Intro 0:00

Jeremy, welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi. I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:59

This episode is brought to you by Red Clover Advisors. Thanks for the boot. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, it is a dreary Monday morning. Early Monday morning. I don’t know if we’ve ever recorded a podcast at the 8am hour on a Monday morning before? Think you’re right, and everyone should know that it was only 8:05 and significantly picked on by one co-host.

Justin Daniels 1:59

Sounds like you should be finding another co-host.

Jodi Daniels 2:04

No, no, no, no, this is the co-host. Perhaps the co-host could just be simply kinder.

Justin Daniels 2:13

I see. Okay, well, it is dreary out.

Jodi Daniels 2:15

It’s raining, and I walked the dog in the rain and everything.

Justin Daniels 2:19

Alright. Well, let’s focus on our guest today.

Jodi Daniels 2:21

I know you should, you should get started. I mean, you should make an intro or something. All right.

Justin Daniels 2:26

Well, our guest is coming to us, literally, from down under. So today we have James Patto, a partner at Helios Salinger. He’s a leading voice in Australia’s tech law landscape, trusted by business and government on privacy, cybersecurity and AI. With over a decade of experience as a digital lawyer, he helps organizations turn regulation into opportunity, bridging law, innovation and strategy to build trust and thrive in a digital world.

James Patto 2:56

Welcome to the show. Thank you very much. Lovely to be here. You are our I think you’re our first guest from Australia in four and a half years for such a fun country.

Jodi Daniels 3:13

Yeah, I think we’ve had friends from Australia. Don’t think we’ve had anyone on. This is so much fun. It is one of my favorite countries, that I studied in third grade, and I have yet to visit, so maybe, maybe one day I will get there soon.

James Patto 3:27

Hopefully you got an excuse to visit me now, Jodi, I do.

Jodi Daniels 3:29

Oh, we can make it a work trip. Ah, brilliant. All right, James, tell us a little bit about your career journey to date.

James Patto 3:38

Yeah, absolutely. So I’ve been practicing in the technology law space for about 12 years. I started my career at one of the top tier law firms here in Australia called Minter Ellison. I actually fell into technology law. So originally I thought I was going to be an investment banker, then I decided that M&A law was for me. But then eventually I landed myself in technology law and fell in love. So I’ve since been to a couple of other firms. I started up the digital and cyber and technology legal team at PricewaterhouseCoopers here in Australia, and basically from there, made my move across now to Hamilton Locke and Helios Salinger, where I, yes, have continued my journey working in multidisciplinary practices.

Jodi Daniels 4:29

Well, one of the things that I really found fascinating was Australians’ views on privacy, and you recently shared some really interesting statistics that I wanted to share with everyone here. So in case you missed the LinkedIn post, everyone should go and follow James, and then you too can read the much longer post, but 84% of Australians want more control over how their personal information is collected and used, and 77% want small businesses covered. And I personally find that latter stat fascinating, because here in the US, we tend to exclude small businesses from a long list of things, which, as a small business owner, selfishly, is good for me in some places, but as a consumer, it’s really not, because we all know that there are small companies that collect all kinds of information and do a lot with it. And 84% of Australians care about what’s actually happening with their personal information, which is also very similar to the statistics that we have here in the US. And I’m sure if I had a handy EU stat, it would be similar. So with this notion of where Australians care about privacy and kind of the global mindset, what I was hoping to get us started is: give us a little primer on Australian privacy law now, and then we’re going to talk a little bit about where it’s going.

