The Privacy, Data Protection and Cybersecurity Law Review: Australia

Overview

In Australia, the key legislation governing privacy and data protection is the Privacy Act 1988 (Cth) (the Privacy Act). It regulates the handling of personal information by:

  1. private sector organisations (with some exceptions; for example, businesses with an annual turnover of less than A$3 million); and
  2. federal government agencies (most state and territory government agencies are instead governed under various state-based regimes).

The Privacy Act is also the key legislation governing cybersecurity. However, as cybercrime is increasingly seen as a growing threat to Australia's economy and national security, lawmakers are increasingly addressing cyber issues through stand-alone legislation2 rather than by seeking amendments to the Privacy Act, which is principles-based and deals with cybersecurity only in relation to personal data (see Section IX).

There is no general charter of human rights in Australia, and as such there is no general recognition of privacy being a fundamental right under Australian law. However, some jurisdictions within Australia have enacted human rights legislation that recognises the protection of privacy as a human right.3

Privacy also receives some protection through developments to the common law, particularly developments in the law relating to confidential information.4 To date, the Australian courts have not recognised a specific cause of action to protect privacy, although there has been judicial suggestion that such a development may be open under common law.5

The introduction of a statutory tort for invasions of privacy has long been the subject of debate. Opponents of such a development point to Australia's lack of a clear, balancing statutory right of freedom of expression. The introduction of a statutory tort for invasions of privacy was recently recommended by the competition regulator, the Australian Competition and Consumer Commission (ACCC), as part of its Digital Platforms Inquiry. The proposal is under consideration by the federal government as part of its current review of the Privacy Act.

A statutory privacy tort is only one of many sweeping privacy reforms proposed by the ACCC and under review by the federal government. In parallel, we are seeing a better funded and increasingly active privacy regulator (the Office of the Australian Information Commissioner (OAIC)), as well as a competition regulator (ACCC) keen to weigh in on privacy matters in the competition and consumer context. Other regulators, such as the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulatory Authority (APRA), are also increasingly focused on cybersecurity.

The year in review

Privacy and cybersecurity regulation in Australia is currently in a rapid state of development, which has seemingly accelerated over the past year.

In relation to privacy regulation, we have seen the following.

  1. The federal government's review of the Privacy Act (expected to result in a legislative overhaul).
  2. A number of significant enforcement actions by the OAIC (including by commencing proceedings against Facebook, seeking the imposition of pecuniary penalties for the first time).
  3. A continued interest in privacy and data handling issues by the competition and consumer regulator, the ACCC (including by successfully taking misleading conduct action against Google in relation to its collection of location data).

We have also continued to see Australian businesses grapple to navigate the extraterritorial operation of the EU's General Data Protection Regulation (but the focus of this chapter is Australian laws and regulations).

In relation to cybersecurity regulation, we have seen the following.

  1. The federal government's commitment of A$1.67 billion to uplift Australia's cybersecurity, including by strengthening Australia's cybersecurity regulatory regime. The proposals may include voluntary codes, a potential new director's duty and the broad expansion of the current critical infrastructure act.6
  2. The corporate and financial services regulator, ASIC, taking action alleging that cybersecurity issues gave rise to breaches of the Corporations Act 2001 (Cth) (an Australian first).
  3. APRA remaining focused on enforcing the comprehensive cybersecurity obligations placed on banks, insurers and superannuation entities under various prudential standards.
  4. A proposed expansion of the application of critical infrastructure legislation through the release of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

These developments are discussed in more detail throughout this chapter.

Regulatory framework

i Privacy and data protection legislation and standards

The Privacy Act protects personal information – that is, information or an opinion about an identified individual or an individual who is reasonably identifiable.7 It contains 13 Australian Privacy Principles (APPs) that apply throughout the information life cycle – from collection, use, storage and disclosure, through to destruction. The OAIC has published APP Guidelines (the Guidelines) to assist organisations in complying with the APPs. Although the Guidelines are not legally binding, they provide guidance as to how the APPs will be applied by the OAIC.

The Privacy Act does not distinguish between entities that control and those that process personal information – any handling of personal information, whether holding, processing or otherwise, is regulated by the APPs. Special protection is afforded to 'sensitive information', such as information relating to health, political opinions, religious beliefs and sexual practices.

