Australians will gain a right to sue for “serious” breaches of privacy under reforms that would also require small businesses to comply with privacy laws for the first time.
Children will also gain extra privacy protection, but a broader right for adults to opt out of targeted advertising recommended by the attorney general’s department has been rejected by the Albanese government, a decision likely to disappoint consumer rights advocates.
On Thursday the attorney general, Mark Dreyfus, will respond to his department’s review of the Privacy Act, agreeing with 38 of its 116 recommendations and agreeing in principle to 68 more which will require further consultation before a final decision. The government intends to legislate the changes in 2024.
The government has merely “noted” – not accepted – 10 recommendations including to provide individuals with “an unqualified opt-out of receiving targeted advertising”, and the proposals to narrow the political exemption to the Privacy Act.
That decision will leave people exposed to “misleading” tactics including political parties or campaigns offering to facilitate postal votes in order to harvest their information, which the Australian Electoral Commission has complained about during the Indigenous voice referendum.
A document summarising the government’s response, distributed by Dreyfus’s office under embargo, explained parties are exempt “to encourage freedom of political communication and enhance the operation of electoral and political processes in Australia”. The independent MP Kate Chaney has put forward a private member’s bill that would end parties’ exemption to privacy laws.
Under the government’s plan, entities will be prohibited from targeting and directly marketing to children, and trading in the personal information of children. Labor has also agreed with the call for a children’s online privacy code that recognises the best interests of the child when handling their personal information.
It agreed in principle that entities should be prohibited from targeting individuals based on sensitive information – such as race or sexual orientation – unless it is socially beneficial content.
The government agreed in-principle with the right to sue for invasions of privacy that are “serious, preventing individuals from pursuing legal action over more trivial matters”.
This would allow people to seek compensation for serious misuse of private information or intrusion on seclusion, such as being filmed in circumstances where they would have a reasonable expectation of privacy.
Plaintiffs would need to show the interest in privacy outweighs any countervailing public interest, meaning that public interest journalism may not be actionable. The government intends to undertake further consultation with media companies.
After a fierce backlash about the effect on reporting, journalism will remain exempt from the Privacy Act, and media organisations will remain exempt from provisions compelling companies to tell individuals what information they hold about them, if requested.
Media companies had complained this could expose them to nuisance complaints or fishing expeditions designed to frustrate newsgathering by the subjects of public interest journalism.
But media organisations will need to keep information secure, destroy it when it is no longer needed and report eligible data breaches to the office of the Australian information commissioner.
Currently, most small businesses with an annual turnover of $3m or less are exempt from the Privacy Act and have no obligation to keep personal information secure or to notify affected individuals in the event of a data breach.
The government agreed in principle to remove this exemption, although the department recommended that an impact analysis, transition period and support package should be provided first.
The government agreed in principle that data collection should be “fair and reasonable” and to expand the definition of personal information to include data that could identify them, such as cookie identifiers and IP addresses.
The government agreed in principle with a proposed right of erasure but criminals would have not have a right to erase their records and the right would not override laws requiring companies to retain identification documents.
It also agreed in principle with the proposed limited right to request a search engine remove results from an internet search of the person’s name, but not to remove public reporting. De-indexing may make content harder to find on the internet, but will not remove the content at its source.