Amendments to Australian Privacy Law: Still a Long Road Ahead  

Article by Tsaaro

7 min read

The Australian Parliament has passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. The Bill amends the Privacy Act 1988 so that the maximum penalty for a serious or repeated interference with privacy is set by a three-factor model: the greater of AU$50 million, three times the value of any benefit obtained from the misuse of the information, or 30% of the entity's adjusted turnover in the relevant period. This brings the penalties into line with those available under Australian competition and consumer law and closer to the EU General Data Protection Regulation (GDPR). The Bill also allows the regulator to share information with domestic regulators and overseas counterparts so that they can carry out their regulatory responsibilities quickly and effectively.  

The Bill also confers additional powers on the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) in relation to the notification and resolution of privacy breaches. The OAIC can now require entities to provide additional information about a breach and can intervene more directly in how it is resolved, and both agencies have wider powers to share information with potentially affected end users.  

Many more changes are expected in the Australian privacy landscape. Some of them are listed below.  

  1. Establishing Mid-Tier and Low-Tier Civil Penalties for Less Serious Invasions of Privacy

There are good reasons to distinguish between contraventions, for instance those committed by a first-time offender and those committed by a repeat offender. Unless there are real concerns that officials would abuse the discretion, it is more cost-effective for the regulator to be able to choose between dismissing a case (with or without a warning) and starting enforcement proceedings, with penalty tiers that match the seriousness of the conduct. It is also in the interests of justice that minor contraventions are not dealt with as harshly as serious ones.  

  2. Broadening the Scope of Personal Information to Include Inferred Personal Information Such as IP Addresses

Personal information is defined differently across privacy regimes, but it always refers to information that can be used to identify an individual, such as a name, home address, phone number, or even an IP address.  

As increasingly diverse data sets (for example, data aggregated from numerous sources) become publicly available, data can move from anonymous to re-identifiable. Purchasing behaviour, which may not look sensitive at first glance, can expose highly sensitive facts through data-driven inference when analysed over time: an unhealthy lifestyle, a person's location, financial difficulty, even unlawful conduct. Dynamic IP addresses, which are only now being treated as personal information, are another example. Because legislation lags far behind industry, people's conceptions of personal data may also differ, particularly for new devices that handle a range of personal data. A clear understanding of these challenges is critical for policy and legislative drafting, since it sets the foundation for how data can lawfully be stored and processed.  

  3. Data Anonymization

Data anonymization is the technique of protecting private or sensitive information by removing, masking or generalising the identifiers that link an individual to stored data. For example, Personally Identifiable Information (PII) such as names, government identification numbers and addresses can be run through an anonymization process that preserves the usefulness of the data while concealing whom it is about. Merely encrypting or tokenising the identifiers is pseudonymization rather than anonymization: whoever holds the key or the mapping can reverse it, so the data remains personal information.  

Even when direct identifiers are removed, attackers can use de-anonymization techniques to reverse the process. Because data typically passes through numerous sources, some of them public, these techniques cross-reference the attributes that remain (quasi-identifiers such as postcode, date of birth and sex) against other datasets to disclose personal information.  
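The following is an added example, not code from the Tsaaro article, showing why removing names alone is not anonymization. It joins a constructed "de-identified" health dataset to a constructed public membership list on the quasi-identifiers left behind (postcode, birth year, sex), then applies a simple generalisation (postcode prefix, birth decade, sex dropped) and measures k-anonymity to show that the linkage no longer yields unique matches. All records, field names and the generalisation rules are assumptions made for the illustration.

```python
"""Linkage attack against a "de-identified" dataset, and k-anonymity
generalisation as a mitigation. Added example; all data is constructed."""
from collections import defaultdict

# Quasi-identifiers left in the "anonymized" health data (assumed fields).
QUASI_IDS = ("postcode", "birth_year", "sex")
# Fields present after generalisation (assumed names).
GEN_FIELDS = ("postcode_prefix", "birth_decade")

# Constructed health records: names stripped, quasi-identifiers intact.
HEALTH_RECORDS = [
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "3000", "birth_year": 1990, "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "3000", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "4000", "birth_year": 1972, "sex": "M", "diagnosis": "depression"},
    {"postcode": "4001", "birth_year": 1975, "sex": "F", "diagnosis": "anaemia"},
]

# Constructed public list (e.g. a club membership roll) that carries names
# together with the same quasi-identifiers.
PUBLIC_LIST = [
    {"name": "Alice Example", "postcode": "2000", "birth_year": 1985, "sex": "F"},
    {"name": "Bob Example", "postcode": "2000", "birth_year": 1985, "sex": "M"},
    {"name": "Carol Example", "postcode": "3000", "birth_year": 1990, "sex": "F"},
    {"name": "Dan Example", "postcode": "4000", "birth_year": 1972, "sex": "M"},
]


def quasi_key(record, fields):
    """Tuple of the quasi-identifier values used as the join key."""
    return tuple(record[f] for f in fields)


def group_by_key(records, fields):
    """Map each quasi-identifier key to the records sharing it."""
    groups = defaultdict(list)
    for r in records:
        groups[quasi_key(r, fields)].append(r)
    return groups


def min_group_size(records, fields=QUASI_IDS):
    """The k for which the dataset is k-anonymous on `fields`: the size of
    the smallest equivalence class. k == 1 means someone is unique."""
    return min(len(g) for g in group_by_key(records, fields).values())


def link(health, public, fields=QUASI_IDS):
    """Linkage attack: join the two datasets on the quasi-identifiers and
    return {name: diagnosis} wherever the key is unique on both sides."""
    health_groups = group_by_key(health, fields)
    public_groups = group_by_key(public, fields)
    linked = {}
    for key, people in public_groups.items():
        matches = health_groups.get(key, [])
        if len(people) == 1 and len(matches) == 1:
            linked[people[0]["name"]] = matches[0]["diagnosis"]
    return linked


def generalize(record):
    """Coarsen the quasi-identifiers: keep only the first postcode digit,
    bucket birth year into its decade, and drop sex. Other fields are kept."""
    out = {k: v for k, v in record.items() if k not in QUASI_IDS}
    out["postcode_prefix"] = record["postcode"][:1]
    out["birth_decade"] = (record["birth_year"] // 10) * 10
    return out


if __name__ == "__main__":
    print("k before generalisation:", min_group_size(HEALTH_RECORDS))
    print("linked:", link(HEALTH_RECORDS, PUBLIC_LIST))
    gen_health = [generalize(r) for r in HEALTH_RECORDS]
    gen_public = [generalize(p) for p in PUBLIC_LIST]
    print("k after generalisation:", min_group_size(gen_health, GEN_FIELDS))
    print("linked after generalisation:", link(gen_health, gen_public, GEN_FIELDS))
```

On the raw data three of the four public names are linked to a diagnosis because their quasi-identifier combination is unique in the health set; Carol is not uniquely linked only because two health records happen to share her key. After generalisation every equivalence class has at least two members (k = 2) and the join produces no unique match. In practice k-anonymity alone is still weak (every member of Carol's class has some neurological or cardiovascular diagnosis), which is why the page's point stands: de-identification must be assessed against the other datasets an attacker can plausibly obtain, not just against the removal of names.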

  4. Standardising Templates for Asking Consent to Acquire Personal Information

Protecting data, particularly private and sensitive information, is critical in a complex environment where so much is at stake. One of the most important steps governments can take to secure their citizens' data is to require businesses to publish a concise and transparent privacy policy.  

A solid privacy policy should detail what data is collected and why, who has access to it, and how long it will be retained. It should also identify any third parties with whom the business shares personal or private information, as well as the security measures in place.  

  5. Mandating Pro-Privacy Settings in Websites, Software and Mobile Applications

Default pro-privacy settings matter. Defaults that give businesses easy access to personal information leave people's data more exposed, because most people never change the settings. If new privacy safeguards are not enabled by default and consumers must navigate a maze of clicks to obtain them, little has been achieved.  

Research on default effects gives several reasons why people do not change default settings: cognitive and physical effort, perceiving the default as correct or as endorsed by the provider, using the default as a justification for the choice, lacking transparency about its implications, or lacking the skill to change it.  

Thus, by legislating an obligation on companies to build in pro-privacy defaults, the Government would enforce a simple golden rule for privacy: companies should put the interests of the people whose data it is ahead of their own.  

  6. Reforming Employee Record Exemptions

An employee record is a record of personal information relating to an individual's employment. Because this definition is narrow, not all handling of personal information in the workplace is exempt from the Privacy Act: personal information collected from unsuccessful job applicants, contractors or volunteers, for example, is not covered by the exemption.  

It has frequently been argued that the law should oblige private sector employers to take reasonable steps to protect employee information from misuse, interference and loss, and from unauthorised access, modification and disclosure. Individuals can face serious harm if sensitive information (police background checks, health information, salary data) is mishandled during an employment relationship. There are difficulties as well: allowing workers to access and correct their personal information may, for example, hinder workplace investigations or performance management processes.  

  7. Right to Erasure

A right to erasure would allow individuals to require an entity to delete the personal information it holds about them. There is a particularly strong focus on this right for data collected from children.  

  8. A Direct Right of Action

A direct right of action gives individuals greater agency and control over the handling of their personal information, because they can seek a remedy in court themselves rather than depending on the regulator to act. Limiting the right to "serious" interferences would deny many people any legal redress for breaches of their privacy. A direct right of action would bring the Australian privacy framework into line with jurisdictions such as the United Kingdom, New Zealand, Japan, Singapore and the European Union. The decided cases on damages suggest that compensation should be restrained but not nominal, and not so low as to undermine the public policy behind the legislation.  

Conclusion  

Despite some welcome amendments, Australian law still has a long way to go before it adequately protects citizens' data. Many important principles still need to be introduced and many rights conferred, in addition to placing obligations on businesses to collect data lawfully.  