Under the Privacy Act, penalties of up to A$2.22 million can be imposed on corporations for 'serious' or 'repeated' interferences with privacy. The OAIC is active, and, as mentioned above, is currently pursuing pecuniary penalties for the first time (from Facebook). The OAIC regularly commences investigations and often seeks enforceable undertakings in response to findings of non-compliance. See Section VII for more details on recent enforcement actions by the OAIC.

In addition to the Privacy Act, data handling practices can also be regulated under the prohibitions against misleading or deceptive conduct in the Australian Consumer Law (ACL).8 For corporations, the maximum penalty per breach is the greater of A$10 million, three times the value of any benefit gained or 10 per cent of annual domestic turnover.

ii General obligations for data handlers

Collecting personal data

Entities can collect personal information only by lawful and fair means, and only where reasonably necessary for their functions or activities.9 In practice, this means that entities must minimise the personal information they collect so they do not hold data unnecessarily. In addition, sensitive data can be collected only with consent. Collecting entities also have obligations to notify individuals of certain prescribed matters when their information is collected.10

Using and disclosing personal data

Entities may only use or share personal information:

  1. with consent;
  2. for the purpose for which it was collected (the 'primary purpose');
  3. for a secondary purpose that is related to the primary purpose, where the individual would reasonably expect this; or
  4. if another exception applies (e.g., the use or disclosure is required by Australian law).11

In practice, this means that entities wishing to use or share personal information for secondary purposes beyond the primary purpose of collection must generally take steps to either:

  1. obtain the relevant individuals' consent; or
  2. ensure the secondary purposes are related to the primary purpose and that the individuals would reasonably expect the data handling.

Historically, many entities (particularly entities collecting data online) have tended to outline intended secondary uses or disclosures in a privacy policy or terms of use as a means of establishing consent to, or a reasonable expectation of, certain data handling. However, this approach is becoming increasingly risky, and it is likely that entities at large will be forced to change tack in the short to medium term. In 2019, in a determination against Flight Centre, the OAIC indicated that consents that are bundled or not sufficiently specific may not be valid, even where individuals have indicated their agreement to the handling of their information as set out in the privacy policy or other documentation.12 Further, the approach was criticised by the ACCC in its Digital Platforms Inquiry Final Report, and these issues are under review as part of the federal government's current review of the Privacy Act.

Special rules apply where personal information is used or shared for the purposes of direct marketing.13

Protecting personal data

Entities have a general obligation to take reasonable steps to protect information they hold from misuse, interference and loss, and unauthorised access, modification or disclosure.14 They must also destroy or de-identify information once it is no longer needed for a purpose for which it may lawfully be used under the APPs (see Section IX).

iii Data subject rights

Access

Individuals can request access to their personal information, and entities must comply with these requests subject to certain exceptions (for example, where giving access would pose a serious threat to another individual or would have an unreasonable impact on their privacy).15

Correction

Entities must take reasonable steps to correct personal information upon an individual's request.16

Erasure

According to the Guidelines, the 'reasonable steps' an entity must take to correct personal information on request may include 'making appropriate . . . deletions'. However, individuals do not have a right to require the erasure of their personal information. This is currently being considered as part of the current review of the Privacy Act.

Portability

The 'consumer data right' is now operational in the banking sector, facilitating data portability for banking customers. The energy sector will follow (this is currently being progressed by the ACCC). It is expected that the consumer data right will then be rolled out across other industries; for example, the telecommunications sector.

Redress and enforcement

Individuals do not have a direct cause of action against entities to seek redress for breaches of the APPs. However, an individual may complain to the OAIC, which can determine that compensation be paid to the individual.

As with the right of erasure, the federal government is currently considering whether a direct cause of action for individuals should be introduced.

iv Specific regulatory areas

The Privacy Act contains two key exemptions.

  1. Acts or practices that are directly related to a current or former employment relationship and that involve an employee record held by the employer are exempt under the employee records exemption.17 In practice, this means that many data handling activities of entities in relation to their own employees are exempt.
  2. Small businesses with an annual turnover of less than A$3 million per year are not bound by the provisions of the Privacy Act.

However, whether these exemptions should remain is one of the issues being considered as part of the current review of the Privacy Act.

Although the Privacy Act applies to the handling of personal data generally, certain categories are regulated under specifically drafted legislative regimes; for example:

  1. the handling of health information is regulated under a patchwork of state-based legislation applying across both private and public sectors;
  2. the handling of credit-related information by credit providers and credit bureaus is regulated under specific provisions in the Privacy Act (as is the handling of tax file numbers);
  3. the handling of data in the context of the consumer data right regime is regulated under the Competition and Consumer Act 2010 (Cth); and
  4. the handling of digital health records under the My Health Records system (an opt-out national electronic health records system) is regulated under the My Health Records Act 2012 (Cth).

