| What area(s) of law does this episode consider? | The GDPR, Australia, and the Privacy Act 1988 (Cth) (Privacy Act). |
| Why is this topic relevant? | With multiple high-profile data breaches occurring in 2022, Australia’s privacy regime came under the spotlight once more. Grounded in the Privacy Act and the Australian Privacy Principles (APPs) contained in Schedule 1, the Australian approach to privacy and data retention is a nuanced legislative behemoth. However, at the same time many locals are wrestling with Australia’s regime, they also have to contend with the EU’s General Data Protection Regulation (GDPR). The globally renowned GDPR entered into force in 2018, with great fanfare and mild international panic over its extraterritorial reach – and did you know the EU’s perspective on Australia’s privacy regime is that it’s inadequate because of exemptions for small business and employee records? Keeping up to date with moves in the privacy law space is a key skill for many Australian lawyers in private practice and in-house. |
| What legislation is considered in this episode? | Privacy Act 1988 (Cth) Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) |
| What cases are considered in this episode? | Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (C-311/18) (Schrems II) (Eur-Lex link)- In issue was the transfer of data between Facebook Ireland and Facebook Inc. based in the United States. The Court of Justice of the European Union declared the EU-US Privacy Shield – the framework assisting with the transfer of personal data between the EU and the US – invalid, but upheld the Standard Contractual Clauses (SCCs).
|
| What are the main points? | - In 2000 the Privacy Act was extended to the private sector.
- When this extension happened there was a real fear that the regime would be overly burdensome on some smaller pre-internet local businesses and that there were already protections around employee/employer confidentiality.
- This thinking led to the small business exemption and the employee records exemption. These were intended to be temporary – 23 years later they are still in place.
- The employee records exemption applies to all past and present employees. The groups of people not included under the employee exemption are:
- Future employees.
- Contractors.
- Volunteers.
- Additional programs such as optional fitness programs run by an employer are not included under the employee records exemption.
- By the nature of the contracts that many smaller enterprises have with larger corporates or the government, many are already “falling backwards” into compliance with the Privacy Act.
- In Alec’s view, there is a general lack of implementation of the Privacy Act and a lack of understanding of what is required. He refutes the criticism that the Privacy Act is pre-internet or “predates” this or that.
- This is, in Alec’s view, not a total lack of implementation – just particular areas in which people seem to have “lost the plot”.
- Because of the small business and employee record exemptions, the EU does not consider Australia’s privacy regime to be adequate for the purposes of the GDPR.
- An Australian business receiving data that is subject to the GDPR has various obligations to otherwise comply with or agree to the SCCs – this includes related corporate entities.
- This restriction, however, does not apply where an Australian entity sends data to somewhere covered by the GDPR.
- Getting Australian data sent overseas – and infected by compliance with the GDPR – returned to Australia can be difficult. An example of this situation is sending information to a foreign data analytics entity for processing.
- In Alec’s view, an entity’s core obligations under the Privacy Act can be simplified to “the 3 cannots”:
- You cannot collect whatever personal information you like.
- You cannot use it for whatever purpose you want.
- You cannot keep it forever.
- APP 11.2 says that once personal information has been used for the purposes that the user was notified for, there is a positive mandatory obligation to delete or de-identify it.
- It is very unlikely there will be a reasonable excuse that will waive this obligation.
- Complying with privacy obligations significantly reduces risk of potential breaches, the cost of notifying and rectifying a breach if it were to occur, and the ongoing costs of data storage.
- The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) raised the maximum penalty from $2.2 million to $50 million or 30% of adjusted turnover.
- The principle of “least data”, or “data minimisation”, is a principle highlighted in decisions and guidance by the Privacy Commissioner.
- The idea is that companies should collect the least amount of personal and sensitive information that they possibly can to do their function.
|
| What are the practical takeaways? | - Privacy lawyers need to stay abreast of not only the changing legislation but changes in technology that will affect privacy.
- It is likely more cost-effective for companies to treat employee records as if it were customer data rather than distinguishing between the two.
- For lawyers wishing to get into the area of privacy law, keep up to date with regulations, decisions, and technology.
- Understand the wider way the law and APPs are implemented, and look at the law in a wider commercial context. Most of a privacy lawyer’s job is interpreting, applying, and using past experience to find solutions – ChatGPT is not up to this task!
- The privacy practice space is a small, collegiate – and in Alec’s words – “nerdy” niche. Reach out to those in the space.
|
| Show notes | Australian Government Attorney-General’s Department, Privacy Act Review Report (2023)
Hearsay Sidebar, We Interview ChatGPT about… Itself
* Sadly, Hearsay was unable to locate the relevant student publication Alec mentions in the podcast. |
Substantive Law
Substantive Law