G20 nation moves to modernised privacy code for online platforms, including binding rules. The proposed scope – and stakes for industry players – is substantial.
On 25 October 2021, the Australian Attorney-General’s department released, for public consultation, an exposure draft bill introducing amendments to the Privacy Act 1988 (Cth) (the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth), “Online Privacy Bill”) and a discussion paper seeking submissions on broader reforms to Australian privacy legislation (“Discussion Paper”). Our overview of the Online Privacy Bill and Discussion Paper is available here.
One of the main amendments proposed by the Online Privacy Bill is the introduction of a framework allowing the Office of the Australian Information Commissioner (OAIC) to register an OAIC-developed or industry-developed, enforceable online privacy code (“OP Code”) that would be binding on all large online platforms, social media services and data brokerage services providers (“OP Organisations”). This would supplement the current provisions under Part IIIB of the Privacy Act dealing with the development and registration of, and compliance with, APP codes that set out how one or more of the Australian Privacy Principles (APPs) will apply to a particular entity or class of entities (and may impose additional requirements). Currently there are two registered APP codes: one developed by the OAIC for Australian government agencies, and one developed by the Association of Market and Social Research Organisations (now the Australian Data and Insights Association) for its members.
Large online platforms and social media services are broadly defined in the Online Privacy Bill. This means a wide range of organisations with online operations could be affected by the proposed OP Code, going beyond the ACCC’s recommendation in its 2019 digital platform inquiry final report to create a privacy code enforceable against social media platforms, search engines and other digital content aggregation platforms.
Combined with the Bill’s removal of the condition that a foreign organisation has to collect or hold personal information in Australia to be subject to the Privacy Act, this would also include an organisation that collects personal information of Australians from a digital platform that does not have servers in Australia.
Submissions on the new Online Privacy Bill close on 6 December 2021. In engaging with the consultation and preparing for the implementation of the OP Code, impacted organisations should have regard to the following issues:
- The proposed OP Code will prescribe how OP Organisations must comply with certain APPs (including the description of uses and disclosures of personal information in privacy policies, as well as notice and consent requirements). It will also impose further requirements on OP Organisations to stop using or disclosing information on reasonable requests, and with respect to their interaction with children or other vulnerable individuals.
- Many of the changes that the Online Privacy Bill proposes to introduce through the OP Code in respect of OP Organisations echo similar reforms contemplated in the Discussion Paper for the broader economy (e.g. introducing a right to object, and amending the Privacy Act to expressly provide that consent should be voluntary, informed, current, specific, and unambiguous and that privacy notices be clear, current and understandable).
- A breach of the OP Code would be treated as an interference with the privacy of an individual, exposing OP Organisations to strengthened penalties (of up to the greater of $10 million, 3 times the value of the benefit, if determinable, or 10% of the relevant yearly turnover) and reinforced enforcement mechanisms otherwise contemplated in the Online Privacy Bill and the Discussion Paper.
- Particular restrictions regarding the use of the personal information of children align with similar rules under overseas data protection regimes including the EU General Data Protection Regulation (GDPR) and reflect a global regulatory focus on the safety of children using social media and the internet generally.
Our full briefing, which focuses on the implications under the Online Privacy Bill for a potential new OP Code and identifies the various types of organisations that will likely qualify as OP Organisations, can be found here.