The industry speaks: Privacy Act reforms – a good thing, or not enough?

Hear what industry leaders have to say about the long-awaited updates to Australia’s Privacy Act revealed last week by the federal government.

David Hollingworth
Mon, 16 Sep 2024

The Australian government introduced its first tranche of reforms to the Privacy Act last week, acting on doxxing, children’s privacy, and data security and handling. But is it enough?

We reached out to industry and other experts to let us know their thoughts on the changes and whether they’re adequate to address the very real threats to our privacy or if they’re too little, too late.


Nam Lam
Australian and New Zealand managing director at SailPoint

The upcoming changes to Australia’s Privacy Act are a critical step in addressing the growing risks posed by the exponential growth of digitisation. As businesses collect and store more data, they must adopt stronger identity security measures to protect sensitive information, and human and non-human identities.

With stricter regulations and hefty penalties on the horizon, companies will need to rethink how they manage data access and ensure robust security frameworks are in place to prevent breaches and safeguard consumer privacy. This reform underscores the need for proactive measures in managing and securing access for all identities within the organisation to prevent cyber threats.


Dr Martin J. Kraemer
Security awareness advocate at KnowBe4

The lack of proper safeguards and clear policies against data breaches and cyber attacks exposes organisations to threats like identity theft and data leakage. As cyber attacks evolve, maintaining customer trust becomes increasingly difficult without robust security measures.

The proliferation of data and devices within organisations creates challenges in managing and securing vast amounts of information. As businesses access and collect significant volumes of consumer data from different channels, it can be challenging to control and streamline the policies of safely collecting, storing, and using them.

The ever-changing regulatory landscape adds complexity as organisations must navigate diverse and evolving global data privacy laws. Even without a physical presence in certain regions, businesses must adapt to foreign regulations, making it essential to stay informed and seek legal guidance to ensure compliance and the ability to operate in multiple jurisdictions.


Olly Stimpson
Strategic security adviser at CyberArk

With last week’s updates to Australia’s Privacy Act, businesses need to be aware of the significant implications for them, particularly around identity security. These reforms signal a shift towards greater accountability for businesses in handling personal data, requiring companies to take a proactive approach to embedding security by design.

As Attorney-General Mark Dreyfus highlighted, Australians have the right to expect their data to be protected. However, CyberArk’s 2024 Identity Threat Landscape Report reveals that many Australian organisations are ill-prepared.

Data theft and privacy protection are leading concerns, indicating that current security practices are not up to the challenge. Under the new laws, these gaps could prove costly, especially for companies relying on outdated or incomplete identity security frameworks.


Laura O’Neill
Head of Fujitsu Cyber Security Services

Fujitsu welcomes the government’s efforts to strengthen privacy protections for Australians in the first tranche of reforms, which includes outlawing doxing. While the first tranche of reforms is positive progress, the current privacy legislation will not keep pace with the fast and evolving environment of cyber threats.

It is critical for the government and industry to invest in increasing the security of systems that hold personal data. We hope the Privacy Act reforms will drive a renewed focus for organisations to combat cyber threats and increase data protection.

There is more work required by industry, governments and academics to collaboratively ensure the Privacy Act actively addresses ongoing changes in the digital economy. We look forward to the future uptake of stronger protections for everyday Australians in the second tranche of reforms.


Yvonne Sears
Director, Elev8 Resilience

The ‘Privacy and Other Legislation Amendment Bill 2024’ has been a long time coming. With many industry experts and campaigners pushing for reforms to bring Australia up to international standards, it’s frustrating to see the much-needed changes trickling in slowly. Unless you’re actively involved or paying close attention, you’d barely notice anything is happening. There’s no strong campaign from the government saying, “It’s time to take privacy seriously!” Instead, they tiptoe around the significant recommendations.

That said, change is on the horizon; we just need a little more patience.

This month, the Attorney-General introduced the highly anticipated amendments to the Privacy Act 1988 (Cth) (Privacy Act) in the Australian Federal Parliament. The bill notably addresses crucial areas like children’s online privacy, invasions of privacy, and doxxing.

