INSIGHT

Privacy Act reforms: a new Online Privacy Code

Banking & Finance Cyber Data & Privacy Financial Services Risk & Compliance Technology & Outsourcing Technology, Media & Telecommunications

A focus on transparency and consent 9 min read

In late October, the Attorney-General's Department released a long-awaited Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill (Online Privacy Bill) to amend the Privacy Act 1988 (Privacy Act).

The Online Privacy Bill proposed to establish a framework to develop, implement and enforce a binding online privacy code. It also proposed to update the OAIC’s enforcement powers (including penalties for breach) and to make other changes to the extraterritorial scope of the Privacy Act. The Exposure Draft was released alongside the Attorney-General's Privacy Act Review Discussion Paper, the next stage in the Government's review of the Privacy Act.

This Insight explores the new proposed Online Privacy Code (OP Code). In Privacy Act reforms: further consultation on the A-G's Privacy Act review, we provide further information about imminent changes to the OAIC's enforcement powers set out in the Online Privacy Bill, and the Discussion Paper more broadly.

For organisations captured by the future OP Code, it is likely to result in very significant changes to how organisations approach protection of personal information, engagement with individuals and governance.

Key takeaways

  • Submissions in response to the Exposure Draft and to the consultation on the Regulation Impact Statement are both due by
    6 December 2021.
  • If the Online Privacy Bill is introduced and an OP Code is adopted, social media companies, data brokerage companies and large online platforms will be subject to more prescriptive obligations in respect of existing Australian Privacy Principles (APPs), with a particular focus on consumer transparency and consent.
  • The OP Code will go further than the existing APPs – including introducing a new right for individuals to request that an OP organisation cease the use or disclosure of personal information, as well as stricter consent and verification requirements for social media services in relation to children and vulnerable groups.
  • The current proposed scope of the organisations captured by the OP Code is broad – extending beyond social media platforms and what may traditionally be considered to constitute a 'digital platform'. The Government is particularly seeking feedback on the scope of organisations that will be required to comply with the OP Code and the expected regulatory impact. This will be a critical issue to be resolved during consultation.

Background

The introduction of an Online Privacy Code is a key part of the Government's response to the ACCC's Digital Platforms Inquiry Report of June 2019 (DPI Report), which made extensive recommendations to strengthen privacy protections for individuals and improve transparency and accountability in data handling practices.

Since the publication of the DPI Report, the Government has strongly advocated for the increased regulation of digital platforms and the data-handling practices that underpin their business models.

The Government has cited the OAIC's landmark case against Facebook/Cambridge Analytica as a catalyst for the introduction of the Online Privacy Bill. This bill proposes a new binding code in order to address the specific challenges posed by social media platforms and other digital platforms, which collect a high volume of personal information or trade in personal information.

The release of the Exposure Draft means these changes are being commenced separately from, and in advance of, more wholesale changes that may arise following the completion of the Attorney-General's broader review of the Privacy Act. This reflects the Government's desire for the process of development of the new Online Privacy Code to commence immediately rather than waiting for the broader review to be undertaken first.

The Online Privacy Code

Development of the OP Code

The process for developing the OP Code is similar to those for the existing APP code and CR code-making processes. Following Royal Assent of the bill, the OP code will need to be developed and registered within 12 months.

Industry (being an OP organisation (see below), a group of OP organisations or a body or association representing one or more OP organisations) will have the first opportunity to develop the OP Code, on request of the Commissioner. However, if the Commissioner cannot identify an appropriate developer, or if the Code is not suitable, the Commissioner may develop the OP Code herself.

Who will the Online Privacy Code apply to?

The OP Code will apply to private sector organisations, already subject to the Privacy Act, that provide social media services, data brokerage services and large online platforms with at least 2.5 million end users in Australia (individually, an OP organisation). The Online Privacy Bill also gives the Minister the ability to designate, by legislative instrument, that specific organisations, or classes of organisations, are not an OP organisation or that specific organisations or classes of organisations are an OP organisation.

The OP Code is not intended to apply to:

  • services that enable content sharing/interactions as an additional feature or a secondary purpose (eg online feedback facilities for businesses);
  • customer loyalty schemes; and
  • Australian government agencies.

The Explanatory Paper has expressly identified certain organisations as being an OP organisation, and therefore subject to the code. This includes social media sites Facebook and Only Fans, dating app Bumble, communication services like Zoom and WhatsApp, and data brokerage companies like Quantium, Acxiom and Experian.

Of note is the application of the OP Code to 'large online platforms'. As drafted (and without specific exclusion) this would apply to organisations that had more than 2.5 million customers or users and who collected personal information in the course of providing that individual with access to information, goods or service by use of an electronic service (ie most large organisations with a consumer accessible online platform). The Government's intention with this category is to capture 'organisations that collect a high volume of personal information online'. This broad definition could include large online retailers, news sites and online streaming services. Whilst services which have the sole purpose of processing payments or providing access to a payment system are excluded, this is still likely to capture many online banking platforms (whether big banks or newcomer payment offerings) which these days offer much more than just a payment processing or payment system platform.

What is required under the OP Code?

