The Australian government is planning to introduce new laws aimed at bolstering privacy protections for citizens and imposing stricter data security requirements on small businesses.
Attorney-General Mark Dreyfus has expressed concerns about the current trend of Australians mindlessly accepting lengthy and convoluted privacy policies without thoroughly reviewing the associated disclaimers.
To address these issues, the proposed reforms include safeguards against “dark patterns” that manipulate users into granting excessive privacy permissions. University of Technology academic Kate Bower views these reforms as a positive step, emphasizing the urgency of protecting Australians from potential privacy breaches resulting from advanced technologies.
One significant aspect of these legislative changes is the potential introduction of a right for Australians to have their personal data erased, although this right would not override existing legal obligations such as the retention of identification and criminal records. Additionally, the government is contemplating a ban on targeted marketing based on sensitive information unless it can be deemed socially beneficial.
Children are also set to benefit from enhanced privacy protections. Entities would be prohibited from directly marketing to children and trading their personal information, with the implementation of a children’s online privacy code ensuring that their best interests are always taken into account.
Small businesses may no longer enjoy exemptions from privacy obligations applicable to large corporations, potentially necessitating increased investments in safeguarding personal information and the mandatory notification of consumers in the event of a data breach. While Australian Small Business and Family Enterprise Ombudsman Bruce Billson applauds these reforms as appropriately scaled, shadow attorney-general Michaelia Cash expresses concerns that they might place additional complexity and financial burdens on already struggling small businesses.
Furthermore, the government is exploring the expansion of personal data protections, particularly in the context of online identifiers like IP addresses and cookies. As modern technologies continue to integrate into public life, these expanded protections would go beyond the traditional safeguarding of names and street addresses.
Another noteworthy consideration is the potential introduction of a “right to be forgotten,” allowing individuals to request the removal of certain search engine results associated with their names under specific circumstances. Attorney-General Dreyfus emphasizes that Australians have a legitimate expectation that their data will be adequately safeguarded.
While some commend these legislative efforts, think tank Reset.Tech believes that more comprehensive measures are required and criticizes what it sees as the government’s yielding to pressure from large businesses. Executive director Alice Dawkins asserts that participation in the digital world is essential and that individuals’ rights should not be violated during their day-to-day online activities.
Of the 116 recommendations stemming from the Privacy Act review, the government has agreed to 38, offered in-principle support for 68, and noted 10. Notably, the proposal to narrow the exemption for politicians was among those noted. These privacy reforms are expected to be introduced into parliament in 2024.
Innes Willox, Chief Executive of the national employer association Ai Group, has expressed support for ensuring public confidence in the safe and responsible handling of privacy and data. However, Willox also voiced concerns about the potential consequences of over-regulation, which could hinder innovation and increase costs for businesses.
One major concern relates to the proposed removal of the exemption for Small and Medium Enterprises (SMEs) under the Privacy Act. Willox highlights that any modification to the employee records exemption could have wide-ranging implications, affecting how employers manage the employment relationship and comply with workplace laws, especially considering recent Industrial Relations (IR) reforms.
Willox emphasizes that what may appear to be a modest and targeted adjustment to the employee exemption could lead to unintended consequences, potentially impacting employee and community safety.
While acknowledging the support being offered to assist SMEs in complying with new regulations, Willox emphasizes that compliance is an ongoing process, as technology and business practices evolve. He underscores the need for a long-term partnership between the government and industry to address privacy concerns without stifling innovation.
Willox also commends the government’s commitment to consulting with industry stakeholders on this issue and expresses Ai Group’s readiness to collaborate with the government to find a balanced solution.
In addition to concerns about SME exemptions, Ai Group raises issues related to the introduction of a Data Protection Officer requirement and a Data Impact Statement. There is a concern that these measures could increase the regulatory burden on Australian businesses, particularly those in the public-facing sector. Ai Group calls for extensive consultation with various organizations to prevent regulatory overreach.
Ai Group advocates for the principle of Data Stewardship, which emphasizes the obligations and responsibilities of businesses, regardless of their size or industry, in managing data collected as part of their usual business operations or business models. This approach covers governance requirements, responsible data utilization, technological and behavioral strategies, and the secure disposal of data when it is no longer needed.
Bruce Billson, the Australian Small Business and Family Enterprise Ombudsman, emphasizes the importance of safeguarding personal information collected by businesses, irrespective of their size. He supports Attorney-General Mark Dreyfus’s recent decision to eliminate the privacy exemption for small businesses and is collaborating with the Australian Government to ensure the implementation of appropriately scaled and clear regulations.
Mr. Billson asserts that it is unrealistic for small businesses to have a blanket exemption from providing necessary and suitable protection for the personal information they hold about their customers, employees, and business partners. He acknowledges that applying the full suite of privacy principles, as required for larger businesses and government agencies, is impractical for small and family businesses due to resource constraints.
While recognizing the unique circumstances of small businesses, Mr. Billson welcomes the Attorney-General’s acknowledgment of their limited time and resources. He emphasizes that the exemption will only be removed after conducting an impact analysis, determining suitable replacements through consultation with the small business community, considering support packages, and establishing a transition period for small businesses to prepare.
Mr. Billson highlights the need for clear guidance and actionable steps that small businesses can take to protect personal information. This may involve providing procedural templates, information guides, and checklists to help them meet their privacy obligations. He also suggests integrating these efforts with other important reforms related to cyber risk management, Digital ID, payment times, digital engagement, and responsible artificial intelligence use.
Small businesses are acutely aware that losing customer confidence in their ability to protect personal information can result in lost business opportunities. Mr. Billson underscores the severe consequences of cyber hacks or malicious information releases, emphasizing that such incidents can irreparably damage a business’s operations and its relationships with employees, customers, suppliers, and partners.