James Patto 6:01

Yeah, absolutely. So the Australian privacy regime, as it currently sits, underwent a pretty massive overhaul in 2013. So, funnily enough, just after I started my career, so as soon as I joined the legal fraternity, I was immediately hit with a new privacy regime to get my head around. And so we run with a principle. And basically since then, we have had pretty limited changes to our regime. We had the inclusion of a notifiable data breach scheme, so mandatory data breaches. And then also we had some uplifts in our fines, so our enforcement regime, essentially, and that’s pretty much about it. There’s been bits and pieces around the edge, but we run essentially a principles based environment or framework, and that has been good in the sense that it applies across most of the economy. We have some exemptions, some key exemptions for particular sectors. So we have exemptions for small businesses. We have exemptions for particular types of information. So there are exemptions around employee records and employee data. And we also have exemptions for, surprise, surprise, political parties, which is actually something that’s been quite topical over the last couple of weeks or month or so, as we’ve just had a large federal election process which gave rise to a number of people questioning the use of personal information in the hands of political parties. So the regime basically takes you all the way through, from establishing privacy management frameworks through to transparency measures like privacy policies. We have collection obligations, we have use and disclosure restrictions, and then we have retention and destruction obligations as well. So in terms of what it covers, it’s quite similar to many of the other regimes around the world. It is quite different in terms of the level of compliance that it required. As of today, you did mention that we have some changes potentially in the pipeline.
We’ve also had some pretty substantial changes to the enforcement regime actually pass at the end of last year and go into law as of December last year. And so those changes were pretty, pretty fundamental building blocks to what we’ve been looking at from a reform perspective.

Jodi Daniels 8:36

I’m curious, because every country’s definition of small business is different. What is small business defined as there that would qualify as an exemption?

James Patto 8:48

So our threshold is essentially $3 million in annual turnover. So if your annual turnover is below $3 million, you won’t be covered by the Act. There are some particular sectors that are covered, notwithstanding that, and that’s things like health service providers and organizations that trade in personal information. So data sharing sort of organizations, and data selling organizations, brokers, that sort of thing. But on the whole, if you have under $3 million of annual turnover, you are going to be excluded from the operation of the Act.

Jodi Daniels 9:23

Okay. Thank you. Really, really helpful, and I felt a lower threshold than I might have imagined.

James Patto 9:31

Yeah, but funnily enough, it still leaves a lot of organizations within Australia outside of the ambit of the Act, because we have a very small business heavy economy in Australia.

Jodi Daniels 9:44

Is it global turnover?

James Patto 9:49

Well, most small businesses won’t be operating at a global level, but it’s essentially the business as a whole.

Jodi Daniels 9:58

Okay. Thank you. Clarifying. When you stop laughing at me today, I swear you took like the laughing pill.

Justin Daniels 10:06

Okay, so you talked about where the law stands now. Can you talk to us a little bit about what has changed or may change in Australian privacy law in 2025 and beyond?

James Patto 10:19

Yeah, it’s an interesting one. So maybe, maybe the best way to do this is to take you a little bit back to see where we’ve come from, the process that we’ve been in. So our Act was slated for, so well, we had the GDPR come into effect in May 2018, so that was really a point where a lot of countries around the world started to look at their own legislation and started to decide, do we think that our current privacy framework is sufficient? We here in Australia had an announcement by our Attorney General’s department, which is the department that essentially leads the Privacy Act reform process, in December 2019, to basically say we’re going to start reviewing our Act, and we really think we need some level of uplift. So when you think about that December 2019, and we only really had the first set of changes come out of that process at the end of last year, it’s been a very, very long journey for our reform process, and even then, we’re nowhere near where we feel like we need to be. So out of that process, we got what was called the Privacy Review Report, which made 89 proposals, so legislative change proposals to the Australian Act. The government came back off the back of that review report and basically agreed to essentially most of them. So there were only eight that they didn’t agree to. The rest, 81 of them, were agreed and were slated for some level of reform. And then we had our first bill off the back of that at the end of last year, which basically dealt with 24 of those 81 reforms. Now, interestingly enough, none of the reforms that came, well, not really many of the reforms that came through in that first bill were substantive compliance uplifts. And we subsequently found out through the sort of Senate committee report investigating that, that that was because there was essentially a directive that came through from government that they were trying to minimize the effect on regulated entities.
And so what this bill then ultimately did, what is now in law, is that it really set the scene for a future compliance uplift. So it concentrated on enhancing the regulator’s powers of investigation. It concentrated on re-establishing a brand new enforcement regime’s structure. So rather than just having essentially one civil penalty that could be enforced, there was a number of new civil penalties, a new infringement notice regime, which allowed, essentially, on the spot fines to be issued by the regulator for certain breaches. And so all of this became essentially that scene setting legislation for the next phase of reforms that we’re hoping will come through in the next sort of 12 to 24 months. Those were much more substantial. So some of the things that we’re looking at potentially bringing in here is a fair and reasonable test. So that’s essentially a test that sits over the top of everything that you do, whether you have obtained consent or not. Even if you’ve obtained fully effective, informed, voluntary, unambiguous consent, if what you’re doing with the information is not considered fair and reasonable to an ordinary person in all the circumstances, then it still might actually be a breach of the Act. So consent is not a defense with a test like that, which is a very interesting concept. What also came off the back of that is some organizational accountability measures, so what we call data governance style obligations to determine and record the purpose for which you are collecting, using and disclosing information, especially when it’s a secondary use. So if you’ve collected it for a primary use, and then you decide later on you’re going to use it for a secondary use, you need to have written records of that accessible for the regulator. There’s also been significant talk about removing some of those exemptions I spoke to earlier. So the small business exemption is on the chopping block, potentially, here in Australia.
So obviously there is still some consultation going on at the moment around what that might look like and what the cost might be, and I can speak a little bit later about sort of the future of privacy law in Australia, and some of the uncertainties that surround that. But that is certainly one of the ones that is in the firing line, same with the employee record exemption. So there’s talk of not removing it, but essentially ensuring that it is significantly narrowed, and that there are certain obligations that will apply to employee records or employee personal information. But no changes to the political party exemption, though. And the other thing that I think is important in the context of GDPR-like rights is there’s been a suggestion that we should bring in essentially enhanced individual rights that align pretty much with the GDPR, so rights to erasure, rights to object, rights to require de-indexation from search functions, and broader rights of access and explanation as well.