The OP Code will set out how OP organisations must comply with existing obligations under the APPs of the Privacy Act, in addition to imposing new obligations. These are expected to include a requirement to cease to use or disclose personal information upon request and the imposition of extra protections for vulnerable groups and children.

The Commissioner is given broad powers to determine the scope and content of the OP Code, including flexibility to respond to emerging privacy issues.1 We have outlined below some of the specific matters the OP Code intends to address.

Enhancing existing obligations under the APPs

The OP code will detail how an OP Organisation is to comply with:

  • APP 1 – eg privacy policies must be clear and simply explain the purposes for which the organisation collects, holds, uses and discloses personal information;
  • APP 3 and 6 - consent must be voluntary, informed, unambiguous, specific and current; and
  • APP 5 - notices to individuals must be clear, understandable, current and provided in a timely manner.

In practice, this means current APP guidance from the OAIC will be codified, with a clear focus on transparency of OP organisations’ collection, use and disclosure of individuals’ information. This goes hand in hand with further changes recommended in the Discussion Paper.

New obligation on organisations to cease the use or disclosure of personal information upon request

The OP Code will also require OP organisations to take reasonable steps to not use or disclose personal information where an individual makes such a request. Whilst there are specific legislated exceptions to this requirement (eg where required by law, or if a general permitted situation or health situation exists), these are narrow and it will be left to either the OP Code itself, or organisations, to determine when it is not reasonable to action an individual's request.

This could prove to be a highly significant new obligation, imposing considerable operationalisation burdens on OP organisations.

This obligation is intended to build on existing rights under APP 12 and 13 for individuals to request access to, and correction of, their personal information, without amounting to a ‘right of erasure’. In practice this request right could be seen as a legislated consent withdrawal and override mechanism, which will apply even where consent has not been used as the original mechanism to enable use or disclosure of personal information. For example, this could apply where the original use was for a purpose that is a reasonably expected secondary purpose related to the primary purpose. OP organisations will need to put in place measures both to track, implement and respond to individual requests, as well as to then segregate and remove data from particular uses or disclosures (eg data analytics). This could prove to be a highly significant new obligation, imposing considerable operationalisation burdens on OP organisations.

New obligation on organisations to protect children and vulnerable groups

Under the OP Code, all OP organisations will be required to take extra precautionary steps when dealing with personal information of children under 18 years of age, and vulnerable groups.

The OP Code will specify how consent may be obtained from these individuals (or their parents, guardians or representatives).

In addition, social media services will also need to:

  • take reasonable steps to verify the age of individuals who use the social media service2;
  • ensure that the collection, use or disclosure of a child's personal information is fair and reasonable in the circumstances, with the best interest of the child being the primary consideration for determining what is fair and reasonable3; and
  • obtain the express consent of a parent or guardian before collecting, using or disclosing personal information of a child under the age of 16.4

This is likely to have a substantial impact on social media services and OP organisations more generally, particularly in relation to any legacy data and accounts for which the organisation may not have requested information as to an individual's age. Organisations, the OAIC and the Government will also need to work through the means by which an organisation will obtain or verify the age of individuals and potential for increased risks to individuals in doing so - date of birth information is typically used to verify individuals' identify and may lead to a higher risk for individuals in case of a data breach.

The Discussion Paper is currently seeking feedback on whether organisations should be permitted to assess a child's capacity to provide consent on an individualised basis (rather than rely on the 'bright line' limit of 16 years old) where it is practical to do so, for instance in a healthcare setting as opposed to an online interaction or brief encounter.

How does the OP Code work alongside other privacy-related regimes?

The OP Code is an additional layer of privacy regulation for organisations, and interoperability with other privacy-related regimes will be critical. The Government has indicated that:

  • if an organisation is subject to both the OP Code and an APP code, the OP Code will prevail to the extent of any inconsistency; and
  • if an organisation is subject to both the OP code and the Consumer Data Right regime under the Competition and Consumer Act 2010 (Cth) (CDR), the CDR rules will prevail to the extent of inconsistency between the two regimes.5

The Discussion Paper also separately suggests the establishment of a working group to consider harmonisation of federal, state and territory privacy laws to address any inconsistencies. The new OP Code will therefore create a further layer of complexity and regulation in addition to the existing patchwork of legislation.

Next steps

Accompanying the Exposure Draft is an early assessment of the Regulation Impact Statement.

Submissions on the Exposure Draft and Regulation Impact Statement are due by 6 December 2021. Following this consultation period, the Government intends to prepare a final draft bill to present before Parliament.

We strongly recommend organisations that may fall within the scope of 'OP organisation' consider the Exposure Draft, Regulation Impact Statement and consider whether they wish to make submissions on the bill prior to it being presented to Parliament. In particular, it will be important for some large-scale businesses and consumer online platform operators to clarify the scope of organisations intended to be caught by the new OP Code.

Footnotes

  1. Online Privacy Bill, s 26KC(8).

  2. Online Privacy Bill, s 26KC(6)(a).

  3. Online Privacy Bill, s 26KC(6)(e) and (f).

  4. Online Privacy Bill, s 26KC(6)(b).

  5. Explanatory Paper, pg. 16.