11 December 2020

4.1 As outlined in the Issues Paper, the Privacy Act currently includes exemptions in relation to small businesses, employee records, registered political parties and political acts and practices, and journalism.

4.2 The protections provided by the Privacy Act therefore do not apply to the way that exempt entities handle personal information, including sensitive information. Importantly, this means that individuals have no means of recourse if their personal information is mishandled, and exempt entities are not required to notify individuals or the OAIC about eligible data breaches under the NDB scheme.

4.3 As noted in the Issues Paper, the exemptions were introduced in 2000 when the Privacy Act was extended to the private sector. The OAIC considers that the privacy risks that have emerged in the last 20 years have changed to the extent that it is no longer justifiable to exempt major parts of the economy from the operation of the Act. Personal and sensitive information held by small businesses, employers and political parties is not immune to the substantial risks that exist in the digital environment. The existence of the exemptions may also impact on the ability of overseas entities to transfer data to Australian entities.[84]

4.4 The OAIC therefore recommends removing the current exemptions in the Privacy Act relating to small businesses, employers and employee records, and political parties. It is appropriate to consider more comprehensive privacy protections for all Australians, including through the NDB scheme, regardless of the type of entity that holds their information or the particular purpose for which it is held. A more detailed explanation of this recommendation is included for each exemption below.

4.5 At this stage, the OAIC is not recommending the removal of the journalism exemption; however, we will consider the submissions made to the review by other stakeholders and may revise this position in our future engagements with the review process.

Small business exemption

7. Does the small business exemption in its current form strike the right balance between protecting the privacy rights of individuals and avoiding imposing unnecessary compliance costs on small business?

8. Is the current threshold appropriately pitched or should the definition of small business be amended?

a. If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way?

9. Are there businesses or acts and practices that should or should not be covered by the small business exemption?

10. Would it be appropriate for small businesses to be required to comply with some but not all of the APPs?

a. If so, what obligations should be placed on small businesses?

b. What would be the financial implications for small business?

11. Would there be benefits to small business if they were required to comply with some or all of the APPs?

12. Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?

4.6 The OAIC considers that the small business exemption is no longer appropriate in light of the privacy risks posed by entities of all sizes and the regulatory uncertainty created by the application of the exemption.

4.7 As noted in the Issues Paper, the small business exemption was introduced in 2000 in recognition of the potentially unreasonable compliance costs for certain small businesses. These businesses were considered to pose little or no risk to the privacy of individuals.

4.8 The Issues Paper asks whether the exemption strikes the right balance between protecting the privacy rights of individuals and avoiding unnecessary compliance costs on small business. This question implies that there is a trade-off between the protection of personal information and the cost to business. Rather, the OAIC considers that the protection of personal information is a vital part of doing business and of creating a level playing field, both between entities and between entities and individuals. Appropriate privacy protections create the consumer trust and confidence needed to support economic and social engagement with the product or service, regardless of an entity’s size.

4.9 The small business exemption does not apply to specific business types, listed in ss 6D(4)-(9), recognising that these types of business were seen to pose a higher privacy risk at the time. However, as noted in the Issues Paper, there is a lack of certainty about which small businesses are brought into the Privacy Act, particularly in relation to businesses that trade in personal information.

4.10 There is also confusion and concern in the community about the application of the Privacy Act to these entities.

The OAIC’s 2020 ACAPS results found that 85% of respondents either mistakenly believed that the Privacy Act applied to small Australian businesses or did not know whether small Australian businesses were covered.

The survey also found that this exemption runs counter to community expectations, with 71% of respondents considering that small businesses should be covered by the Privacy Act.[85]

4.11 Small businesses are now increasingly collecting, holding and handling personal information in connection with their activities and in order to deliver their services. At the same time, as at 30 June 2019, small businesses with a turnover of $3 million or less comprised 95.2% of the 2,375,753 businesses actively trading in the Australian economy.[86] The OAIC receives hundreds of enquiries and complaints each year about the conduct of small business operators, with the highest numbers of complaints relating to real estate agencies, property management businesses (property/construction/architects/surveyors) and professional services firms, including legal, accounting and management services.

A common complaint received by the OAIC is where an entity discloses an individual’s personal information (which can include the name and address of the individual) in response to a negative review of the business. The information disclosed sometimes includes sensitive information. The OAIC is often unable to address these matters as the respondent is a small business operator.

