect of information that may be 'personal information'. This is particularly relevant given ambiguity about what constitutes 'personal information' following the Federal Court's decision in Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (Grubb). It will also broadly align the Privacy Act's definition of personal information with the European Union's General Data Protection Regulation (GDPR).
Sensitive information
The Discussion Paper noted suggestions to expand the definition to cover types of personal information that could be employed as proxies for sensitive information. This includes financial information such as transaction histories, which could be used to indicate an individual's gender, or location information that could reveal an individual's health conditions or religious beliefs.
Whilst the Discussion Paper has not put forward any proposals to amend the definition of sensitive information, it is still possible changes could be made in the next stages of the review. This is likely to be of particular interest to fintechs and financial institutions that collect, use and share transaction data and other financial information.
Re-identification and anonymisation
The Discussion Paper proposes that:
- personal information be required to be made anonymous, rather than de-identified, before it is no longer protected by the Privacy Act; and
- the Privacy Amendment (Re-identification) Offence Bill 2016, with appropriate amendments, be re-introduced in order to effectively penalise malicious re-identification of information.2
This amendment is likely to create a substantially more onerous threshold for businesses to meet when seeking to make use of personal information for data analytics purposes. Whilst de-identification requires an individual not be 'reasonably identifiable', a requirement for data to be truly anonymous requires it to be no longer possible to identify someone. Despite the Discussion Paper suggesting this would not impose an absolute or unworkably high standard, we expect this may make it harder for businesses to derive value from information sets that are currently de-identified by using unique identifiers. By way of example, it is likely that matching processes using hashed unique identifiers would now be clearly regulated by the Privacy Act.
For businesses that rely on de-identified information for particular data uses, this is likely to require significant review and investment to ensure data used is fully anonymised. Alternatively, organisations may need to amend their practices to enable collection, use and disclosure of such information in compliance with the Privacy Act and the APPs.
Exemptions
Although the Discussion Paper nods in favour of narrowing (or else abolishing) the existing employee records and small business exemptions under the Privacy Act, the Attorney-General has not yet made any formal recommendations in relation to these exemptions. The Attorney-General intends to revisit these exemptions once there is further certainty as to the other proposed changes to the Privacy Act. The paper indicates that it would be difficult to assess the potential impact on currently exempt practices without understanding what the amended Privacy Act will require, including of small businesses.
Extraterritorial application of the Privacy Act
The Online Privacy Bill will remove the requirement that an organisation has to collect or hold information from sources inside Australia in order for the Act to apply to that organisation.
If adopted, the amendment would expand the extraterritorial application of the Privacy Act. This follows various disputes over the extraterritorial application of the Privacy Act in the OAIC's current proceedings against Facebook, whose entities are established overseas; a case that may be demonstrative for similar multinational organisations. We provide an in-depth analysis of the proceedings in our Insight.
More broadly, this would mean that any foreign organisations, and potentially any digital or online businesses, that transact with their users from overseas-based companies would be subject to the Privacy Act despite not having directly received or obtained the information from an individual in Australia.
Footnotes
-
To remove uncertainty following the Grubb case (Privacy Commissioner v Telstra Corporation Ltd 2017 FCAFC 4).
-
Discission Paper, 31.