By Heidi Bruce, Clint Fillipou, Jennifer Andrade and Emma Farncomb

26 March 2024

After a suspenseful wait, the Australian Government finally released its response to the Privacy Act Review Report on 28th September 2023 (the “Government’s Response”). The Privacy Act Review Report (“Privacy Report”), released in February 2023, proposed 116 recommendations to reform the Privacy Act 1988 (Cth) (“Privacy Act”). After an extensive consultation process, the Government has now released its response which sets out its position on each of these changes. We now have a much clearer picture of the privacy reforms in store for Australia. Heidi Bruce, Principal Partner at Anisimoff Legal – Sydney, examined the practical limits and industry concerns with some of the recommendations of the Privacy Report in her article focusing on targeted advertising. Here, we review the Government’s response to the Privacy Report, and give a snapshot of the current status of Australian privacy reform and the big changes on the way. Notably, the Government’s decision to discard one of the most problematic proposals to the Privacy Act highlights the importance of industry consultation in shaping legislative reforms.

Why are the reforms needed?

The major drivers for the reforms to Australia’s privacy laws have been to bring them more into line with international standards of privacy protection and evolve with changes in the digital realm.

The overhaul of Australia’s privacy laws have been in the pipeline for some years now. Although such reforms do not explicitly adopt an EU framework, the proposed reforms will bring a greater alignment with the EU General Data Protection Regulation (“GDPR”). Strengthening Australia’s privacy laws will provide greater protection for individuals and also promote confidence with cross border disclosures.

Greater maximum penalties for breaching the Privacy Act were introduced in 2022 (for more information, see this article by Rohan Vasudevan), indicating an increased appetite for regulatory enforcement and control in this space. These further reforms represent a significant overhaul to the rules, so it is important to gain a practical working knowledge of the changes. Although the Government has committed to implement such reforms in 2024, it is not likely until late 2024 and is expected to be rolled out in stages. Regardless, we now have a much clearer picture of what the new landscape will look like so it is time to start preparing now.

The Government’s Decision

In its response, the Government has either ‘Agreed’, ‘Agreed in Principle’ or ‘Noted’ each of the 116 recommendations from the Privacy Report. Those that are ‘Agreed’ will be prepared and released for consultation and those that are ‘Agreed in Principle’ will be subject to further consultation and analysis. Below we discuss a number of the more significant proposals that media and advertising businesses can expect in the 2024 Privacy Act reforms:

1. Targeted Advertising

In the Privacy Report, the Government proposed to legislate into the Privacy Act an unqualified right for individuals to opt out of receiving targeted advertising. This proposal was highly contentious for agencies and brands, and indeed all within the media and advertising industry, due to the broad interpretation of ‘targeting’ and its critical value for advertising.

Targeted advertising is highly intricate in practice, and comes in many forms including highly personalised advertising and broader market segmentation, and often involves de-identified or non-identifiable aggregated data. The use of data for targeted advertising purposes may also be necessary for organisations to comply with other legal requirements; to provide free content or services online; or to distribute socially beneficial advertisements (such as those with a charitable cause). Thus, an unqualified right to opt out of targeted advertising would have been a serious disruption to advertising practices and in many ways, unworkable, as raised by many industry participants in their submissions including the IAB, the AANA, and the MFA.

Fortunately, the Government has merely ‘noted’ this proposal, signalling that it is unlikely to be legislated into the Privacy Act – a development that undoubtedly brings relief to industry members. Nevertheless, targeted advertising remains under scrutiny through other proposals ‘agreed in-principle’. These include the requirement that targeting should be ‘fair and reasonable in the circumstances’, and the prohibition of targeting ‘based on sensitive information’ except when promoting ‘socially beneficial content’. These proposals show the Government’s focus to reduce manipulative or exploitative targeted advertising practices.

2. Direct Marketing

The Government also proposed an unqualified right for individuals to opt-out of their personal information being used for direct marketing purposes. This proposal, (unlike the unqualified right for targeted advertising), has been ‘agreed in principle’. This means the proposal is expected to be legislated in 2024 subject to further consultation with industry members.

Direct marketing involves organisations distributing communications to promote their goods or services directly to individuals. So, once an individual objects to their personal information being used for direct marketing, the relevant organisation who receives notice would need to cease doing so immediately. This proposal aligns Australia with various international standards. The GDPR contains a ‘right to object’ enabling individuals to request that their personal information is no longer used for direct marketing. Therefore, once these reforms come into effect, organisations will need to ensure that they have an effective method in place to cease the use of personal information for direct marketing upon request.

Furthermore, the Government has ‘agreed in principle’ to refine the definition of ‘direct marketing’ which currently lacks clarity in the Privacy Act. As the phrase is now undefined in the Act, it is difficult to differentiate it from the targeting of personalised content and advertising online. A clearer definition will offer much-needed guidance in these overlapping areas and will hopefully be informed further by industry consultation.

