The Latest in Marketing: Australia Privacy Reform

Melanie Balke
February 27, 2023

Marketing is all about learning; a good marketer stays on top of everything.

However, it’s hard to tackle everything and run a business! That’s why I’ve dedicated today’s blog post to some of digital marketing’s latest and hottest news. (Drumroll, please!)

If you’re not a native of Australia, you may be surprised by this, but there have been a lot of data breaches in the country. A quick search on the BBC’s website immediately yields a host of egregious IT slights from major economic players, including Optus telecommunications, Medicom, and Australia’s own Channel Nine.

In other words, there’s a big problem in Australia, and the government has been diligently tracking these serious invasions of privacy. More importantly, the Aussie powers that be are actively discussing new privacy laws and regulations, and these proposed reforms can have a big impact on your marketing.

You could do what I have — and read dozens of articles and opinion pieces — or you can make things simple for yourself and read this post!

Why Is This Happening?

A good teacher always told me that nothing happens in a vacuum.

These new legislative measures aren’t appearing from thin air! The many proposed changes — which I’ll discuss in a moment — are direct responses to a line of high-profile data breaches in the past few years. Aside from the obvious ramifications, these data breaches have highlighted Australia’s outdated privacy laws.

Frankly, there have been far too many incidents for me to name in a short blog post, but some of the major offenses include:

  • Australia’s Channel Nine (March 2021)
  • Medibank (October 2022)
  • Optus (September 2022)

All of these events were catastrophic, but the Optus and Medibank data breaches were uniquely disastrous.

What Happened During the Optus and Medibank Data Breaches?

The first breach that broke the back of the Privacy Act was Optus Telecommunications.

During this breach, cyber attackers held the Australian communications company hostage, demanding AU$ 1,000,000 to maintain the privacy of nearly 10 million customers — around 40% of the country’s population.

Eventually, the crisis ended with at least 2.8 million customers classified as having suffered “quite significant” personal information breaches.

A month later, in October 2022, Australia’s largest private insurer was breached. This attack exposed 9.8 million users’ data.

A Brief Timeline of Australian Privacy Principles

While these recent data breaches were important, the push to review Australia’s privacy regime began in 2020.

With the European Union’s General Data Protection Regulation as a template, the Australian Attorney-General’s Department compiled information from over 200 public and private entities. This report was released in 2021 as a discussion paper.

After more feedback and negotiation, the 2021 document was further refined. By December 2022, the Attorney-General was ready to release the final report — the Privacy Act Review Report.

However, the public unveiling of the document was delayed. In fact, the Privacy Act Review Report was only recently released to the public!

The lengthy report includes 116 proposals, so I won’t be reviewing the entire thing. However, having scoured the report notes, I’ve compiled a list of the most important points for digital marketers to know.

Out of the many changes the report proposes, I narrowed everything down to 5 essential issues:

  1. Expanded enforcement powers, primarily those of the Australian Information Commissioner
  2. Improved guidelines for consent requests
  3. Increased limitations on customer data and processing
  4. Reduced exceptions to the current Privacy Act
  5. Significantly increased penalties for violations

Now, before we continue, I need to stress that none of this is codified as law. Right now, Australia is reviewing the proposals and understanding what these changes may entail. Australia’s privacy laws have yet to change, and there’s no real guidance on when these proposals will (or will not) take effect.


It’s still good to be informed, so keep reading to learn more about the current scoop on the Australian Privacy Act.

What’s in the Privacy Act Review Report?

I’ve already outlined the most important tidbits of the report, but a line of text doesn’t explain much. We need to dig deeper if we want to understand what may be coming, so let’s take a closer look at what the report proposes.

Expanding Enforcement Powers

Expansion of the Office of the Australian Information Commissioner — the OAIC — is a recurring theme throughout the privacy legislation amendment proposal. While this office has powers, it currently has a fairly limited scope. Moreover, the OAIC’s ability to punish violators of the Privacy Act is surprisingly limited.

The report aptly proposes these changes, suggesting that the OAIC gain “… new powers for the IC in relation to investigations, public inquiries, and determinations.” (They’re not beating around the bush, either; that proposal comes from page 4 of the report!) Moreover, the report proposes that the OAIC develop guidance and lead the effort to define various aspects of the updated Privacy Act.

Additional updates to Australian privacy laws — and, more importantly, the government’s enforcement powers — are sprinkled throughout the report. Of the many changes, some of the most salient include the following:

  • A new ability to create both public and private inquiries into data breaches (page 260)
  • Developing guidelines for an annual OAIC report on infringement notices and cases (on page 266)
  • Greater power to punish any eligible data breach (noted on pages 262 and 264)
  • The power to request information at any time (page 259)

Among other measures, the revisions also suggest that individuals impacted by data breaches may be allowed to join a statutory tort in the future, particularly when sensitive information is made public.