One highlight is the focus on the development of a ‘Children’s Online Privacy Code,’ which will guide how the Privacy Principles apply to children (under 18 years old) using online services, including social media. This code must be registered within 24 months of the Privacy and Other Legislation Amendment Act 2024 receiving royal assent, which is a promising step.

We also see a clearer definition of what constitutes a tort for serious invasions of privacy. Interestingly, this isn’t limited to personal information but includes physical intrusions – like entering someone’s private space, or observing, listening to, or recording their private activities.

Another key point is the amendment to the Criminal Code Act 1995 to address doxxing offences. Under this bill, it’s an offence to use a carriage service to publish or distribute personal data in a way that could be seen as menacing or harassing. Importantly, ‘personal data’ now explicitly includes images, phone numbers, email addresses, and home or business addresses – essentially any information that could identify or locate an individual.

While these are steps in the right direction, it’s disappointing we didn’t see the full slate of recommendations come through. This bill is labelled the ‘first tranche’ of privacy reforms, with the Attorney-General promising more developments in the months ahead.

However, it would be far more efficient – and reassuring – if we had greater transparency about what’s next and when it will happen, instead of continuing this guessing game. Until then, Australian privacy laws still fall short of expectations, both domestically and internationally. We remain in the ‘third country’ category, an untrusted region, largely due to the numerous exemptions – particularly for small businesses – that pose serious risks to personal data.

George Harb
Vice President, ANZ, at OpenText

Australia is on the brink of significant changes to its privacy legislation as the Federal Government moves to enhance online safety and update privacy regulations. These new measures represent an achievable strategy for safeguarding personal information and ensuring accountability in data handling practices. Businesses must transition from outdated systems to modern solutions by adapting their data management approaches to ensure online safety.

The adaptations will be pivotal in driving enhanced compliance and responsible data management across industries. The changes implemented mark significant shifts in addressing privacy breaches and compel businesses to adopt a more proactive and strategic approach to data management and privacy compliance. The tiered civil penalty system, transparency requirements in automated decision-making processes and statutory tort for serious invasions of privacy are all comprehensive measures that underscore a significant shift towards data protection and individual empowerment in the digital age. Businesses' implementation of these requirements and guidelines will ensure that there are enhanced data management practices to mitigate data leaks. With the increase of data breaches in Australia, if businesses can foster trust and accountability through updating privacy policies and improving customer engagement, they can build a competitive advantage in the market whilst managing legal risks.

OpenText supports this privacy act and is committed to collaborating closely with government bodies to ensure seamless adaptation to these changes. Our comprehensive suite of enterprise information management solutions is designed to ensure compliance and enhance data protection in this evolving privacy landscape. We are dedicated to assisting businesses through this transition, providing the tools and expertise needed to thrive under the new regulations.


Finally, here’s what Telstra has to say about the government’s proposed Scam Protection Framework:

Telstra has a long history of working alongside the Australian government on both operational security and cyber policy.

We welcome a more coordinated approach to monitoring and disrupting scams and recognise the benefit in greater cross-sector coordination that includes banks and digital platforms, supported by industry-specific codes.

The telecommunications sector has been active in scam mitigation with regulated obligations contained in the Scams Code and enforced by the ACMA, which has [been] in place since 2020 and covers call and SMS scams.

Telstra is already taking action to block millions of suspicious scam calls, SMS and internet scams from reaching our customers every day, and we continue to evolve our systems, technology and tactics in combating the tactics of scammers.

Our recent partnership with CBA on Scam Indicator to help protect Australians from fraud is a powerful example of the potential of a cross-sector approach and the need for all three sectors to continually evolve and adapt their approach to blocking scams.

We look forward to working through the detail of the Scams Prevention Framework and participating in the consultation process to finalise the industry code, which we believe should be flexible and responsive, allowing industry to adapt to new tactics by scammers and leverage existing interrelated regimes, systems and initiatives.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