3. A ‘Privacy by Default’ Framework

Additionally, another significant amendment that has been ‘agreed in principle’ by the Government is the adoption of a ‘privacy by default’ framework. Currently in Australia, express or implied consent is enough to collect and use personal information, and businesses can rely on opt out mechanisms to show implied consent. Stronger consent requirements can apply in high privacy risk situations, such as where sensitive information is collected. The Government’s adoption of a ‘privacy by default’ system will mean a change to the definition of consent, to ensure that consent will need to be informed, unambiguous, current and voluntary, for the collection and use of personal information. It will also require that online privacy settings must reflect the privacy by default framework, and that entities providing online services must ensure all privacy settings are readily available and accessible to individuals. The ‘privacy by default’ principle (which is already adopted in the EU), requires that entities assume a ‘privacy first’ stance when developing default settings. Further guidance will be developed on how online consent requests will look and what layouts, wording or icons can be used.

The days may be numbered in Australia for the broad privacy collection statement with the opt out check box! Online businesses will need to revamp, as this will likely have a major impact on the inferred and implied consents currently broadly adopted by Australian businesses.

Although the ‘privacy by default’ system offers greater protection and transparency to individuals, this proposal still requires further consultation so that the practical concerns relating to the burden of compliance and the potential for ‘consent fatigue’ can be managed. Clear guidance from the Government on how companies can format their consent requests and adjust their internal processes to meet their obligations will be pivotal in ensuring Australia’s privacy laws can operate as intended. Regard should also be had to ensuring that the rules do not unduly restrain business or deprive consumers of content and benefits they expect.

4. Privacy Protections: Children

To address the rising concerns towards children’s safety within the online environment, the Government has promised to introduce a separate Children’s Online Privacy Code (“COPC”) and afford greater privacy protections to eliminate invasive forms of data collection used to target children. Similar to the UK’s ‘Age Appropriate Design: A Code of Practice for Online Services’, the COPC will ensure that in all circumstances, entities consider what is in the child’s best interest when using, collecting and handling children’s personal information. In support of this, the Government has further ‘agreed’ to define a ‘child’ as an individual under 18 years of age, clarifying the appropriate age of capacity to give consent. As ‘agreed’ recommendations, the Government will now begin drafting legislation in preparation for their implementation and enactment.

As children are vulnerable to manipulation and exploitative practices through advertising, the Government ‘agrees in principle’ to implement a strict prohibition against the use of children’s personal information for direct marketing and targeting (unless it is in the best interest of the child). Such changes will impose additional positive obligations upon digitised organisations to ensure they are aware of a person’s age where appropriate. This will involve monitoring the level of data that is collected from children, receiving informed consent if geolocation tracking data is used and ensuring that personal information is only used in circumstances where a child has voluntarily ‘enabled’ access via their privacy settings.

In the UK, with similar protections in place, TikTok was found to be inadequate in meeting its obligations to prevent underage users from creating TikTok accounts. Therefore, it is important for online entities to be aware of the consequences and fines for non-compliance that will be implemented. Although children’s privacy requires significant protection, the Government will need to strike a balance to ensure children’s freedom to participate in the online space is not jeopardised by restrictive regulations.

5. Removal of the Small Business Exemption

This is a major change to our privacy regime with a huge impact for small business currently out of scope of the privacy laws. Most small businesses with an annual turnover of $3 million or less are currently exempted from the Privacy Act. The Government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment. However, this should not occur until further consultation has been undertaken with small businesses and their representatives.

6. Trading of Personal Information

The Government agrees in-principle to introduce a requirement that an individual’s consent should be obtained to “trade” in their personal information, and to prohibit trading in the personal information of children. Very careful consideration will be needed by the Government here on the definition of ‘trading’. Industry concerns have been raised that if consent is to be required for trading, then this should not extend into any form of data sharing, or data set exchanges, to ensure that this is going to be workable for business.

Don’t Wait, Prepare Now!

Although various proposals are still under consultation, entities that operate within the online space should start preparing now by reviewing their privacy policies and internal arrangements to ensure they can more easily align with the intended changes. To minimise the operational burden and impact of these reforms, businesses are encouraged to evaluate their data governance processes to resolve the gaps in how they collect, manage or handle data. It is also important for businesses to understand how their consent framework operates and whether they have sufficient systems in place to address the potential costs associated with responding to increased individual rights and meeting data retention and destruction responsibilities. To stay prepared and avoid the risk of non-compliance, organisations will be well positioned if they are up-to-date with the Government’s latest reforms and actively re-evaluate their practices to adapt to the evolving privacy realm.

Contact us

If you would like further information on the upcoming changes to the Privacy Act and how it impacts on you or your business, please contact one of our experts below.