June 2, 2023
Prepare for Updated Data Privacy Laws in Australia with Skyflow
Two cyberattacks in consecutive months in 2022 exposed the personal data of millions of Australians. As a result, the Australian government is proposing much stricter data privacy requirements. Here’s what you need to know about the proposed changes, how they affect your business, and what you need to do to stay compliant.
In September 2022, cybercriminals breached the systems of Optus, Australia’s second-largest telecommunications company, exposing the personal data of about 10 million current and former customers. The following month, the personal and medical data of about 10 million Australians was stolen from Medibank, Australia’s largest health insurer.
These massive, consecutive data breaches prompted the Australian government to consider stricter data privacy laws, which could change how your business is allowed to collect and use the personal data of Australian residents.
In this post, we’ll discuss the latest proposed data privacy regulation changes in Australia. We’ll also look at how to avoid huge penalties and help your business to stay compliant with new and evolving regulations by using Skyflow to isolate, protect, and govern sensitive data and ease compliance with data residency requirements.
Eight Proposed Changes to Revamp Australia’s Data Privacy Laws
The Australian Attorney-General released a Privacy Act Review Report on February 16, 2023, that made a total of 116 recommendations to amend the existing Privacy Act 1988. We’ve summarized the 320-page report into the following eight changes that will have a significant impact on businesses that manage Australians’ personal data.
1. Remove Exemptions for Small Business
Proposal 6 in the Privacy Act Review Report would require that all small businesses comply with Australian data privacy laws, including businesses that were previously exempt.
Impact: Small businesses that were previously exempt from data privacy laws would now need to comply with data privacy regulations. If your business falls under this category, then you might be required to implement strict data privacy protocols that define how your business collects, stores, and uses sensitive data.
2. Conduct Privacy Impact Assessments
Instead of relying solely on open-ended privacy principles, Proposal 13 in the Privacy Act Review Report would require organizations to conduct a privacy impact assessment before undertaking any activity that poses a high privacy risk to Australians.
Impact: Your business may need to complete and document a privacy impact assessment before you analyze plaintext sensitive user data with an analytics tool or send sensitive user data to another country. Using a data privacy vault can help you to de-identify sensitive user data for analytics, and to implement data residency controls so you don’t need to send this data outside of Australia.
3. Improve Organizational Accountability
Proposal 15 of the Privacy Act Review Report would require organizations to record for which purposes they are collecting, using, or disclosing Australians’ sensitive personal information. These purposes must be recorded before any personal user information gets collected.
Impact: Compliance with this proposal would require collaboration between your company’s marketing, product, sales, and security teams to define why you are collecting the sensitive data of Australians. Under this proposal, you would need to appoint or designate a senior employee, such as a Chief Privacy Officer or Chief Information Security Officer (CISO) to enforce data privacy rules internally. A data privacy vault can help whoever is responsible for enforcing data privacy rules in your company to avoid data sprawl so they can track which sensitive data is being collected and maintain data visibility.
4. Help Users Opt Out of Direct Marketing and Targeting Campaigns
Proposal 20 would give all users an unqualified right to opt out of direct marketing and targeted advertising. Companies wouldn’t need explicit consent to collect non-sensitive usage data, such as the number of visits a user makes or how many times they click an ad, but they would still have to let users opt out of this kind of targeting.
Impact: Under this proposal, you would need to honor opt-out requests across all of your marketing channels, so campaigns could no longer rely on cookie-based tracking of browsing history or site visits for users who have opted out. You also would not be able to trade user data with partners, affiliates, or other organizations without the explicit consent of those users. Once you have that consent to share sensitive data with trusted third-party services, a data privacy vault lets you share it securely.
5. Take Measures to Protect De-Identified User Data
Proposal 21 of the Privacy Act Review Report would require organizations to implement “technical and organizational measures” to protect against unauthorized exposure of user data. It would also require businesses to establish their own “maximum and minimum retention periods” for personal information and to destroy or de-identify it once it is no longer needed.
Impact: You would need to define how long each category of sensitive data is kept and put controls in place to protect it for that period and then destroy or de-identify it, including the data of inactive or idle users. A data privacy vault can help here by keeping all sensitive data in one governed location where retention and deletion policies can be enforced consistently, and by giving your other systems only tokens or de-identified data that stay useful without extending the life of the underlying plaintext.
6. Apply Privacy Laws to Vendors, Partners, and Affiliates
Proposal 22 would require companies that are subject to Australian Privacy Principles (APP) to apply those principles to non-APP companies that handle sensitive user data on their behalf.
Impact: You would be required to document all workflows and data transfers between your business and external entities. You would also have to enforce APP requirements with all of your vendors, partners, and affiliates that handle sensitive user data. A data privacy vault provides audit logs for sensitive data that can help you to document both internal workflows and data transfers that involve sensitive data.
7. Restrict Overseas Dataflows
Proposal 23 would tighten overseas data flows by prescribing the countries whose privacy protections are substantially similar to Australia’s, and by introducing standard contractual clauses that the responsible parties must sign before personal information is transferred overseas. It would also require businesses to inform affected Australian residents about overseas disclosures of their data and the associated risks.
Impact: You might need to cease overseas data transfers to countries that lack an Australian-equivalent level of protection, and to put standard contractual clauses in place for the transfers you keep. You might also need a separate data system, such as a data privacy vault hosted in Australia, to store the sensitive data of your Australian users. And you would need to replace tools and vendors that can’t comply with Australian privacy laws.
8. Create Strict Penalties
Proposal 25 would create stricter penalties to encourage improved regulatory compliance by introducing two new civil penalty provisions. It would also require that companies that are subject to APP must “redress any actual or reasonably foreseeable loss or damage suffered by the complainant.”
Impact: You would risk facing much larger penalties and the reputational damage of ongoing public inquiries if you don’t comply with the proposed data privacy law changes. In the event of a violation, you would risk larger payouts to compensate affected users. Using a data privacy vault can help you to avoid penalties by isolating, protecting, and governing sensitive data with fine-grained access controls.
Ease Compliance with Evolving Australian Data Privacy Laws
As businesses continue to collect more user data and cybercriminals employ increasingly sophisticated attacks, data privacy laws are bound to evolve and change at a rapid pace. Between 2021 and 2022 alone, the Australian Privacy Act has undergone nine changes.
Talking about the need to further overhaul existing privacy laws, Federal Attorney-General Mark Dreyfus said, “The Privacy Act does not adequately protect Australians' privacy in the digital age.” He also added that the 116 data privacy recommendations made by the Attorney-General’s Department are awaiting feedback from Australian residents.
While these data privacy recommendations are being evaluated, it is unclear how many of the proposed reforms will be passed into law. Regardless of the outcome of this proposal, your business risks violating new data privacy regulations as they go into effect unless you take a comprehensive, architectural approach to data privacy and compliance.
And in the meantime, you need to make sure you comply with existing rules and regulations around sensitive data protection and data residency in Australia.
With Skyflow Data Privacy Vault, you can ease compliance with both current and upcoming data privacy laws.
Skyflow Data Privacy Vault provides a comprehensive, architectural approach to data privacy and compliance that lets your business go beyond a reactive posture and establish a strong privacy posture by design.
By using a data privacy vault to isolate, protect, and govern sensitive data, you can ease compliance with changing privacy laws in Australia and worldwide.
Skyflow helps you to protect sensitive data and eases compliance by:
- Isolating all your sensitive data in a single place: By isolating sensitive data and avoiding the headaches caused by sensitive data sprawl, you can more easily complete privacy assessments, simplify the compliance certification process, and help protect sensitive data from exfiltration if your systems are breached.
- De-identifying sensitive user data for analytics: You can protect the data privacy of individuals whose sensitive data you use to power critical workflows like analytics by de-identifying all sensitive user data before it’s ingested by your analytics pipeline.
- Tokenizing sensitive data for integrations with trusted third-party services: For many workflows, you need to send payment card data (PCI), health data (PHI), or personally identifiable information (PII) to a third-party service for processing, while remaining compliant with stringent regulatory requirements like PCI DSS. With Skyflow Connections, you can quickly and securely integrate third-party services like Visa, Mastercard, Stripe, Adyen, MuleSoft, and many more with your vault, so plaintext card data never enters your own systems and you can offload much of the associated compliance burden to Skyflow. This makes it easy to process payment card transactions or handle workflows like payment card issuance.
- Using an Australia-based vault to avoid data transfer clauses and honor data residency requirements: By storing all of your sensitive data in a vault that’s located in Australia, you can avoid the need for data transfer clauses and reduce the risk of violating Australia’s healthcare data residency rules. Under the My Health Records Act 2012 (originally enacted as the Personally Controlled Electronic Health Records Act 2012), data held in the My Health Record system must not be held, taken, processed, or handled outside Australia.
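The bullets above describe an architecture rather than a concrete mechanism. The following Python sketch is an added example for this post, not Skyflow’s code or API: the `Vault` class, its `tokenize`, `deidentified_view` and `detokenize` methods, the redaction rules, the region names, and the two sample records are all constructed for illustration. It shows how the pieces fit together: the application keeps only opaque tokens, the vault alone holds plaintext, analytics receives a de-identified view (stable pseudonyms for joins, masked card numbers, age bands instead of birth dates), plaintext is released only to an authorized role and an approved region, and every access attempt, including refusals, lands in an audit log.

```python
"""Toy data privacy vault: isolate, de-identify, govern, pin residency.

Added example; not Skyflow's code or API. All names and records are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date

# Fixed "today" so the age bands below are deterministic (post date).
AS_OF = date(2023, 6, 2)

# Constructed sample records; the two users share an email address,
# spelled with different case, to show that pseudonyms remain joinable.
SAMPLE_RECORDS = [
    {"name": "Alice Nguyen", "email": "Alice@Example.com", "dob": "1985-03-14",
     "card_number": "4111 1111 1111 1111", "medicare_id": "2123 45670 1"},
    {"name": "A. Nguyen", "email": "alice@example.com", "dob": "1991-11-30",
     "card_number": "5555 4444 3333 2222", "medicare_id": "2123 45670 1"},
]


class PolicyError(PermissionError):
    """Raised when an access or residency rule would be violated."""


@dataclass
class Vault:
    region: str                       # where the plaintext physically lives
    approved_regions: frozenset       # destinations allowed to receive plaintext
    _rows: dict = field(default_factory=dict)   # token -> raw record
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    audit_log: list = field(default_factory=list)

    # Field-level rules for the analytics view; unknown fields are dropped.
    REDACTION = {
        "name": "drop",            # never leaves the vault
        "email": "pseudonym",      # keyed hash: joinable, not reversible
        "card_number": "mask",     # last four digits only
        "dob": "age_band",         # generalised to a 10-year band
        "medicare_id": "drop",
    }
    DETOKENIZE_ROLES = frozenset({"support_agent", "privacy_officer"})

    def tokenize(self, record: dict) -> str:
        """Store the raw record; return an opaque, random token for the app DB."""
        token = "tok_" + secrets.token_hex(16)
        self._rows[token] = dict(record)
        self.audit_log.append(("tokenize", token, "-", self.region))
        return token

    def deidentified_view(self, token: str, as_of: date = AS_OF) -> dict:
        """Apply the redaction rules so analytics never sees plaintext PII."""
        out = {}
        for key, value in self._rows[token].items():
            rule = self.REDACTION.get(key, "drop")
            if rule == "pseudonym":
                digest = hmac.new(self._key, value.strip().lower().encode(), hashlib.sha256)
                out[key] = digest.hexdigest()[:16]
            elif rule == "mask":
                digits = value.replace(" ", "")
                out[key] = "*" * (len(digits) - 4) + digits[-4:]
            elif rule == "age_band":
                dob = date.fromisoformat(value)
                age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
                out[key] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
            # "drop": field is simply omitted
        self.audit_log.append(("deidentify", token, "analytics", self.region))
        return out

    def detokenize(self, token: str, role: str, destination_region: str) -> dict:
        """Release plaintext only to an authorised role and an approved region."""
        if role not in self.DETOKENIZE_ROLES:
            self.audit_log.append(("denied_role", token, role, destination_region))
            raise PolicyError(f"role {role!r} may not detokenize")
        if destination_region not in self.approved_regions:
            self.audit_log.append(("denied_region", token, role, destination_region))
            raise PolicyError(f"disclosure to {destination_region!r} is not permitted")
        self.audit_log.append(("detokenize", token, role, destination_region))
        return dict(self._rows[token])


def demo() -> dict:
    """Run the pattern end to end over the constructed records."""
    vault = Vault(region="ap-southeast-2", approved_regions=frozenset({"ap-southeast-2"}))
    tokens = [vault.tokenize(r) for r in SAMPLE_RECORDS]        # app stores these
    views = [vault.deidentified_view(t) for t in tokens]         # analytics gets these
    denied = []
    for role, region in (("marketing_analyst", "ap-southeast-2"), ("support_agent", "us-east-1")):
        try:
            vault.detokenize(tokens[0], role, region)
        except PolicyError as exc:
            denied.append(str(exc))
    released = vault.detokenize(tokens[0], "support_agent", "ap-southeast-2")
    return {"tokens": tokens, "views": views, "denied": denied,
            "released": released, "audit": vault.audit_log}


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The storage token is random rather than derived from the data, so a leaked application database reveals nothing about the values behind the tokens; the analytics pseudonym, by contrast, is a keyed HMAC of the normalized email so that rows about the same person still join, while the key never leaves the vault. Both refusals in `demo()` are written to the audit log alongside the successful release, which is the record an assessor would ask for under the accountability and vendor-oversight proposals discussed above.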
If you’d like to learn more about how Skyflow can help you protect the privacy and security of your customers’ sensitive data while easing compliance, contact us to learn more.