In another case, the personal information of an individual involved in a family violence dispute was disclosed to the offender. As a result of the disclosure, the individual feared for their safety. The OAIC could not investigate the matter as the entity that disclosed the information was a small business operator under the Privacy Act.

In another case, an ICT provider held personal information on behalf of a business that was subject to a data breach. The ICT provider did not meet the $3 million threshold, destroyed evidence relating to the data breach and refused to cooperate with the OAIC.

4.12 The small business exemption is also an anomaly amongst international privacy laws. No other comparable international jurisdiction exempts small businesses from the coverage of privacy legislation. The small business exemption has proved to be one of the major issues for Australia in seeking adequacy under the GDPR, due to the lack of privacy requirements in relation to a large section of the economy. The recent decision of the Court of Justice of the European Union (the Schrems Decision) has highlighted the importance of EU Adequacy decisions as a means of enabling transfers of data from the EU to overseas jurisdictions.[87]

4.13 The OAIC therefore considers that there is strong justification for removing this exemption, and recommends that all businesses, regardless of size and activity, be covered by the Privacy Act.

4.14 As noted above, the principles-based approach established by the Privacy Act enables the APPs to apply to entities across the economy. The APPs provide entities with the flexibility to take a risk-based approach to compliance, based on their particular circumstances, including size, resources and business model, while ensuring the protection of individuals’ personal information. This means that the way that a small business complies with the APPs will be different to the way in which a large multinational corporation will comply.

4.15 The OAIC does not consider that it is sufficient to amend the definition of small business to introduce a new threshold, or to cover or exclude specific acts or practices of small businesses. Businesses of all sizes can pose privacy risks, regardless of their turnover, as demonstrated by the examples set out above. Likewise, new privacy risks are constantly emerging, and there is a risk that an expanded list of entities that are not considered to be ‘small business operators’ under s 6D of the Privacy Act will quickly become out of date. The OAIC considers that this approach would not be consistent with the flexible and technology-neutral framework of the Privacy Act and does not support the community in knowing whether their information is required to be protected.

4.16 Similarly, the OAIC does not consider that it would be appropriate for small businesses to be required to comply with some, but not all, of the APPs. The APPs are structured to reflect the cycle that occurs as entities collect, hold, use, disclose, and destroy or de-identify personal information. In other words, the APPs are designed to protect personal information throughout the information lifecycle. Accordingly, individual APPs cannot be read, or apply, in isolation. A holistic approach to compliance with the APPs is required to give full effect to the privacy protection framework set out in the Act.

4.17 The OAIC has experience with assisting small business to achieve compliance with the Privacy Act, regardless of any human or financial resource limitations. The OAIC is therefore well placed to support small businesses to meet their compliance obligations should the Privacy Act be extended to these entities.

Recommendation 27 Remove the small business exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Employee records exemption

13. Is the personal information of employees adequately protected by the current scope of the employee records exemption?

14. If enhanced protections are required, how should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed?

15. Should some but not all of the APPs apply to employee records, or certain types of employee records?

4.18 The OAIC supports the removal of the employee records exemption. As with the small business exemption, the OAIC considers that removing the exemption will address the risks posed to the personal information of employees and create benefits for employers by increasing trust and confidence in their personal information handling practices and addressing regulatory uncertainty about the scope of the exemption.

4.19 The OAIC considers that the most important policy objective is to ensure that an individual’s personal information is protected to the same standard, whether they are employed in the public sector or in the private sector.

The OAIC’s 2020 ACAPS results show that 73% of Australians agree that businesses collecting work-related information about employees should be required to protect personal information in the same ways that government and larger businesses are required to.[88]

4.20 Employers often hold sensitive information about their employees, including health information, which is generally subject to a higher standard of protection under the Privacy Act. Exempting this information from protection poses a significant risk to the individuals the information is about.

An employee’s personal information was mishandled and stolen from the respondent’s offices. The personal information was then used to commit identity fraud. The OAIC could not investigate whether the personal information had been appropriately secured by the respondent as the information was contained in an employee record.

The OAIC received a complaint that a former employer allegedly disclosed that the complainant had been suspended from their job through an autoreply email that was connected to their work address. The OAIC could not investigate this matter due to the employee records exemption.

