Privacy in Australia: what’s around the bend?

elevenM will be hosting webinars and briefing sessions on the Federal Government’s review of the Privacy Act. Read on to find out more.  


The very concept of ‘personal information’ could be revised under a wholesale review of the Privacy Act 1988 announced by the Attorney General.

The definition of personal information is at the heart of the Act, the principal piece of legislation governing Australians’ privacy. The ways in which information and data are handled by organisations – and therefore how privacy is ultimately managed – flow from this definition.

Later in this post, we summarise the broad set of questions across the scope of the Privacy Act being considered by the Government’s review. For now, let’s focus on the potential changes to the definition of personal information, and resulting implications.

Presently, under the Act, personal information is ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. This definition has remained largely unchanged since the commencement of the Act in 1988.

The issues paper released by the Attorney General for the review of the Privacy Act considers how technology has now changed the ways that information is created, stored, used, shared and inferred due to the connected way in which we all interact every day. Thus, questions are raised as to whether the technical data created by the way we use devices, the internet, and the internet of things is, or can be, personal information.

Is metadata personal information? In the 1979 decision of Smith v Maryland (before the era of big data), the US Supreme Court said ‘no’ – phone record data did not require a warrant as ‘people [do not expect] privacy in the numbers they dial’. The Federal Court of Australia in Privacy Commissioner v Telstra Corporation (2017) found similarly: metadata is not personal information. That if the information or opinion is not about an individual, it is not personal information – even if that information or opinion could be linked with other information to identify a particular individual. However, in summarising these findings, the OAIC stated that assessing what is personal information requires “an evaluative conclusion”, and that “even if a single piece of information is not ‘about the individual’ it may be about the individual when combined with other information”.

Clear? Most recently, the ACCC’s Digital Platforms Inquiry Report pointed out that there is ‘considerable legal uncertainty on the issue of whether technical data collected in relation to individuals is within the scope of the definition of personal information’.

Any broadening of the definition of personal information, such as to include metadata or other technical data,  will require organisations to radically re-think their current approaches to data handling and to potentially re-visit initiatives that handle and process technical data on the basis that it is not presently defined as personal information.

More broadly, the review announced by the Government will take a comprehensive look across the full scope of the Privacy Act: information handling practices, definitions and enforcement mechanisms and more. It will also consider how to better empower consumers, protect their data and best serve the Australian economy.

Consultation topics include:

  • whether the scope of the Privacy Act and its enforcement mechanisms remain fit for purpose
  • whether there should be an individual right of action to enforce privacy obligations under the Privacy Act, a statutory tort for serious invasions of privacy, or a ‘right to erasure’
  • the impact and effectiveness of the notifiable data breach scheme
  • the effectiveness of enforcement powers and mechanisms in the Act
  • whether Australia should have an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

Given that this review process will impact information handling practices in almost every field, we believe it is incumbent on the industry and government to actively engage with the review process and seek to understand and communicate the issues involved.

Over the next few months, elevenM will be dissecting the issues, hosting webinars and offering our clients in-depth briefing sessions to help them understand issues involved and support them to participate in the change and review process. If you would like us to keep you informed, please contact us at news@elevenM.com.au

The issues paper seeks feedback on issues relevant to reform by 29 November 2020. A discussion paper will be released in early 2021 seeking more specific feedback on preliminary outcomes, including any possible options for reform.