Jodi Daniels 15:38

One of the common questions global companies always have is trying to figure out, what are the differences or commonalities amongst all these different laws, so that they can figure out, how do I actually set up a program? And you started to hint at privacy rights from a GDPR point of view, and how that might be something that’s coming along. So I have a few questions. One, what do you think? Let’s say they do come into scope. What is the earliest that that might happen? And then can you share some of the other, you know, differences or things that are the same between GDPR and, you know, I appreciate we have 19 different US state laws, but it still kind of seems like California, Colorado are some of our bigger ones that companies are sort of, you know, creating their privacy programs to.

James Patto 16:35

Yeah, yeah. So, I think, certainly, as I’ve sort of spoken about previously on a number of occasions, obviously a lot of countries are looking to obtain adequacy with the GDPR. So one of the holy grails for privacy law is to be able to obtain one of those adequacy decisions that basically determines that the regime that you have offers a level of protection that is similar to what is provided under the GDPR. Now, obviously the US has its own separate regime that it operates under in relation to the GDPR, but certainly our friends even further down under than us, New Zealand, have obtained for themselves an adequacy decision. And I think to some extent these uplifts that we’re looking at bringing to our legislation are that quest, looking to try and get that. So I sort of mentioned previously, the individual rights piece is really important. We have a significant lack of individual rights under our existing legislation. We only have rights to access personal information held by an organization and rights to correct. That’s essentially the two main rights that we have. So there’s some significant differences there, in terms of the law as it is today versus something like the GDPR. The other piece is, we have a less stringent notifiable data breach scheme as well. So our notifiable data breach scheme has a reasonable time attached to the notification, unlike the GDPR, which has a much stricter 72-hour turnaround. And, funnily enough, if you’re an expert in the GDPR and you look at the Australian legislation, we don’t use the same terminology, the processing terminology, data controllers, data processors. That sort of terminology is not something that we use in our Act. We don’t make a distinction between those two types of entities.
We just look at the actions and the handling of the information by the entity, and the entity is either an APP entity or they’re not, if they fall outside of it. I will say we’ve had some recent determinations from our Commissioner, and also, actually, Federal Court cases which have talked about the application, the extraterritoriality, of our law. The bar is very low in Australia. So organizations, if they are doing any sort of services into Australia, offering services to Australians, you are very likely to be caught, whether or not you have a physical presence down under as well. And I think overall, our general definitions and concepts are quite different, but part of this exercise, and part of this uplift in reform, is to try and bring Australia in line with a lot of our global counterparts, to make that global compliance journey a bit easier going both ways. So organizations coming into Australia, but also Australian organizations looking to expand globally, to try and get them speaking the same language as their international counterparts.

