Proposed Changes to Privacy Laws: Key Issues for Media Businesses
Extensive reforms of significance to media and internet businesses have been proposed in the Privacy Act Review Report released in February 2023 (the 2023 Privacy Report). Submissions on the proposals in the report closed on 31 March 2023 and the reform process is likely to continue through into 2024.
Media organisations and internet businesses, particularly those which produce news content, will also have a keen eye on whether, and to what extent, the content (in the case of the privacy tort below) and funding (in the case of adtech and other changes) of journalism will be affected. This article briefly considers some of the key changes.
Key principles and background
It has long been recognised that the very important public benefits that media organisations and producers of news and other non-fiction content provide – in terms of protecting our democratic principles – need to be protected in law reform processes.
In the Privacy Act, the journalism exemption is the mechanism which is currently used to ensure that the Act does not impede investigation and reporting by media organisations. It exempts acts in the course of journalism by media organisations from the operation of the Act. “Journalism” is not defined. The exemption plays an important role, because if the Australian Privacy Principles applied to acts in the course of journalism by media organisations then media organisations would require consent to collect sensitive information unless an exception applied: APP 3.1. Sensitive information includes matters such as criminal records and political beliefs.
As further explained below, the 2022 Privacy Report proposes to retain the journalism exemption albeit with significant changes.
Media exemption
The 2023 Privacy Report proposes to retain the exemption, but to amend it to “require media organisations to be subject to:
- privacy standards overseen by a recognised oversight body (the ACMA, APC or IMC); or
- Standards that deal adequately with privacy”.
It is proposed that, in consultation with industry and the ACMA, the OAIC should develop and publish criteria for adequate media privacy standards and a template privacy standard that a media organisation may choose to adopt.
The content of, and approach to, those standards, if developed, will be critical.
Privacy tort
The Report proposes to introduce a statutory privacy tort. The possibility of introducing a statutory tort of privacy has been considered in multiple privacy reform processes in Australia over a period of decades. To date, none of those processes has resulted in the enactment of a tort. Since the decision of the High Court in ABC v Lenah Game Meats [2001] HCA 1, there have been court decisions both for and against the proposition that there is a tort (or alternatively or additionally an equitable confidence-based cause of action) available in respect of publications of private information which would be highly offensive to a reasonable person of ordinary sensibilities.
The 2023 Privacy Report proposes to enact a statutory tort proposed in Australian Law Reform Commission Report 123: Serious Invasions of Privacy.
The essential features of the proposed tort are summarised in the 2023 Privacy Report (at page 372) as follows:
- The invasion of privacy must be either by: intrusion into seclusion, or misuse of private information;
- It must be proved that a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances;
- The invasion must have been committed intentionally or recklessly – mere negligence is not sufficient;
- The invasion must be ‘serious’;
- The invasion need not cause actual damage, and damages for emotional distress may be awarded, and
- It is subject to a ‘balancing exercise’ - the court must be satisfied that the public interest in privacy outweighs any countervailing public interests.
The 2022 Privacy Report lists the following proposed defences:
- A defence of lawful authority
- A defence where the conduct was incidental to defence of persons or property
- A defence of consent
- A defence of necessity
- A defence of absolute privilege
- A defence for the publication of public documents, and
- A defence for fair reporting of public proceedings.
Media organisations opposed the tort in previous submissions, on the basis that it would have a detrimental or chilling effect on freedom of expression and journalism in Australia (see page 375 at 27.4 of the Report).
The proposed form of the tort also raises significant questions. For example, the defences which are given appear to be ones which would only be available where the public interest in publication outweighs the public interest in privacy. Clarification may be required to prevent them from causing the public interest test to be read down.
The 2022 Privacy Report proposes that the remedies to be made available include:
- damages, including for emotional distress and, in exceptional circumstances, exemplary damages;
- an account of profits;
- injunctions;
- delivery up, destruction and removal of material;
- correction and apology orders; and
- declarations.
Overarching fair and reasonable test
The 2023 Privacy Report proposes an overarching “fair and reasonable” test. If enacted, this would give the Privacy Commissioner (and Courts) a broad remit in relation to practices which comply with other aspects of the Privacy Act, but which are considered excessive.
The impact of this overarching rule, if introduced, on media and internet organisations is uncertain. It could be substantial in the adtech and business context. The rule would presumably be subject to the journalism exemption. If it were not, it would be potentially vulnerable to challenge on a constitutional basis, as it would give the Privacy Commissioner, who is part of the Commonwealth Government, discretionary power over media content.
Adtech: Personal information, choices and opt outs
The 2023 Privacy Report has recommended a suite of changes which, if enacted, are likely to significantly affect the media and online advertising environment and will very substantially increase consumer visibility and control over adtech practices.
These changes include:
- Changes to the definition of “personal information” which may result in more adtech data falling within the definition, and thus also the core operation of the Act.
- Extension of certain obligations to de-identified information.
- An unqualified right to opt out of personal information being used or disclosed for direct marketing purposes.
- An unqualified right to opt out of receiving targeted advertising.
- A requirement that an individual’s consent must be obtained to trade their personal information.
- Prohibition of direct marketing to children unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the child’s best interests.
- Prohibition of targeting to a child, with an exception for targeting that is in the child’s best interests.
- Prohibiting trading in the personal information of children.
- A requirement that targeting individuals should be fair and reasonable in the circumstances.
- A prohibition on use of sensitive information to target individuals (except for political opinions, membership of a political association or membership of a trade union).
- Requiring entities to provide information about targeting including clear information about the use of algorithms and profiling.
- Regulation of use of geolocation tracking data within the auspices of the Act.
- Changes to the provisions of the Act dealing with consent (including in relation to children).
- An overarching “fair and reasonable” requirement (see discussion above).
- A children’s online privacy code.
These changes, if enacted, would likely have a substantial impact on the practices and business models of media and internet organisations. This will no doubt be the subject of detailed consideration as part of the next round of consultation.
Other proposals in the report
The 2023 Privacy Report also proposes significant new rights in relation to erasure, correction and de-indexing of personal information (proposals 18.3, 18.4 and 18.5), plus a right to object, requiring a written response (proposal 18.2).
It makes other significant proposals which will be of relevance to media and internet organisations. They include:
- changes to the employee records exemption (which will affect media and internet organisations in their capacity as employers);
- changes relating to notices and consents, including in relation to templates and guidance;
- requirements in relation to privacy default settings;
- requirements for privacy impact assessments;
- consent for research, with consultation on other changes to facilitate research;
- a requirement to record the purposes of collection of personal information;
- a requirement to have a privacy officer;
- clarification of consent rules in relation to children;
- guidance on capacity and consent more generally;
- requirements for entities to provide more information to individuals in response to access requests;
- requirements to notify individuals about their rights and how to exercise them, and an obligation to respond to and provide reasonable assistance in relation to exercise of rights;
- additional obligations and guidance in relation to the security, retention and destruction obligations in APP 11;
- enhanced powers for the OAIC and Courts in relation to enforcement of the Act; and
- changes to the notifiable data breaches provisions in the Act.
A complete list of proposals can be found in the report which is at www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report.
See also chapter on Privacy, surveillance, confidentiality in Thomson Reuters’ Media and Internet Law and Practice for a full version of this article.