A New Report to Government Says You Should
The Government published the recommendations of a review into Australia’s privacy laws this week. The review was asked to consider how privacy laws should be updated to include digital privacy. Its recommendations include legal rights to object to the collection of information, opt out of targeted ads, and erase personal information online. Here’s what you need to know.
The right to privacy in Australia is established by the Privacy Act. That Act was enacted in 1989, and while it has been updated since then, it has been slow to adapt to new online privacy risks. In 2020, the Coalition Government commissioned a review to consider how to update the Act. The final report of that review was published this past week. The Government is considering its response to the recommendations but has made a general commitment to pursue changes to privacy laws.
One recommendation of the review is to broaden the types of personal information covered by existing legal privacy rights. This includes specifying legal protection for online info such as IP addresses or geolocation data that can be used to identify someone. It also includes protections for “inferred” info – something a website learns about you even though you did not actively provide it.
The review also emphasises the importance of gaining a user’s consent before collecting personal information. It suggests requiring consent forms to be designed in a way that supports “voluntary, informed, current, specific, and unambiguous” consent, with the option to also withdraw this consent. In addition, it recommends companies should be held to a legal “reasonableness test,” considering whether an individual would reasonably expect their data to be collected and used, whether collection is necessary, and whether there is a risk of harm.
A range of new rights are recommended, including a right to object to the collection or use of personal information or to its provision to third parties. The review also recommends a right to erase, correct, or “de-index” from search engines any personal information online, to request any information a website has collected on you, and to opt out of direct marketing and targeted advertising. For children, the review suggests direct marketing and targeted advertising be disallowed by default.
The review recommends placing limits on how long companies can keep data, as well as stronger rules around “de-identified” data that a hacker could use to identify someone. It also suggests tighter rules on privacy practices for small businesses (which are currently exempt), political parties, and media organisations.
The review suggests some exceptions to these rights and rules would be required in circumstances of public interest. For example, it suggests personal data should be “quarantined” rather than erased if it could be required for law enforcement purposes.