
We've put together a summary on the Privacy Act Review and the potential impacts for DSPs. If you prefer a PDF version, access it here.

Executive Summary


The Australian government is set to introduce significant amendments to the Privacy Act 1988, reflecting the need to adapt to the evolving digital landscape and align with global privacy standards. 

This document provides an overview of the Act's changes and how they may impact Digital Service Providers (DSPs) and security frameworks such as the ATO's Operational Security Framework and DSPANZ's Security Standard for Add-on Marketplaces (SSAM).

Introduction


The Privacy Act 1988 is undergoing its most substantial revisions since its enactment, driven by technological advancements and increased digital data usage. The proposed amendments are designed to bolster personal data protection, enhance privacy rights, and, in some circumstances, better align the Act with international requirements such as the European Union's General Data Protection Regulation (GDPR).

It is important to note that the government has agreed to many of the proposed changes in principle, meaning the details are still being worked out.

Analysis of Regulatory Changes & Potential Impacts


The proposed changes to the Privacy Act are expected to impact DSPs handling sensitive financial and personal data. 

Overall, there are wide-ranging potential impacts for DSPs (as outlined below) that may drive compliance costs. While not covered below, the government has indicated there will be changes to the small business and employee record exemptions.  

Expanded Definition of Personal Information

Proposed Change: The expanded definition of personal information will include inferred and technical information (such as IP addresses) that can reasonably identify an individual. 
Potential Impacts to DSPs: DSPs will need to treat more types of data as personal information and update data handling and security protocols accordingly.


Enhanced Consent

Proposed Change: There will be requirements to ensure consent is clear, informed and voluntary.
Potential Impacts to DSPs: DSPs will need to ensure user interfaces and data collection processes make it easy for users to understand what they are consenting to. This may involve more detailed information prompts during sign-in and data collection processes.


Increased Data Security Obligations

Proposed Change: The Act will include specific requirements and guidance on securing, destroying, or de-identifying personal information.
Potential Impacts to DSPs: DSPs will need to ensure that data is adequately protected during use and suitably disposed of when no longer needed. This may include implementing data minimisation strategies where only essential data is collected and ensuring that privacy settings are set to high by default.
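As an added illustration of the data minimisation and de-identification practices described above (this is example code written for this summary, not code from DSPANZ, the ATO or the Privacy Act Review), the following Python snippet treats IP addresses and email addresses as personal information, keeps only the fields a stated purpose actually needs, and replaces the IP address with a keyed pseudonym before the record is retained. The log records, field names and key are constructed for the example; the HMAC-based pseudonymisation is one common de-identification approach and is an assumption about the DSP's design, not a requirement of the Act.

```python
import hashlib
import hmac
import re

# Constructed sample records (not from the page). Under the expanded
# definition, "ip" and "email" are treated as personal information.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T10:00:00Z", "ip": "203.0.113.7",
     "email": "alice@example.com", "action": "login",
     "user_agent": "Mozilla/5.0"},
    {"ts": "2024-05-01T10:02:13Z", "ip": "198.51.100.23",
     "email": "bob@example.com", "action": "export",
     "user_agent": "curl/8.0"},
]

# Data minimisation: only the fields needed for the stated purpose
# (here, security monitoring) are kept; everything else is dropped.
REQUIRED_FIELDS = {"ts", "ip", "action"}

# Matches IPv4 literals embedded in free-text messages.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise(value: str, key: bytes, length: int = 16) -> str:
    """Return a keyed, truncated HMAC-SHA256 pseudonym for `value`.

    The same value under the same key maps to the same pseudonym, so
    records about one source stay linkable for monitoring, but the
    original value cannot be recovered from the pseudonym. Destroying
    the key removes even the ability to re-derive pseudonyms.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def minimise_and_deidentify(record: dict, key: bytes) -> dict:
    """Drop non-essential fields and pseudonymise the IP address."""
    kept = {k: v for k, v in record.items() if k in REQUIRED_FIELDS}
    if "ip" in kept:
        kept["ip"] = pseudonymise(kept["ip"], key)
    return kept


def redact_free_text(text: str, key: bytes) -> str:
    """Replace IPv4 literals in free text with their pseudonyms."""
    return IPV4_RE.sub(lambda m: "ip:" + pseudonymise(m.group(0), key), text)


def process_batch(records: list, key: bytes) -> list:
    """Apply minimisation and de-identification to a batch of records."""
    return [minimise_and_deidentify(r, key) for r in records]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-rotate-in-production"
    for r in process_batch(SAMPLE_RECORDS, demo_key):
        print(r)
    print(redact_free_text("failed login from 203.0.113.7", demo_key))
```

The key should live in a secrets store with access limited to the component that writes records, and rotating it breaks linkability across rotation periods, which is usually the desired trade-off for retained logs.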


Right to Erasure

Proposed Change: Individuals can request the deletion of their data under specific circumstances, such as irrelevance or cessation of the original processing purpose.
Potential Impacts to DSPs: DSPs will need to implement mechanisms that allow users to exercise this right easily, such as mechanisms that locate and remove data upon request.


Right to Object to Processing

Proposed Change: Individuals can refuse the processing of their data for specific uses, such as direct marketing or profiling. 
Potential Impacts to DSPs: DSPs will need to offer users more control over how their data is used, particularly in analytics and marketing, and adjust their data processing activities to accommodate user preferences. 


Right to Data Portability

Proposed Change: This right will help users to transfer their data from one provider to another and facilitate a smooth transition between service providers.
Potential Impacts to DSPs: DSPs may see increased competition and be required to offer consumers the ability to export their data in a usable format. 


Stricter Penalties and Enhanced Regulatory Powers

Proposed Change: The Office of the Australian Information Commissioner (OAIC) will impose higher fines and possess broader enforcement powers, including the ability to engage in more robust investigative actions and to coordinate more effectively with international privacy enforcement bodies.
Potential Impacts to DSPs: DSPs will face substantial financial risks for non-compliance.


Direct Right of Action

Proposed Change: Individuals can pursue direct legal recourse against entities for privacy breaches. 
Potential Impacts to DSPs: This could increase litigation and require more robust in-house legal expertise within DSPs.


Global Reach of the Privacy Act

Proposed Change: The Act's jurisdiction will extend to any business that processes data of Australian citizens, irrespective of the business's location.
Potential Impacts to DSPs: DSPs operating internationally need to ensure their global operations comply with the Privacy Act, which adds a layer of complexity to international data management.


Regulation of High-Risk Activities

Proposed Change: High privacy risk activities, like large-scale data processing and automated decision-making, will be subject to stricter regulations.
Potential Impacts to DSPs: DSPs must integrate privacy considerations at the design stage and continuously assess and mitigate risks associated with these activities.


Impacts on ATO and DSPANZ Security Frameworks


ATO DSP Operational Security Framework (OSF)

  • Data Security Enhancements: The OSF will likely include guidelines on the encryption of personal data and the management of access controls, which would require DSPs to upgrade their technologies and policies. 
  • Incident Response: The OSF will stipulate stricter incident reporting requirements, demanding faster notification to authorities and affected individuals in the event of data breaches. 

Security Standard for Add-on Marketplaces (SSAM)

  • Increased Due Diligence: DSPs that host add-on marketplaces will need to conduct thorough assessments of each add-on's compliance with privacy laws before listing it, ensuring that add-ons adhere to the highest security standards.
  • Regular Audits: Regular audits might become a standard practice to enforce compliance, involving detailed reviews of add-ons' data handling and privacy practices.


Conclusion


The proposed amendments to the Australian Privacy Act 1988 represent a pivotal shift towards strengthening data protection and privacy management. They demand that all entities, especially those in the technology and digital sectors, recalibrate their operational strategic frameworks. DSPs, in particular, will face challenges in aligning their products and services with these stringent standards, necessitating a proactive and informed approach to compliance.