Separate legislative regimes regulate electronic marketing and surveillance. Electronic marketing is regulated by the Spam Act 2003 (Cth), and surveillance (including workplace surveillance) is governed by various state-based legislation.

v Technological innovation

The Privacy Act is technologically neutral and its provisions apply to new technologies. Some examples are below.

Online behavioural advertising

The direct marketing principle, APP 7, has been taken by the OAIC18 to apply to online behavioural advertising (OBA). In consequence, the requirement of APP 7 to allow people to opt out of marketing communications could apply to advertisements appearing through use of OBA.

Cookies or other tracking technologies

Although Australia does not have any specific cookie legislation, the collection of data through the use of cookies or other tracking technologies could amount to the collection of personal information if the individual's identity is known or able to be reasonably determined by the collector or if cookie information is associated with other personal information. In these circumstances, the requirements of the APPs will apply accordingly.

Facial and speech recognition technologies

Because sensitive information under the Privacy Act includes biometric information that is used for the purpose of automated biometric identification, the use of automated facial and speech recognition technologies will require compliance with the obligations of the APPs relating to sensitive information. These obligations include the requirement to obtain consent before the information is collected.

Artificial intelligence

At present, there are no specific provisions in the Privacy Act or other legislation dealing with the disclosure of artificial intelligence or automated decision-making technologies. Entities using personal information to develop, train or test artificial intelligence technologies must ensure the use is fair and lawful under the Privacy Act, even if the data is only being used within an internal development environment.

International data transfer and data localisation

i Restrictions on international data transfers

The Privacy Act provides that, prior to disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information.19 This requirement does not apply if:

  1. the entity reasonably believes that the overseas recipient is bound by a law similar to the APPs that the individual can enforce;
  2. the individual consents to the disclosure of the personal information in a particular prescribed manner; or
  3. another exception applies (e.g., the disclosure is required by Australian law).

The consent has to be an informed consent and in many cases its requirements are difficult to satisfy in practice. Further, in many cases the overseas recipient will not be subject to a similar overseas law that is enforceable by the individual. Accordingly, in most cases the entity must take 'reasonable steps' to ensure that the overseas recipient does not breach the APPs prior to disclosing the information to the overseas recipient. The Guidelines indicate that taking reasonable steps usually involves the organisation obtaining a contractual commitment from the overseas recipient that it will handle the personal information in accordance with the APPs. Importantly, where the entity takes this reasonable steps option, it will be deemed liable for any breach of the APPs by the overseas recipient.20 Given this, it is common for entities sharing data overseas to seek indemnities or uncapped liability in relation to loss caused by privacy breaches (where they have the bargaining power to do so).

ii Data localisation requirements

There are three data localisation requirements under Australian law, all of which apply to particular entities charged with managing specific data sets.

  1. Credit bureaus must store the credit reporting information they compile in Australia.21
  2. Organisations that manage the My Health Records system must store digital health records in Australia.22
  3. Cloud service providers storing land information under the Electronic Conveyance National Law must store the data in Australia.23

Company policies and practices

An entity must have a clearly expressed and up-to-date policy about its management of personal information.24 Certain prescribed matters must be addressed, and the policy must be made available free of charge (generally online).

An entity must also take reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs.25 This overarching obligation is generally understood as requiring entities to implement the principles of 'privacy by design'. The OAIC has published guidance on how it expects entities to comply with this general obligation.26 For example, entities should:

  1. undertake privacy impact assessments for new or changed data handling practices;
  2. implement risk management processes to identify and manage personal information security risks (including by assessing risks posed by third-party contractors);
  3. conduct regular internal privacy compliance training; and
  4. maintain internal policies such as:
    • a data breach response plan;
    • a data retention and destruction policy; and
    • an internal privacy policy setting out the responsibilities of personnel and reporting and governance arrangements.

Discovery and disclosure

Under the Privacy Act, personal information can generally only be used and disclosed for the purpose for which the information was collected or for a related secondary purpose that would be reasonably expected by the individual.27 The disclosure of information in response to national or foreign government requests, or in response to domestic or foreign discovery court orders or internal investigations, would not normally satisfy this requirement. However, there are a number of exceptions that may, depending on the circumstances, be available to allow disclosure in response to such requests or orders.

