Date posted: 01/02/2022

Submission on review of the Privacy Act 1988 - director ID data standards and disclosure framework

Director ID forms part of the modernising business registers program

In our recent submission to the Attorney General’s office, we expressed our support and concern for certain proposals within the Privacy Act Review discussion paper. 

We support the introduction of the concept of public interest and interactions with other schemes. 

In Australia, existing and future legislation, as well as supporting schemes such as the Consumer Data Right (CDR), will rely on the principles provided by the Privacy Act 1988 (the Act). It is important that the Act continues to be the ‘one source’ for Government and business to reference in relation to personal information, to reduce regulatory complexity.

We raised the following concerns with these proposals:

  • To include inferred or generated information: currently, in the implementation of CDR, which extends to any inferred or generated information that contains even one CDR data point, the experience is that product developers cannot access individuals' data (unless they are accredited), which has limited their ability to use this data and offer a bespoke service or product.
  • That an entity need only take reasonable steps to stop collecting personal information when an individual withdraws their consent: this appears contrary to empowering the consumer. It is reasonable that an entity advises a consumer of the consequences of such a withdrawal but, once the consumer is informed and reiterates their specific withdrawal, the entity must stop collecting, using or disclosing this personal information.
  • To introduce an industry funding model and for that to be similar to ASIC’s model: as the intent of the Act is “to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information”, it is reasonable that the cost of monitoring compliance with the Act be borne by those individuals, that is, taxpayers. As is evident from recent headlines, and actions by the Government in 2021, the ASIC funding model is not effective and is leading to many of ASIC’s regulated population exiting the market.
  • Although not outlined in the Discussion Paper, we suggest that the role of the Office of the Australian Information Commissioner (OAIC) be further extended to provide educative support to business and consumers. The Act is complex, and we believe an appropriate starting approach would be educating consumers about their rights and the obligations of business. Considering the shift to digitisation and online service delivery, it will also be important for the OAIC to provide practical guidance and best practice information.

Small Business

We also noted that we do not support removing the exemption for very small and micro Australian businesses, being businesses with a turnover of less than $3 million. 

There is no evidence that privacy queries and complaints relating to small and micro businesses have increased with advances in technology, thus the removal of the exemption would simply increase the complex regulatory environment faced by these businesses without providing individuals with better protection of their personal information.
