The marketing industry doesn't like what it sees. Most other commentary welcomes the bill as an (exceedingly slow) step forward on the issues the government carved out as "first stage" reforms from the ALRC report delivered four years ago, with the notable exception of the Australian Privacy Foundation.
While the Attorney General says the "bill will bring Australia's privacy protection framework into the modern era" and will tighten up the rules around how companies and organisations can collect, use and disclose personal information, the APF describes it as a backward step, and sets out why the 'Anti-Privacy Bill' Should be Scrapped (pdf).
I doubt if there will be many takers for that option. The bill is yet to pass the House and then face the Senate. Let's hope it's somewhat familiar territory there, although in Senate Estimates last week Shadow Attorney General Senator Brandis had a bee in his bonnet about the size of the ALRC report, regardless of its scope and the complexity of the issues:
It has seemed to me for quite a long time now that, although the Australian Law Reform Commission does wonderful work of the very highest standard, it does, if I may say so, somewhat overcapitalise its research. Let me give you an example of what I mean. The privacy report of a few years ago was nearly 2,700 pages long. I am not aware of anyone—academic, government body, think tank; any institution in the world—that has produced a 2,700-page document about privacy.

Provisions in the bill as passed won't come into effect until nine months after assent. E-health is being dealt with separately, and other major issues await stage 2 consideration, including the exemptions (for smaller business, for media organisations in the conduct of journalism, and for political parties), serious data breach notifications, and a statutory cause of action for serious invasion of privacy. Privacy law reform still has a long way to go.
"...the Privacy Commissioner will be able to make a determination to direct an organisation to take specific steps to stop certain conduct, or take reasonable action to redress any loss or damage suffered. The commissioner will also be able to obtain enforceable undertakings from an organisation. A court can then make appropriate orders, including orders for compensation. The commissioner will also be able to apply to the court for a civil penalty order against organisations. Penalties range from 200 penalty units—$22,000 for an individual and $110,000 for a company—to 2,000 penalty units, which is $220,000 for an individual and $1.1 million for a company. For serious and repeated breaches of privacy, the penalty will be 2,000 penalty units. This is another remedy for consumers and will encourage compliance with the Privacy Act. The Privacy Commissioner will also be able to direct agencies to perform a privacy impact assessment, and will be able to conduct privacy performance assessments to check that agencies and organisations are complying with the Australian Privacy Principles. This bill will make dispute resolution simpler, quicker and cheaper. The commissioner will have a new power to recognise and approve an external dispute resolution scheme for credit reporting disputes. There are new conciliation provisions, so that conciliation can be a dispute resolution option. In essence, the Australian Privacy Commissioner will have new powers, including the power to seek enforceable remedies for consumers who have had their privacy breached."
Under the new cross-border disclosure regime in the Bill, Australian entities that disclose personal information to overseas recipients will generally be liable for privacy breaches committed by those recipients—although the Australian entities may have recourse through their contracts. As the government acknowledges, this reflects a shift away from the ‘adequacy approach’ seen in NPP 9 and the EU to an ‘accountability approach’, as adopted by APEC and Canada. The government also comments that the ‘chain of accountability’ is not broken simply because an overseas recipient engages a subcontractor. There will be some exceptions to the ‘reasonable steps’ and accountability obligations. One of these is where the recipient is subject to a law or binding scheme similar to the APPs which gives appropriate enforcement rights to the individuals. Guidance from the OAIC is anticipated on this point. Notably, contractual provisions will no longer be sufficient alone to avoid accountability. Consent will also provide an exception, but must be more explicit than under NPP 9.
Some concerns have been raised in the media that the new APPs will significantly reduce the use of offshore cloud computing services. It is hard to see this being the case. While retaining data in Australia or a jurisdiction with similar laws will be more attractive in that it will overcome the accountability issue, we expect to see cloud computing customers seeking to use contractual measures to protect themselves in case they are held liable for a breach by the provider.
It should also be noted that APP 8 is not intended to apply ‘where personal information is routed through servers that may be outside Australia.’ Entities will however need to take reasonable steps to ensure that personal information routed outside Australia is not accessed by overseas recipients as this will be considered disclosure."