In the case of Australian legal proceedings, disclosure is permitted if it is 'required or authorised by or under an Australian law or a court/tribunal order'.28 This will allow disclosures that are required or authorised under Australian rules of court.

In addition, disclosure is permitted where it is 'reasonably necessary for the establishment, exercise or defence of a legal or equitable claim'.29 Disclosure of information in the course of legal proceedings where the disclosure is necessary to either assert or defend a claim will accordingly be permitted. Further, disclosure is permitted where it is reasonably necessary for the purposes of a 'confidential alternative dispute resolution process'.30 This will permit disclosures in the course of confidential mediations and the like. However, these exceptions do not apply to the disclosure of information to someone outside Australia and so would not be available for claims being pursued in foreign courts.

One option that might be available in some circumstances would be to redact all personal information from the relevant document before the document is disclosed outside Australia. Whether a document that has been redacted in this way will still comply with the orders of the foreign court will depend on the circumstances.

With respect to disclosures outside Australia, acts done outside Australia do not interfere with privacy if the act is required by an applicable law of a foreign country.31 This exception may be of use where relevant personal information is already located outside Australia and, pursuant to the legal process in the place where it is located, it has to be disclosed to someone in that place. The exception will not be available with respect to information that is located in Australia.

To disclose information in response to the order of a foreign government or court, the disclosure will have to comply with both APP 6 (governing the use and disclosure of personal information) and APP 8 (the cross-border disclosure principle). There has been no binding Australian legal decision on the consequences of a person receiving, in Australia, an order from a foreign court requiring the disclosure of personal information outside Australia. To satisfy both APP 6 and APP 8, the party seeking disclosure of the information outside Australia is likely to have to apply under a relevant international treaty (such as the Hague Convention), to which Australia is a party and which has been implemented in Australian local law. If these conditions can be satisfied, then the disclosure of the information outside Australia will be 'required or authorised by or under an Australian law' and so will be permitted.32

The US introduced the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) to enable its foreign partners to enter into agreements with it to facilitate law enforcement cooperation. In 2019, the federal government announced it would be entering into negotiations with the US for a bilateral agreement under the CLOUD Act.33 On 24 June 2021, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 was passed, which facilitates Australia providing access to foreign law enforcement agencies to electronic information and communications data controlled by Australian communications providers. It also creates an expedited mechanism for Australian law enforcement agencies to request production of data from offshore communications providers (replacing the current Mutual Legal Assistance Treaty system). The new legislation also provides the legislative framework for Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communications data (e.g., a bilateral agreement with the US under the CLOUD Act).

Public and private enforcement

i Enforcement agencies

The OAIC

The regulator responsible for enforcing the Privacy Act is the OAIC.

If an individual makes a privacy complaint, the OAIC has the power to attempt, by conciliation, to effect a settlement of the matter. The OAIC can also make a determination that:

  1. the entity has interfered with the privacy of an individual and must cease the conduct;
  2. the individual is entitled to compensation for loss or damage suffered (including for injury to feelings or for humiliation); and
  3. the entity must take reasonable actions to redress any loss or damage suffered by the individual.

Where such a determination is made, the individual or the OAIC may commence proceedings in court to enforce the determination.

The OAIC also has the power to accept enforceable undertakings from entities under investigation. These undertakings are enforceable by the OAIC in the Federal Court. An enforceable undertaking may be offered by the entity in the course of resolving an OAIC investigation.

The OAIC also has the power to audit organisations, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.

Finally, the OAIC may apply to the Federal Court or Federal Circuit Court for a penalty (currently, up to A$444,000 for individuals or A$2.22 million for corporations) to be imposed for 'serious' or 'repeated' interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate individuals for breaches of the Privacy Act. Pecuniary penalties had never been sought until 2020, when the OAIC commenced proceedings against Facebook. The proceedings are ongoing, but it seems the OAIC may attempt to seek the maximum penalty of A$2.22 million in relation to each individual severe breach of the APPs. These proceedings against Facebook are discussed in more detail below.

