New Report on Limits of “Consent” in Australia’s Data Protection Law
Authors: Dominic Paulger and Elizabeth Santhosh
Elizabeth Santhosh is a current law student at Singapore Management University and an FPF Global Privacy intern.
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fifth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Australia, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Australia’s Data Protection Landscape
The cornerstone of Australia’s federal data protection framework is the Privacy Act of 1988, which was passed in 1988, commenced in 1989, and gives effect to the Organisation for Economic Co-operation and Development’s (OECD) 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as Australia’s obligations under international human rights law to protect privacy.
The Privacy Act originally only applied to the public sector, but subsequent amendments to the Privacy Act over its 33-year lifespan have extended the scope of the Act so that the Act now covers the public sector and organizations in the private sector that either have an annual turnover of over AU$3 million or fall within certain prescribed industries.
Amendments made in 2010 to the Privacy Act established the Office of the Australian Privacy Commissioner (OAIC), which is responsible for, among other things, issuing guidance on how organizations can comply with the Privacy Act. The Office also investigates and resolves complaints concerning organizations’ personal information practices, including, where necessary, issuing formal decisions known as determinations.
Major reforms to the Act’s privacy protections in 2014 introduced a unified set of Australian Privacy Principles (APPs) applying to both the public and private sectors. Any organization that is covered by the Privacy Act must comply with the 13 APPs, which broadly establish rights and obligations for:
- collection, use, and disclosure of personal information;
- anonymous and pseudonymous personal information;
- use of personal information for direct marketing;
- cross-border transfer of personal information;
- quality and security of personal information; and
- access to and correction of personal information.
The latest amendments, in 2018, introduced a notifiable data breach scheme for organizations that are subject to security obligations under the Act.
In recent times, there has been significant discussion on the need to reform the Privacy Act, as well as Australia’s broader data protection framework, to respond to challenges to individuals’ privacy posed by the exponential growth in digital technologies, social media platforms, and the Internet of Things (IoT).
In 2019, the Australian Competition and Consumer Commission (ACCC) published its Digital Platforms Inquiry which highlighted risks from the business models of Big Tech companies and suggested the Australian government conduct a review. This eventually led the Attorney General’s Department (AGD) to release an issues paper in 2020 inviting public consultation on whether the Privacy Act and its enforcement mechanisms remain fit for purpose and possible avenues for reform, followed by a discussion paper with more detailed proposals one year later.
Alongside public consultation on reform to the Privacy Act, the AGD has also held consultation on a new bill, the “Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021” (Online Privacy Bill) which, if passed, would complement the Privacy Act by introducing a binding online privacy code with which social media and other online platforms would have to comply, or face legal penalties. The status of the Online Privacy Bill is currently uncertain following recent federal elections in Australia.
Role and status of consent in the jurisdiction
Consent plays an important role in the Privacy Act and is relevant to the operation of a number of APPs.
Though consent is not required for all collection of personal information under the APPs, consent is required for the collection of certain prescribed categories of “sensitive” personal information, unless an exception applies.
Consent also functions as an exception that permits certain acts in relation to personal information that would otherwise be prohibited under the APPs – namely:
- collection of personal information from a source other than the data subject;
- use or disclosure of personal information for a different purpose than the purpose for which the personal information was originally collected;
- use of personal information for direct marketing purposes; and
- cross-border transfer of personal information, without taking reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs in relation to that information.
The APPs also impose detailed notification and notice requirements which operate independently of consent requirements. Organizations that are subject to the Privacy Act are generally required to maintain a privacy policy providing information about the organization’s activities in relation to personal information as well as how individuals may exercise their rights under the APPs in relation to their information. Additionally, organizations are required by default to notify individuals of certain prescribed matters when the individual’s personal information is collected or as soon as reasonably possible after collection.
These existing consent and notification requirements have been the subject of much discussion during consultation on reform to the Privacy Act as there is widespread recognition that organizations over-rely on consent. The general direction of reform proposals seems to be in favor of strengthening the legal test for what constitutes valid consent, while at the same time reducing the frequency with which, or circumstances under which, individuals are asked to provide consent. However, there are signs stemming from the consultations on the potential reform of the Privacy Act that Australia may ultimately move away from a “privacy self-management” approach and towards an approach that places greater accountability on organizations by requiring that collection, use, or disclosure of personal information must be fair and reasonable in the circumstances. It remains to be seen how these proposals will evolve in the future.
Read the previous reports in the series:
- New Report on Limits of “Consent” in South Korea’s Data Protection Law
- New Report on Limits of “Consent” in Hong Kong’s Data Protection Law
- New Report on Limits of “Consent” in New Zealand’s Data Protection Law