Australia has been considering a reform of its 1988 Privacy Act for several years now. While important amendments have been introduced since, such as the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 which implemented increased fines for serious privacy breaches and enhanced enforcement powers for the Australian Privacy Regulator (Office of the Australian Information Commissioner – OAIC), these amendment did not prevent high-profile breaches that shook up the country in 2022 and 2023, particularly Optus, Medibank, and Latitude Financial.
With increasing pressure from industry to facilitate cross-border data flows and consumer expectations shifting in light of the data protection efforts in the EU and across the globe, Australia is making progress towards more substantial reforms. On March 31, 2023, the last public consultation period ended during which comments were invited on the Australian Attorney-General’s Department’s Privacy Act Review Report which has been in the making for 3 years. Word is that a Bill to amend the existing Privacy Act may be tabled in 2023 or 2024.
This article sets out the main reform proposals while focusing on the Report’s recommendations regarding data anonymization, pseudonymization, and de-identification. For a thorough run-through of the Privacy Review Report, review this excellent source.
Proposed reforms to the Privacy Act
Broadening the definition of “personal information”: The Review Report suggests amending the Privacy Act’s definition of personal information to encompass information that “relates to” an individual, bringing it closer to the GDPR’s definition. It also recommends providing guidance on determining when information relates to an individual and their reasonable identifiability.
Introducing the concepts of “controllers” and “processors”: The Report proposes incorporating these concepts into the Privacy Act, aligning it with data protection laws like the GDPR in this respect as well. This change would extend the Act’s scope to entities processing personal information on behalf of the entities that have a direct relationship with the individual to whom the information pertains. Yet, the obligations data processors are subjected to are limited.
Rights to be forgotten, erasure, and objection: The Review Report suggests adding new rights to the Privacy Act. This includes a right to be forgotten, allowing individuals to request erasure of their personal information. It also introduces a right to object to certain forms of processing, including automated decision making, on top of the existing rights to access and correction.
Privacy Impact Assessments (PIAs): The Report recommends a new requirement for conducting PIAs for high-risk activities. Entities would need to assess the potential privacy impact of such activities and provide the PIA to the OAIC upon request.
Transparency requirements for automated decision-making (ADM): The Review Report proposes heightened transparency requirements for ADM. Entities would be obligated to disclose the types of personal information used in substantially automated decisions with legal or significant effects and provide individuals with meaningful information about how such decisions are made.
Direct right of action and statutory tort: The Report suggests introducing a direct right of action for breaches of the Australian Privacy Principles (APPs) and a statutory tort for serious invasions of privacy. This would allow individuals to seek relief from the courts for privacy interferences and establish liability for intentional or reckless intrusions into privacy.
Removal of small business exemption: Currently, the Privacy Act exempts small businesses with an annual turnover below AU$3 million. The Review Report proposes removing this exemption, making privacy obligations applicable to all entities regardless of their annual turnover. However, being mindful of potential compliance challenges for these businesses, measures are proposed to be undertaken to ensure they can comply with the Act’s requirements, e.g., adapting the requirements in proportion to the privacy risk data is typically exposed to in the small business context.
Strengthened notice, consent, and transparency: The Report suggests clarifying and strengthening the requirements for providing notice, obtaining consent, and ensuring transparency. This includes clear, concise, and up-to-date notices, codifying consent standards, and providing explanations for refusals of requests related to personal information.
Children’s privacy: The proposed reforms aim to enhance children’s privacy by introducing specific provisions, such as a statutory definition of a “child” and regulations on consent and targeted marketing. The OAIC would develop a “Children’s Online Privacy Code” for online services accessed by children.
Cross-border data transfers: The Review Report recommends retaining the Privacy Act’s existing framework for cross-border data transfers and suggests additions such as assessing the adequacy of other countries’ protection, making standard contractual clauses available, and increasing notification requirements.
Data anonymization, de-identification, and pseudonymization
The Review Report discusses the topic of de-identified, anonymized, and pseudonymized information at length. It acknowledges that the current definition of “de-identified” in the Privacy Act refers to information that is no longer reasonably identifiable and is outside the Act’s protections. However, due to the evolving digital landscape and advancements in technology, achieving irreversible anonymization is often extremely difficult or impossible.
The Report presents varying perspectives on the need for additional protections for de-identified, anonymized, or pseudonymized information. Some stakeholders support the proposal to replace the definition of “de-identification” with a definition of “anonymous information,” while others oppose it. Concerns are raised regarding the practicality of complete anonymization, especially for certain types of information like genetic or genomic data, which may never be truly divorced from the individual to which it relates.
The Report emphasizes the contextual nature of de-identification and suggests that the appropriate level of technical de-identification should be determined by the specific circumstances and the risk of re-identification. It also highlights the importance of employing best practices and existing frameworks, such as the De-Identification Decision-Making Framework (DDF), to ensure proper de-identification.
To address the risks associated with de-identified information, the Report proposes extending certain protections of the Privacy Act to such information. It suggests that entities should take reasonable steps to protect de-identified information from misuse, interference, loss, and unauthorized re-identification. Additionally, when disclosing de-identified information overseas, entities should ensure that the recipient does not re-identify the information or undermine its de-identification effectiveness.
The Report also considers the introduction of a criminal offense for malicious re-identification of de-identified information, targeting individuals with the intention to harm or obtain illegitimate benefits. However, concerns are raised about potential impacts on research, cybersecurity efforts, and the effectiveness of such an offense in deterring the most malicious actors.
Furthermore, the Report suggests prohibiting entities from re-identifying de-identified information obtained from a source other than the individual to whom the information relates, with appropriate exceptions. This prohibition would work alongside the requirement for entities to consider the reasonable identifiability of information when disclosing it.
Overall, the proposed reforms aim to strike a balance between protecting privacy and allowing the utility and productivity of de-identified data for research and service improvement. They emphasize the importance of context, best practices, and proportionate protections to manage the risks associated with de-identified information.
Private AI’s redaction tool can help with data anonymization, and it is well equipped to consider context-specific requirements. For one, Private AI uses machine-learning models that are context aware. It detects more than 50 different entity types of personal data across 49 languages. The models achieve 99+% accuracy, with structured, semi-structured, as well as unstructured data. Secondly, Private AI’s linguists train these modules on locale-specific formats for numerical personal data and optimize them for the particularities of each language, as different languages pose different challenges to Machine Learning models. Thirdly, the product allows the user to toggle on and off certain entities that require redaction, or that need to be retained in identifiable form to ensure the desired data utility.
Conclusion
Australia’s proposed privacy reform represents a significant effort to update the country’s Privacy Act and align it with international standards, particularly the GDPR. By modernizing the Privacy Act, Australia aims to enhance privacy rights, increase transparency, and improve data governance in the evolving digital landscape. Whether Australia will succeed in obtaining an adequacy decision from the EU Commission with these reforms remains to be seen.