Other regulators

Privacy and data security issues are increasingly coming under scrutiny from other regulators. The ACCC is increasingly taking action on privacy and data handling issues under its competition and consumer law powers. Further, in an Australian first, the corporate and financial services regulator (ASIC) recently commenced proceedings alleging that various cybersecurity issues gave rise to breaches of the Corporations Act 2001 (Cth).34

In addition, APRA, the body charged with overseeing banks, insurers and superannuation entities to promote financial stability in Australia, has enacted various prudential standards placing comprehensive cybersecurity obligations on regulated entities. APRA is active in enforcing these requirements (see Section IX).

ii Recent enforcement cases

OAIC determination against Uber35

In July 2021, the OAIC published its determination against Uber Technologies, Inc and Uber BV, which found that they interfered with the privacy of an estimated 1.2 million Australians by failing to comply with:

  1. the requirement in APP 11.1 to take reasonable steps to protect personal information against unauthorised access; and
  2. the requirement in APP 11.2 to take reasonable steps to delete or de-identify personal information that is no longer needed for a permitted purpose.

The OAIC also found that the Uber companies failed to comply with the requirement in APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs.

The OAIC's investigation into Uber was prompted by a cyberattack experienced by Uber in 2016.

The OAIC made a number of declarations, including that the Uber companies must prepare relevant policies (such as data retention and destruction policies) and engage an independent third party to report on compliance.

The OAIC did not award compensation, stating that it is not authorised under the Privacy Act to award compensation simply because an organisation has breached the Act – an affected individual must supply evidence of loss or damage to be entitled to a remedy.

OAIC determination against the Department of Home Affairs36

In January 2021, the OAIC published its determination against the Department of Home Affairs (a federal government agency), which found that the Department had interfered with the privacy of 9,231 detainees in immigration detention by mistakenly publishing their information on a public website. This was determined to be an unauthorised disclosure of personal information and a failure to take reasonable steps to protect personal information.

This determination is significant because it was the first representative action where the OAIC awarded compensation for non-economic loss to individuals affected by a mass data breach. The compensation ranged from A$500 to A$20,000 per person, depending on the severity of the impact on each individual.

OAIC determination against Flight Centre37

In December 2020, the OAIC published its determination against Flight Centre Travel Group Ltd, which found that Flight Centre had interfered with the privacy of almost 7,000 customers by failing to comply with:

  1. the requirement in APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs;
  2. the requirement in APP 6.1, by disclosing personal information to third parties without consent, for a purpose other than the primary purpose of collection; and
  3. the requirement in APP 11.1 to take reasonable steps to protect personal information against misuse and loss and from unauthorised access, modification or disclosure.

Flight Centre had accidentally disclosed personal information (including credit card and passport information) to third parties without consent, during a 'design jam'.

The OAIC declared that Flight Centre must not repeat the conduct but did not take any other action (perhaps due to Flight Centre's prompt response to the incident, cooperation with the OAIC and attempts to lessen the impact on individuals (including by making payments to replace passports)).

As mentioned above, this determination has implications for data collection and use practices (see Section III.ii).

ACCC proceedings against Google in relation to location data

In 2020, the ACCC commenced proceedings against Google LLC,38 alleging it had engaged in misleading conduct and had made false representations to consumers about how and when it collects and uses their personal information in relation to location data. It was the first case brought globally to probe Google's approach to location data collection.

In April 2021, the Federal Court of Australia found that Google did engage in misleading conduct because of the way it presented its collection, storage and use of users' personal location data in its privacy statements.

The Court's finding makes clear to businesses that representations made in their privacy policies and privacy settings could lead to liability under the ACL.

The ACCC has also commenced a second misleading conduct case against Google in relation to the 2016 changes to its privacy policies regarding its decision to combine DoubleClick data with other user data held by Google. This second case is listed for hearing at the end of 2021.

OAIC proceedings against Facebook following the Cambridge Analytica scandal39

In March 2020, the OAIC commenced proceedings against Facebook, Inc and Facebook Ireland Ltd (Facebook) for breaches of the APPs identified by the OAIC following the Cambridge Analytica scandal.

The OAIC is alleging that Facebook breached, in relation to 311,127 Australian Facebook users, both:

  1. APP 6.1, by disclosing personal information for a purpose other than the primary purpose of collection, without obtaining adequate consent or otherwise ensuring the users were adequately informed of the disclosures that would occur; and
  2. APP 11.1, by failing to have adequate practices and systems in place to ensure information was being disclosed appropriately.