4.21 The introduction of the employee records exemption was justified on the basis that the handling of employee records is better dealt with under workplace relations legislation. The OAIC acknowledges that it is important to ensure that there is no regulatory duplication; however, the OAIC does not consider that the two frameworks are inconsistent. Record keeping requirements under other regimes complement the Privacy Act and should enable employers to easily meet their compliance obligations under the APPs.

4.22 The employee records exemption is limited in its scope, applying only to an organisation acting in its capacity as an employer or former employer of an individual, in relation to acts or practices that are directly related to the employment relationship and an employee record held by the organisation. Employers who are ‘organisations’ under the Privacy Act are therefore required to comply with the Act for all personal information handling that falls outside the scope of the exemption. As noted in the Issues Paper, a recent decision by a Full Bench of the Fair Work Commission found that the exemption will only apply once an employee record has been generated, meaning that the requirements of the APPs with regard to collection and notice currently continue to apply.[89]

4.23 The OAIC considers that it is likely to create a greater compliance burden for employers to determine when the Privacy Act does or does not apply to a particular personal information handling activity than to have it apply to all the personal information that they hold.

4.24 As with the small business exemption, there is no comparable employee records exemption in international privacy jurisdictions.

4.25 As outlined in relation to the small business exemption, the APPs offer sufficient flexibility to businesses to take a risk-based approach to compliance, based on factors including their size and the number of employees that they have. It is important that all the APPs apply, given that they are designed to provide protections to personal information throughout the information lifecycle. The review should consider the exceptions in APP 12 in light of the removal of the employee records exemption, to ensure that they remain appropriate and fit for purpose in an employment context.

4.26 Further, the OAIC considers that the compliance costs for employers would be relatively low, given they will likely have obligations under the Privacy Act in relation to any other personal information handling activities they carry out as part of their business.

4.27 The Issues Paper raises concerns about an employer’s ability to rely on the consent of an employee to the collection, use or disclosure of their personal or sensitive information, given the power asymmetry that may exist between employers and employees. The OAIC agrees that power asymmetries in any relationship affect the validity of consent, whether that is between employers and employees,[90] or in some circumstances, between businesses and consumers. This is a key limitation of consent, as outlined in Part 5, below. However, this limitation would not preclude an employer from being able to collect, use or disclose an employee’s personal or sensitive information where there is a genuine business need for it to do so. There are exceptions in APP 3 to the requirement for consent to the collection of sensitive information, for example, where the employer is required or authorised by law to collect this information. Similarly, an employer could use or disclose the personal information of an employee under APP 6 in situations where it did not have the express consent of the employee, for example, where the employee would have a reasonable expectation that the employer would use or disclose the information in a particular way. The OAIC has made a number of recommendations in this submission that seek to address the limitations of the consent model.

Recommendation 28 Remove the employee records exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Political exemption

16. Should political acts and practices continue to be exempted from the operation of some or all of the APPs?

4.28 Political parties are neither government agencies nor commercial entities. They perform unique and essential roles in political recruitment, policy development and political socialisation and mobilisation. Political parties are the mechanisms that define electoral competition and political identification.

4.29 One view is that the processing of personal data by parties for the purposes of ‘democratic engagement’ is different to general personal information handling, and that the public interest in ‘knowing the electorate’ should allow a wide latitude to process personal data to educate and mobilise voters.

4.30 However, this assertion is being called into question. Parallels can be drawn between many activities of political parties and those of marketing organisations (for example, online and offline advertising, employing data analytics companies, using social media space, and testing and retesting political messaging).

4.31 Modern political campaigns around the world have become ‘data-driven’ in order to consolidate existing support and target new voters and donors. Some campaigns create detailed profiles of individual voters to ‘micro-target’ increasingly precise messages to increasingly refined segments of the electorate. Sophisticated data analytics tools were employed in the two elections won by Barack Obama in 2008 and 2012, leading to a general assumption that all campaigns must now be data-driven to be successful.

4.32 The effects of ‘data-driven’ elections have been apparent in countries where political parties are not covered by data protection laws. For example, the European Council noted that the Cambridge Analytica case demonstrates that data protection ‘has become a key issue not only for individuals but also for the functioning of our democracies because it constitutes a serious threat to a fair, democratic electoral process and has the potential to undermine open debate, fairness and transparency’.[91]

4.33 This also illustrates how potential infringements on the right to protection of personal information could affect other fundamental rights, such as freedom of expression, freedom to hold opinions and freedom to think freely without manipulation.

