Yesterday, Mark Dreyfus (pictured), the Albanese government’s attorney-general announced the next stage in the reform of the Privacy Act, with three key updates for businesses around the country.
The first and the most pertinent for businesses across Australia was the removal of the small business exemption. Currently, companies that turnover less than $3 million per year are exempt from the Act’s rules around data gathering and notifying customers in the event of a data breach.
When the new Act comes into power, the exemption will be removed, though there would be a transition period to allow small businesses to get to grips with the updated rules.
However, for the advertising industry, much is still up in the air despite the government not agreeing to move forward with the proposal to allow internet users to opt out of targeted advertising. This proposal could have caused havoc with voluntary exclusion lists for people who did not wish to see alcohol or gambling adverts, for example.
“At first glance, it is pleasing to see that the Government has not agreed to adopt the report’s proposal to enable individuals to opt out of targeted advertising – that proposal simply would not have been workable,” said Gai Le Roy, CEO of IAB Australia.
The Act would also usher in an expanded definition of personal information including cookie identifiers and IP addresses, where an individual might be “reasonably identifiable” even if they are not named. The Act would also introduce a new “fair and reasonable” test for information collection, irrespective of consent. This would cover the common situation of “box-ticking” a lengthy privacy statement.
“Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones,” said Dreyfus announcing the changes.
“But when they are asked to hand over their personal data they rightly expect it will be protected.”
Sarla Fernando, director of regulatory and advocacy at the Association for Data-Driven Marketers (ADMA) said that the announced changes to the law are far from set in stone and require some further fine-tuning.
“ADMA urges the government to continue its further consultation while actively involving the data-driven marketing industry in particular. This is essential as it looks to create clear and distinct definitions for targeting and direct marketing, to ensure the law is both pragmatic and efficient,” she explained.
“Our focus now will be in continuing to engage our member (and wider) community on a number of areas that require continued thought and consultation to mitigate the risk of drafted law not having the intended impact when applied in day-to-day business operations.
“In particular, ADMA will be keen to contribute to the ongoing conversations around targeted advertising and trading as the government’s response still leaves some room for clarification. The data-driven marketing and advertising industry will also be interested to better clarify the roles and responsibilities of data controllers and processors”.
The IAB also said that it would be looking to work with the government to clarify the definition of personal information and targeting, the fair and reasonable test and the requirements in relation to the trading of information.
The Act would also seek to introduce a Children’s Online Privacy Code and make entities accountable for handling information, and destroying data when no longer needed.
“We must also stress, the way this Act looks to be shaping up means that it isn’t a mere reiteration of GDPR. Therefore, any company making assumptions rooted in its current GDPR compliance could well not meet the requirements of the changing Australian law,” said Fernando.
The law is supposed to come into force sometime next year.