The case is still ongoing and will likely have major implications for digital businesses operating from offshore entities. Critically, this case will set precedents for determining both the quantum of future penalties under, and the scope of the extraterritorial application of, the Privacy Act.

iii Private litigation

In general, privacy legislation is only enforceable in Australia by the relevant authority. However, some limited private rights of action do exist; particularly, a general right under the Privacy Act for anyone to seek an injunction to restrain conduct that would be a contravention of the Act.40

Considerations for foreign organisations

i Extraterritorial application of the Privacy Act

The Privacy Act has a broad extraterritorial application. It applies to the overseas activities of Australian organisations as well as to foreign organisations that have an 'Australian link'.41 However, if an organisation's overseas activity is required by the law of a foreign country, then that activity is not taken to amount to an interference with the privacy of an individual.42

An organisation is considered to have an Australian link if there is an organisational link43 (for example, the organisation is a company incorporated in Australia or the organisation carries on business in Australia and collects or holds personal information in Australia).44 This has been interpreted as including an organisation that has a website that offers goods or services to countries including Australia.45

The OAIC's June 2021 determination against Uber (see Section VII.ii) is a clear indication of the OAIC's expansive view of the extraterritorial application test under the Privacy Act. Further, the OAIC's proceedings against Facebook are likely to set a precedent for determining the scope of this extraterritorial application. In September 2020, the Federal Court rejected Facebook's assertion that it did not have an Australian link as it did not carry on business in Australia, or collect or hold personal information in Australia. Facebook is appealing this decision.

ii Decryption laws

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) allows law enforcement and security agencies to seek assistance from a broad range of entities that supply communications services and devices in Australia (for example, entities that install or maintain data processing devices). Such assistance may include decrypting communications and facilitating access (physical and online) to data processing devices.

Cybersecurity and data breaches

i Privacy Act – cybersecurity

As mentioned above, APP 11 requires an organisation to:

  1. take such steps as are reasonable in the circumstances to protect information from misuse, interference and loss; and from unauthorised access, modification or disclosure; and
  2. delete or de-identify personal information once it is no longer needed.

Although no specific security standards are mandated, the OAIC has published non-binding guidance on the reasonable steps entities are required to take to protect the personal information they hold, including in relation to the processing of information by third parties.46 This guidance is currently being refreshed by the OAIC after conducting a consultation process.

ii Privacy Act – data breach notification

The Privacy Act requires entities to notify the OAIC and affected individuals in the event of an 'eligible data breach'. An eligible data breach occurs when:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
  2. this is likely to result in serious harm to one or more individuals; and
  3. the entity has been unable to prevent the likely risk of serious harm with remedial action.

The OAIC has published guidance to assist entities in preparing for and responding to data breaches in accordance with these requirements.47

iii APRA-regulated entities – cybersecurity and security incident notification

In addition to the Privacy Act obligations described above, APRA-regulated entities (banks, insurers and superannuation entities) are bound by prudential standards issued by APRA.

  1. CPS 231 (Material Outsourcing) requires that all outsourcing of material business activities be subject to appropriate due diligence, approval and ongoing monitoring. Although it applies to outsourcings generally, it needs careful consideration when outsourcing business functions involving data handling and ICT systems.
  2. CPS 234 (Information Security) requires regulated entities to take measures to be resilient against information security incidents (including cyberattacks) by maintaining information security capabilities commensurate with vulnerabilities and threats. Importantly, CPS 234 requires entities to notify APRA of information security incidents within 72 hours of becoming aware of them.

APRA can enforce these prudential standards and has recently signalled that it will focus on ensuring that CPS 234 is fully complied with, including by requiring regulated entities to undergo cybersecurity reviews by independent auditors.48

Outlook

i Privacy developments

The coming year will be significant for privacy regulation in Australia. As mentioned throughout this chapter, the federal government is currently in the process of reviewing the Privacy Act. In late 2020, the government released the first issues paper for consultation, and industry is currently awaiting the release of a second issues paper.

The Attorney General's review is likely to result in significant reform to the Privacy Act, with issues such as the removal of the small business and employee records exemptions being considered. Reforms are also likely to include significantly increased penalties and stronger enforcement powers for the OAIC, stricter requirements for when and how consent is obtained, an updated definition of 'personal information' to include technical data and online identifiers, and additional protections in relation to de-identified information. We expect that these changes could require entities to undergo technological change to comply.

ii Cybersecurity developments

The coming year will also be significant for cybersecurity regulation. At present, cybersecurity is largely governed by the general, principles-based security obligations in the Privacy Act. However, 2021 has seen the proposal of prescriptive, stand-alone cyber legislation as part of a broader strategy to strengthen the security of Australia's infrastructure.