Jodi Daniels 19:49

If you had a crystal ball, is there any thought to timeline, like, when might be the next? Soonest? First group of, I forget what you called them, the different, I want to say resolutions, but that wasn’t right.

James Patto 20:10

The proposals, the tranches. I think they’re calling them tranches at the moment, at least that’s what we’ve apparently been dubbed. Look, I think there are a few things. One is, I think that it’s likely that we will have further multiple tranches. I don’t think the rest of this will come in a big bang tranche two, and that is because I think the scale of these changes is significant, and there’s still quite a bit of background consultation and quantification of compliance costs. As I said previously, we had an election which returned a privacy friendly government, in the sense that the government was returned that was leading the reform charge, but there has been a change in the direction of the government to focus on productivity. We don’t know what that is going to mean for privacy reforms, because, as you probably know, as soon as someone starts talking about productivity, anything with a compliance burden attached to it very quickly gets the chop or gets removed. And so we’re not sure what impact that will have, but I think from a timing perspective, we have to look at the GDPR as a good base in terms of that compliance ramp up journey. So I think that’s probably going to be a two year ramp up off the back of any time that we actually see legislation passed. So even if we see legislation before the end of the year, and it happens to be passed sort of early 2026, then I can’t see it being in full effect until at least sort of early 2028.

Jodi Daniels 21:46

Very helpful. Thank you.

Justin Daniels 21:47

Actually, James, I wanted to ask you, I wanted to back up and ask you a different question, which is, can you talk to us a little bit about how some of the cultural norms in Australia impact your privacy regime? Like in the GDPR, privacy is considered a fundamental right, a lot because of what happened in World War Two. In the United States, we’re kind of more commercially based, and it’s really business, government, consumer is last. I’d love to get a little understanding of how just the culture in Australia impacts how these privacy laws have evolved in your country.

James Patto 22:23

Yeah, absolutely. So we kind of straddle both of those areas. So we do get a lot of our regulatory guidance from the EU traditionally, in fact, it was traditionally from the UK, as you can understand, being a British colony as we were. So we sort of struggle between the culture in the US around that sort of innovation culture, you know, that non-regulation, that self regulation culture, and the more sort of black letter law culture that comes from the EU, because, unlike the EU and the US, we don’t have that big economy and that big sort of data style economy that those jurisdictions have. And so what that means is that we’ve been allowed to be a little bit more nuanced in the way that we’ve approached our legislation. And probably the big cultural factor that we have in Australia is the size of our small business sector. And so our Business Council has been able to protect those businesses by keeping them separate from the legislation. And I think that the other area that we have, probably more recently, is we’ve seen, as Jodi has said, a significant increase in awareness around privacy rights and data rights. So I think back in 2012, when we had the original uplift, there wasn’t really a full appreciation for what privacy was. You know, people weren’t really aware, or didn’t really understand, the way that data was being used, and obviously the way that data is being used, and the amount of data that’s being collected and utilized by organizations, has grown significantly since that time, and I think the Australian public is waking up to that. And because we have a relatively high legislative culture, so we have a lot of laws in Australia, we have a lot of legislation, it makes sense that we are moving more down a path towards the European model, rather than towards the sort of more US style model.

Jodi Daniels 24:49

With so many global companies in a little bit of limbo, it sounds like, of where we are, what do you recommend companies do now?

