ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (Australia report)

ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (Australia report)

Author: Dr. Clarisse Girot, Honorary Senior Fellow, Asian Business Law Institute

Asian Business Law Institute and Future of Privacy Forum

June 2022

This report provides a detailed overview of relevant laws and regulations in Australia on

• notice and consent requirements for processing personal data;
• alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

Table of Contents 

1. INTRODUCTION 

2. AUSTRALIA’S DATA PROTECTION FRAMEWORK

    2.1. Privacy Act

    2.2. Recent developments 

           a. Review of the Privacy Act
           b. OP Bill 

3. CONSENT AND PRIVACY SELF-MANAGEMENT IN THE PRIVACY ACT 

    3.1. Consent in the APPs

           a. Collection of personal information
           b. Use and disclosure of personal information
           c. Use and disclosure of personal information for the purpose of direct marketing
           d. Cross-border transfer of personal information

    3.2. Sectoral consent requirements in the Privacy Act

           a. Credit sector
           b. Health sector

    3.3. Privacy codes

    3.4. Proposed expansion of the role of consent

    3.5. Consent and online identifiers

4. SECTORAL LAWS AND REGULATIONS   

5. ROLE OF THE OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER (“OAIC”) 

    5.1. Regulatory guidance

    5.2. Public submissions on consent

6. CONDITIONS FOR CONSENT 

    6.1. Definition and forms of consent

    6.2. Consent must be voluntary

    6.3. Consent may be withdrawn

    6.4. Proposed amendments to refocus consent

    6.5. “Bundled consent”

7. CONSENT FOR SPECIAL CATEGORIES OR USES OF DATA

    7.1. “Sensitive information” under the Privacy Act

    7.2. Possible expansion of the categories of “sensitive information”

           a. Financial information
           b. Location data
           c. Children’s information

8. CONSENT FOR CROSS-BORDER DATA TRANSFERS 

    8.1. Operation of APP

    8.2. AGD proposal: removing the consent exception in APP

9. TRANSPARENCY AND NOTICE

10. SANCTIONS AND ENFORCEMENT

      10.1. OAIC v Facebook

      10.2. OAIC determinations in the 7-Eleven, Clearview AI, and Australian Federal Police cases

11. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT SUBJECT TO A RISK IMPACT ASSESSMENT    

      11.1. Reducing reliance on consent: policy options considered (fair and reasonable test, legitimate interests)

      11.2. Expanding v. refocusing consent requirements

      11.3. “Legitimate interests” v. “fair and reasonable” test

      11.4. Factors to be applied in the “fair and reasonable” test

12. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT IN OTHER CIRCUMSTANCES DEFINED BY LAW

      12.1. “Permitted general situations”

      12.2. “Permitted health situations”

      12.3. Rule of interpretation