KPMG Australia (KPMG) welcomes the opportunity to provide a submission to the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) (the Review). The Review is a significant opportunity to contribute to an important reform process that has the potential to empower consumers and protect their data, while creating economy-wide benefits.
As a leading professional services firm, KPMG is committed to meeting the requirements of all our stakeholders – not only the organisations we audit and advise, but also employees, governments, regulators and the wider community. We strive to contribute to the debate that seeks to develop a strong and prosperous economy and society.
The Review is an important and timely opportunity to once again reflect on our national approach to the regulation of data privacy. The Privacy Act recently marked its 30-year anniversary. While the Act has seen considerable reforms in that time (notably the introduction of the Australian Privacy Principles and Comprehensive Credit Reporting in 2014, and the Notifiable Data Breach scheme in 2018), it is important to ensure that Australia continues to have a privacy framework that achieves the right balance between protecting individuals and enabling entities to respond effectively to the challenges, and harness the benefits, of a free-flowing, data-driven digital economy and society. That framework should do so in a balanced and proportionate way and provide certainty and guidance.
The terms of reference for the Review, and the questions posed in the Issues Paper, raise a broad range of matters that would have wide-ranging impacts on government, business and consumers. As noted in the Issues Paper, substantial consideration has been given to many of these matters in previous reviews. KPMG’s submission is therefore not intended to respond specifically to every question raised, but to draw on our multi-disciplinary subject matter experts across the firm to provide feedback on some key themes and issues which we believe should be considered in planning for this reform process.
Our comments centre on the following broad key themes raised in the Issues Paper:
As a technology-neutral and principles-based law that prescribes individual information privacy rights and corresponding obligations, the Privacy Act provides flexibility for organisations to develop and implement a risk-based approach to the protection of personal information they collect and process. However, as the Issues Paper identified, there are a number of complex questions that are important to reflect upon to ensure that the right balance continues to be struck for a clear, streamlined framework that meets the needs of government and business and the rights of individuals in an evolving digital society and economy.
The Australian Information Commissioner, Angelene Falk, has flagged four key elements of reform that she considers are needed to support effective privacy regulation over the next decade:
There are two critical questions to consider, given the significant and potentially wide-ranging nature of the reform. First, what are the key objectives of the Review, in addition to addressing the consumer privacy rights issues identified by the Australian Competition and Consumer Commission (ACCC) in relation to digital platforms? Second, what is the most effective approach to reform?
Entities currently must manage and comply with a range of regulatory requirements that exist in overlapping and in some cases fragmented data-related frameworks at both a State and Federal level. New data frameworks are currently being developed. Given the nature of data flows and the convergence of data-related rights, data security standards and regulatory frameworks and standards both in Australia and globally, it will be important to take the opportunity to carefully consider how the Privacy Act interacts with these frameworks and provides a robust and clear national framework.
Central to this is how reform will help provide Australia with a comprehensive framework that maintains or strengthens key data protection principles, standardises and clarifies obligations, ensures the rights of individuals and the free flow of information and communication are protected, while minimising the imposition of further regulatory burdens to achieve a net benefit for all participants.
Lastly, the Review must also consider the impact of COVID-19 on how we work and interact with businesses and government in what will be a new normal. Digitisation of government and citizen-centric services and the increasing use of digital contact tracing and QR codes, where citizens provide more information to connect and verify their identity, are becoming increasingly critical and the data protection framework needs to support this.