Exposure drafts of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have been released. The proposal is to expand the application of the Security of Critical Infrastructure Act 2018 (Cth) to cover a far broader cross-section of the Australian economy. It is likely to affect entities operating in a number of sectors including communications, data storage and processing, financial services and markets, energy, transport and healthcare.

In addition, the Australian Labor Party has introduced a private member's ransomware bill (the Ransomware Payments Bill) to facilitate the sharing of de-identified information to assist the law enforcement response to ransomware attacks. The proposal is to require entities making ransomware payments to notify the Australian Cyber Security Centre as soon as practicable.

In summary, privacy and cybersecurity regulation in Australia is in a rapid state of development. Entities conducting business in Australia will need to pay close attention to these developments in the short to medium term.

Footnotes

1 Gavin Smith is a partner and Emily Cravigan is a managing associate at Allens.

2 See, for example, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the Ransomware Payments Bill 2021.

3 Human Rights Act 2004 (ACT) Section 12; Charter of Human Rights and Responsibilities Act 2006 (Vic) Section 13; Human Rights Act 2019 (Qld) Section 25.

4 See in particular Giller v. Procopets [2008] VSCA 236.

5 See Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd (2001) 208 CLR 199.

6 Department of Home Affairs, Australia's Cyber Security Strategy 2020 (6 August 2020), 8.

7 Privacy Act 1988 (Cth) Section 6(1).

8 The Australian Consumer Law is found in the Competition and Consumer Act 2010 (Cth).

9 Privacy Act APP 3.

10 Privacy Act APP 5.

11 Privacy Act APP 6.

12 Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020).

13 See Privacy Act APP 7. The Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) may also be relevant, depending on the circumstances.

14 Privacy Act APP 11.

15 Privacy Act APP 12.

16 Privacy Act APP 13.

17 Privacy Act Section 7B(3).

18 Office of the Australian Information Commissioner (OAIC), 'Australian Privacy Principles guidelines', Chapter 7: Australian Privacy Principle 7 – Direct marketing (Privacy Guidelines, 22 July 2019), https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-7-app-7-direct-marketing/.

19 Privacy Act APP 8.

20 Privacy Act Section 16C.

21 Privacy Act Section 20Q.

22 My Health Records Act 2012 (Cth) Section 77.

23 Electronic Conveyance National Law, as implemented in each state and territory's national law and operating requirements.

24 Privacy Act APP 1.3.

25 Privacy Act APP 1.2.

26 OAIC, 'Privacy management framework: enabling compliance and encouraging good practice' (Privacy Guidelines, 4 May 2015), https://www.oaic.gov.au/privacy/guidance-and-advice/privacy-management-framework-enabling-compliance-and-encouraging-good-practice/.

27 Privacy Act APP 6.

28 Privacy Act APP 6.2(b).

29 Privacy Act Section 16A(i)(4).

30 Privacy Act Section 16A(i)(5).

31 Privacy Act Section 13D(1).

32 That is, permitted under both Privacy Act APP 6.2(b) and APP 8.2(c).

33 Peter Dutton, 'Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton' (Media Release, 7 October 2019).

34 See Australian Securities and Investments Commission, '20-191MR ASIC commences proceedings against RI Advice Group Pty Ltd for alleged failure to have adequate cyber security systems', (Media Release 20-191MR, 21 August 2020).

35 Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (30 June 2021).

36 'WP' and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2.

37 Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020).

38 ACCC v. Google LLC (No. 2) [2021] FCA 367.

39 Office of the Australian Information Commissioner, 'Commissioner launches Federal Court action against Facebook' (9 March 2020), https://www.oaic.gov.au/updates/news-and-media/commissioner-launches-federal-court-action-against-facebook/.

40 Privacy Act Section 98.

41 Privacy Act Section 5B(1A).

42 Privacy Act Section 13D(1).

43 Privacy Act Section 5B(2).

44 Privacy Act Section 5B(3).

45 OAIC, Chapter B: Key concepts (Privacy Guidelines, 22 July 2019), https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts/.

46 OAIC, 'Guide to securing personal information' (Privacy Guidelines, 5 June 2018), https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information/.

48 Geoff Summerhayes, 'Executive Board Member Geoff Summerhayes – speech to Financial Services Assurance Forum' (Speeches, 26 November 2020), https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services.