4.34 The OAIC has opposed the political parties exemption since its introduction, on the grounds that there are still few well-articulated policy reasons why the exemption should apply to political parties and political acts and practices, at least in its blanket form. There is also a risk that the exemption’s effect on political transparency may damage Australia’s system of representative democracy, as well as the public’s trust in Australia’s privacy protections.

The OAIC’s 2020 ACAPS results revealed that 62% of the Australian public incorrectly believed that political parties were covered by the Privacy Act, with 74% of respondents stating that political parties should be subject to the Act. These results indicate that there is also a disconnect with community expectations in this area.[92]

Recommendation 29 Remove the political parties exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Journalism exemption

17. Does the journalism exemption appropriately balance freedom of the media to report on matters of public interest with individuals’ interests in protecting their privacy?

18. Should the scope of organisations covered by the journalism exemption be altered?

19. Should any acts and practices of media organisations be covered by the operation of some or all of the APPs?

4.35 As outlined in the Issues Paper, the journalism exemption was introduced into the Privacy Act in recognition of the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.

4.36 The exemption is limited to a media organisation’s activities in the course of journalism and does not extend to the media organisation’s other functions and activities, such as advertising, website functions, competitions and surveys, or subscriptions. Any personal information handling that occurs in the course of these activities will be regulated by the Privacy Act.

4.37 The journalism exemption can be distinguished from the other exemptions in the Privacy Act, as it only applies to media organisations that have publicly committed to published privacy standards. Personal information handled in the course of journalism is therefore subject to some level of privacy protection and oversight, for example, by bodies such as the Australian Press Council or under codes of practice overseen by the Australian Communications and Media Authority. The journalism exemption is also consistent with other global privacy legislation, including that of New Zealand and Canada, and the GDPR.

4.38 The OAIC considers that it may be appropriate to introduce enforceability requirements in relation to the oversight bodies of media organisations by shifting their operation to an external dispute resolution (EDR) scheme model. They could then be recognised under s 35A of the Privacy Act, thereby enabling a greater level of oversight by the Commissioner.

4.39 The OAIC will consider relevant information submitted by stakeholders as part of the Issues Paper consultation before making any further recommendations about the journalism exemption.

Recommendation 30 Introduce greater enforceability requirements for the privacy safeguards covering media organisations. The review could consider whether the EDR scheme model is appropriate to achieve this outcome.

Footnotes

[84] Note that the predecessor to the European Data Protection Board, the Article 29 Working Party, issued an Opinion that raised concerns that the exemptions under the Privacy Act meant that Australia could only be considered adequate if appropriate safeguards were introduced to meet the Working Party’s concerns. See Article 29 Data Protection Working Party, Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000. This issue is discussed further in the Overseas data flows section, below.

[85] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, pp. 58-60.

[86] Australian Bureau of Statistics, 8165.0 Counts of Australian Businesses, including Entries and Exits, Jun 2015 to Jun 2019, prepared for the OAIC in April 2020. This figure does not take account of entities that are treated as ‘organisations’ regardless of their turnover, by virtue of ss 6D(4)-(9), or small businesses that have opted in to the Privacy Act under s 6EA (650 businesses, as at 11 November 2020).

[87] Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (2020) C-311/18. The Schrems Decision found that where an EU entity is relying on standard contractual clauses under Article 46 of the GDPR, it must consider the broader environment of the overseas recipient, and the impact that might have on its ability to provide essentially equivalent protections. The Schrems Decision is likely to have implications for the international flow of data because it requires a rigorous assessment of not just the privacy frameworks, but also the broader legal and cultural environment to which the transferred data is subject, to determine whether essentially equivalent protections are provided. A formal EU Adequacy Decision would alleviate the need for EU and Australian entities to take further steps in assessing the effectiveness of the Article 46 GDPR transfer tool being used and considering whether additional safeguards are needed. The Schrems Decision is discussed further in the Overseas data flows section below.

[88] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 60.

[89] Lee v Superior Wood Pty Ltd [2019] FWCFB 2946; 286 IR 368.

[90] The Article 29 Data Protection Working Party noted that when processing employees’ personal data, consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence. Instead, processing may be necessary for the performance of a contract, in accordance with legal obligations imposed by employment law, or based on legitimate interest. See Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work - wp249, accessed on 19 November 2020.

[92] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 60.