(As an interesting aside: The report notes that most commenters agreed with these ideas. One of the few objections comes from Telstra, which suffered a sizeable data breach in 2015.)

Fewer Business Exemptions

As part of this ongoing fight to prevent “unauthorised access,” the current proposal suggests that fewer online services should be exempt. Under the revisions to the Privacy Act in 2000, many small businesses were exempt from these regulations. However, the new proposal may remove this small business exemption, with experts citing the lowering cost of data security.

Improving Consent Requirements

In addition to enhanced enforcement powers, the document suggests that further reform is needed in the consent department. As with the General Data Protection Regulation from the European Union, the proposed changes aim to protect personal information by limiting access to data.

The report goes so far as to suggest that Australian law experts convene to design consent requests with standardized formatting, language, or style. Again, the OAIC is being nominated to create these guidelines.

With the review of the Privacy Act amendments, there is also an explicit condemnation of certain advertising practices. Both dark patterns (using psychological tricks to trap consumers in cycles) and tricky consent forms (e.g., bundles and pre-checked boxes) have been singled out for the chopping block.

Introducing New Limitations and Privacy Practices

Inspired by the European Union’s GDPR, the Australian government has proposed a variety of new limitations and mandatory privacy impact assessments for businesses that collect personal information.

While there isn’t enough time for me to review each individual change, some of the highlights include the following:

  • Businesses must conduct assessments to determine what information is being held
  • Customers must be alerted to any possible impacts from data breaches
  • Defining certain types of Australian personal information that cannot be collected
  • Defining “high-risk activities”

Most of these points are self-explanatory, but I’ll quickly dive into the third and fourth amendments.

Information That Cannot Be Collected Under the Privacy Legislation Amendment

If you want to follow along in the official document, you’ll need to flip to page 128 to find the list of newly restricted data. Now, many of these items would never pass the fair and reasonable test of privacy, but that’s beside the point!

Should these new amendments pass without any editing (which they probably won’t!), businesses will no longer be able to track the following types of data:

  • Any data that could be considered discriminatory
  • Circumstantial facial tracking
  • Commercially used data for children
  • Data from scraping websites
  • Information about an individual’s “vulnerabilities” (i.e., disability)

Defining High-Risk Activities

The Attorney-General will also be given the power to restrict the scope of collected data if it falls under the “high risk” category. This data is considered sensitive information, and the potential risk may outweigh the benefit obtained from tracking this information — at least according to the new proposal.

Under the proposed amendment to the Privacy Act, “high-risk” data includes the following:

  • Biometric data
  • Large-scale processing of Australian personal information
  • Live or “real-time tracking” of a user’s location (also known as geolocation)
  • The personal information of a child

For the curious, this information can be found on pages 124 and 125 of the official report.

Raising the Bar on Maximum Penalties

Finally, the proposal suggests that — among its many other measures — Australian communications officials have access to increased penalties. Page 253 explicitly promotes a tiered punishment system, which classifies each offense into different categories. This new proposal will also allow victims of an eligible data breach to sue the company for damages.

The most severe tier includes the following offenses:

  • Any data breach that impacts a vulnerable population
  • Failure to protect highly sensitive information
  • Possession of any type of restricted data
  • Repeated privacy breaches
  • Widespread data breaches involving personal information
  • Willful, serious, or repeated interference

Generally, committing any of these acts is a surefire way to lose consumer trust. However, the current punishment is fairly lax in Australia. Should the new legislation pass, businesses can expect much steeper fines and stronger reprisals from enforcement bodies.

How Will the Privacy Act Report Impact Your Business?

Before you start panicking, let me reiterate what I said before: Nothing is official yet. As of this article’s publication — in February 2023 — the changes that this report proposes have not been made law. Rather, the document is merely a release of the Australian Attorney-General’s study on how data privacy benefits the public interest.

However, it’s always wise to keep your eye on the news!

If your company sells, or is planning to sell, goods to Australian consumers, these proposals may impact your operations! Anticipate the upcoming changes and adapt; don’t wait until the exposure draft becomes law.

The Perks of Hiring an Email Marketing Team

Alternatively, you can avoid the headache altogether!

Hiring a skilled marketing team — like The Email Marketers — gives you access to the best of digital marketing without the hassle of legal know-how. Just let the pros handle your campaigns, and you won’t have to worry about a data breach!

If you’re looking for a marketing partner, then The Email Marketers is a great place to start! Get in touch with us, and we’ll discuss your business’ needs and goals. In the meantime, keep checking the blog for more updates and marketing news!