James Patto 25:00

Yes, so there’s a few things. One is, I mentioned previously that we had some changes in Australia around an on the spot fine sort of mechanism. And so they are only for certain breaches of our laws, and they target particular things like the quality of your privacy policy, the direct marketing opt out procedures that you have, the data breach response notice that you give. So the accuracy of the data breach response notice you give. So if you look at these things, these are the things that I speak to my clients about immediately addressing, because this is the low hanging fruit for the regulator. Because rather than traditionally having to go to the Federal Court to apply a civil penalty, this is something that they can issue in their own right. They can understand that for them it’s a much lower bar, and so they’re more likely to be looking at these things. So when I speak to my clients, we’re talking about, well, data breach response preparation. Make sure you have your notification strategy appropriately determined, and your data breach protocols ready to go. Have a look at your privacy policy. Make sure you’re ticking all the right boxes. Make sure you’ve got everything that you need, and make sure that you are reflecting the guidance from the regulator around not only what’s in your privacy policy, but the way that it’s drafted: plain English, easy to understand. You have to remember that a privacy policy is a transparency document, and so you want to make sure that it is transparent in terms of the way that you’re handling information. And then go and revisit those direct marketing activities, make sure you’ve got those clear opt outs available. Now that’s the sort of direct compliance piece that’s come out of the most recent reforms. I think, in terms of the broader piece around how do you prepare for what’s in the pipeline?
There are some really good, high value, essentially good business things that you can do now to prep yourself for what’s coming. And the good thing is, one, they’ll build a great foundation for you to launch your compliance journey off once we have a bit more clarity around what that compliance framework looks like, but they’ll also generate some business value for you in the meantime. And so that’s things like implementing appropriate privacy impact assessment processes and procedures, and making sure that that’s done efficiently, making sure that you’re building a framework that is risk based. So, you know, you don’t need to do a full privacy impact assessment that is, you know, 50 pages long and 100 questions on lower risk activities. Data breach uplift, so making sure that you’ve enhanced your incident response readiness across the entire data breach lifecycle. Privacy maturity. So I recommend a lot of my clients, yeah, peel back the cover and go and have a look at where you stand currently against today’s regime. Find where your risk lies, find where you have the biggest journey to future compliance. So you can benchmark that privacy maturity assessment against the GDPR. You can benchmark that against where we think the reforms might go. And there’s actually, funnily enough, in Australia, we’ve had some state based laws that apply to state governments that have implemented some of these, or that are going to implement some of the things that I’ve spoken about as to what’s coming at federal level. So that’s in Western Australia. So you’ve got some benchmarks there that you can look at already and say, okay, how would we perform in that environment? And then finally, it’s the standard thing in this space. Know your data. So go and have a look at what you’ve got, understand what you’ve got. Why did you collect it? Where did you collect it from?
And that’s going to allow you to build and fund your foundational improvements to how your organization manages both personal but also your non-personal data. So there’s value in that for your organization.

Jodi Daniels 28:57

We actually find a lot of companies do data inventories and want to include the non-personal information, because they’re already doing the same exercise, and they’re having so much fun. Why are you smirking at me? You don’t believe it’s fun. It can be fun.

Justin Daniels 29:15

Okay, so, James, do you have a best privacy tip you’d like to share with our audience?

James Patto 29:23

Look, I think my privacy tip comes off that last one. I think that, and you sort of mentioned it in the lovely intro you gave me, my aim when I’m dealing with compliance with my clients is to really look for the areas where there is value for your organization, particularly when we don’t have the compliance framework or the full set of legislation in front of us. There are things that you can do to build those foundational improvements, and that know your data piece is so, so important, because everything flows from that, whether that’s even your breach response. You know, you can understand what type of data you hold, where it sits. And so if something does happen, you can very, very quickly respond, react and build trust in your customer base, which ultimately is going to lead to value for your business.

Jodi Daniels 30:08

And when you are not advising companies on privacy, what do you like to do for fun?

James Patto 30:16

Ah, well, apart from going to the park with my dog, I think video gaming has always been my passion. That’s how I got into technology law, actually: I was always a big video gamer, and I built my own computers and gaming computers, and then when I found out that there was something that I could do that involved both technology and the law, I got pretty excited. And so that’s how I ended up in this. So I still do, even though I’ve got a family and much less time than I used to in my university days. I still love to get on and play some video games when I get the chance.

Jodi Daniels 30:52

Well, we are so delighted that you joined us today. Thank you so much. If people would like to connect with you and learn more, where can they go?

James Patto 31:02

So LinkedIn is probably the best place to reach out to me in the first instance. I’m pretty active on LinkedIn. I try to respond to all the messages that I get, and I try to respond to comments. So that’s probably the best place to go. Otherwise, the Helios Salinger website or the Hamilton Locke website, I’m on both, lucky me. Feel free to reach out with an email or a call, whatever suits.

Jodi Daniels 31:27

Amazing. Well, I’m going to highly encourage everyone, James, that’s how you and I met, amazing content on LinkedIn. So everyone go follow James, and thank you again for joining us today.

James Patto 31:39

My pleasure. Thank you very much for having me.

Outro 31:45

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.