INTHEBLACK November 2023 - Magazine - Page 16
F E AT U R E
THE RIGHT TO
Proposed changes to consumer protections may
affect businesses across the digital economy. Here is
how to prepare for what’s ahead.
Words Stephen Corby
CONSUMER DATA IS A HOT COMMODITY in
the digital economy. The more personal
information companies can collect from their
current and prospective customers, the more
accurately they can target products and
services to generate sales and profits.
However, data is quickly becoming a
double-edged sword. With cyberattacks on
the rise, businesses risk irreparable reputational
damage – and hefty clean-up bills – when their
customers’ private information is exposed.
In addition, significant penalties have already
been introduced in Australia for breaches
In the EU, consumer privacy is protected by
General Data Protection Regulation (EU GDPR).
An integral part of the regulation is one’s right
to be forgotten. A consumer can request that
their personal data be erased if it is no longer
needed for the purpose for which a business
originally collected or processed it.
A two-year review of the Privacy Act
1988(Cth) has been conducted to identify how
to better protect individuals and their personal
information. As a result of that review, EU-style
protections may be introduced in Australia.
EVERY BUSINESS AFFECTED
Lisa Given, professor of information sciences
at Melbourne’s RMIT University, says changes
to the Privacy Act will broadly affect how
companies conduct business in Australia.
There is a small business exemption in place,
but this may be removed as part of the reforms.
For the purposes of the exemption, a small
business is one with an annual turnover of
A$3 million or less.
16 INTHEBLACK November 2023
Changes to Australian privacy legislation
“would effectively empower Australian citizens to
appeal to Australian companies in the same way
European citizens can do currently,” Given says.
“If you’ve got a mailing list, or you’re
gathering important information from people
and you’re based in Australia, you would have
to comply with the legislation,” she says.
“What that’s going to mean for businesses
is potentially quite different practices.”
Many privacy jurisdictions also have an
existing extraterritorial reach. Businesses that
provide goods or services to individuals residing
in the EU, for instance, are already subject to
some aspects of the EU GDPR.
For many companies, this will mean increased
investment in technology and robust processes
to ensure customer data can be reliably
“erased” when required. The more data a
company holds, the more difficult and costly
Given also points to other key features
of EU GDPR, particularly the requirement
for companies to seek active consent from
customers for their data to be recorded
and retained. For example, if a company wishes
to sign a customer up to its e-newsletter, it
would have to actively seek permission to do so.
This is already the current approach in Australia
due to existing marketing obligations under the
Privacy Act and SPAM legislation.
NO TIME LIKE TODAY
Matthew Green, consulting and risk partner
at tax and advisory firm Grant Thornton, says
the proposed changes to the Privacy Act are