On 28 September 2023, the Australian Government released its response (Response) to the Privacy Act Review Report. The Privacy Act Review Report, published in February 2023 after more than two years of extensive consultation, made 116 proposals to strengthen Australia’s privacy laws. In its Response, the Government agreed to 38 proposals, agreed in-principle to 68 proposals and noted 10 proposals. Although the legislation to bring the reforms into law is not set to be tabled until 2024, it is prudent for businesses to take certain practical steps to ensure that they are ready for the incoming changes, and demonstrate to customers and other stakeholders that they take seriously the personal information with which they are entrusted.
Why are these changes required?
The Response reflects the Government’s aim to overhaul Australia’s privacy laws, dating back to the late 1980s, to bring them into line with community expectations and make them fit for purpose for the digital age. While the proposals do not mirror the more stringent requirements of GDPR jurisdictions, they would bring the Privacy Act 1988 (Cth) (the Privacy Act) significantly closer to such global benchmarks.
The proposed reforms seek to strike the right balance between a raft of competing considerations – balancing the regulatory burden on organisations, encouraging innovation and enterprise, protecting Australians’ personal data from cyber-attacks and other data breaches (and resultant identity theft, scams and other misuse), increasing clarity, simplicity, transparency and control of personal information, building security, trust and confidence in Australia’s digital ecosystems and strengthening enforcement in cases of wrongdoing.
Timeline
Where proposals have been ‘agreed’, draft legislation will now be prepared and released for targeted consultation. Those ‘agreed in-principle’ will be subject to a further process of stakeholder engagement and impact analysis, ahead of a final decision as to their implementation. Some of those simply ‘noted’ are subject to further Government consideration of how to best achieve policy objectives.
The Government has committed to introducing legislation to reform the Privacy Act in 2024. It can be expected that legislation will be rolled out in stages, with transitional periods to enable organisations to ready themselves. The privacy law changes will be complemented by parallel reforms focussed on cyber-security, digital identities and responsible use of artificial intelligence.
Key proposals to note
We highlight in this article those proposals most likely to impact businesses.[1] Although legislation to reform the Privacy Act is not expected until 2024, businesses can and should take steps now to prepare for these reforms, as we suggest further below.
Clarity and flexibility: The Government has agreed to amend the objects of the Privacy Act to recognise the public interest in protecting privacy and clarify its focus on information privacy.
The flexibility of the privacy regime will be enhanced through the making of APP codes and emergency declarations. Reflecting the types of information that require protection in the digital age, the Government has agreed in-principle that (among other things):
Consent and privacy default settings: To avoid ‘consent fatigue’ and undue compliance burdens, consent remains a requirement only in high privacy risk situations (such as collection of sensitive information, disclosure of information overseas, and use / disclosure for secondary purposes). The Government agreed in-principle to a clarification in the Privacy Act that consent (where it is required) should be voluntary, informed, current, specific and unambiguous. To that end, it also agreed in-principle that individuals should have the express right to withdraw consent, as easily as it is given – with guidance to be provided on the form and content of online consent requests, and online privacy settings to reflect the privacy-by-default framework of the Privacy Act.
Removal of the small business exemption: Businesses with an annual turnover of $3 million or less are currently exempt from the Privacy Act (subject to exceptions such as health service providers). The Government has agreed in-principle that the small business exemption should be removed, given the privacy risks now inherent across the digital environment. While this heralds a major change for small businesses and their compliance obligations, it will not occur without (a) an impact analysis, (b) further consultation on how to switch on obligations, proportionate to risks (possibly through a code), (c) the development of small business supports, and (d) a transition period to enable small businesses to ready themselves to comply. In the shorter term, it is intended that the small business exemption will be revoked for small businesses that collect biometric information for use in facial recognition technology and those that trade in personal information.
Employee records: Employee records for both current and former private sector employees are presently exempt from the provisions of the Privacy Act. Further consultation on enhanced privacy protections for these employees (including employee data breach notifications) has been agreed in-principle.
‘Fair and reasonable’ test: The Government has recognised that, currently, the burden of managing privacy still falls largely on individuals to decipher complex privacy policies and collection notices. To address this imbalance (by shifting the burden to organisations), it has agreed in-principle to a new requirement that the collection, use and disclosure of personal information be fair and reasonable. This requirement would apply irrespective of whether or not consent has been obtained.
While the wording of the ‘fair and reasonable’ test is still to be developed (and its interpretation would evolve through enforcement determinations and case law over time), the question of whether this test is met in the circumstances will likely include legislated factors (agreed in-principle) such as:
Privacy policies and collection notices: To address concerns that privacy policies and collection notices can be too complex, lengthy, legalistic and vague, a requirement that collection notices be clear, up-to-date, concise and understandable with appropriate accessibility measures has been agreed in-principle. The Government also agreed in-principle that collection notices should specify whether information is collected, used or disclosed for high privacy risk activities, how to exercise individual rights, and the types of personal information that may be disclosed to overseas recipients. The development of standardised templates, layouts, terminology and icons for privacy policies and collection notices has been agreed in-principle to facilitate the new requirements.
Data retention: It has been agreed in-principle that entities should be required to establish their own maximum and minimum retention periods – with such periods to be specified in their privacy policies and periodically reviewed. More broadly, the Government has agreed in-principle to review all legal provisions across different regimes which require the retention of personal information, to determine if they appropriately balance policy objectives with the privacy and cyber-security risks of holding significant volumes of such information.
Data security: The significant data breaches of the past year, and their sometimes devastating impact on individuals, have highlighted the need to enhance the Privacy Act’s existing data security obligations. To this end, the Government has:
Notifiable Data Breaches scheme: The Notifiable Data Breaches scheme sets out requirements for entities where they become aware that there are reasonable grounds to believe that there has been an eligible data breach. Heightened requirements to ensure more rapid responses in such circumstances have been agreed in-principle. These include requirements to:
To reduce the considerable reporting burden, the Government has also agreed to consider how best to streamline the multiple reporting processes often faced by entities in the event of a data breach.
Designated employees and organisational accountability: The Government has agreed in-principle to further organisational accountability measures, including:
Privacy Impact Assessments: While Commonwealth agencies are currently required to complete a Privacy Impact Assessment (PIA) for all high privacy risk projects, entities in the private sector have not been required to do so. This may be set to change with the Government agreeing in-principle that non-government entities be required to conduct a PIA in such circumstances. By undertaking a PIA, it is hoped that a business would be able to identify and assess the impacts of an activity on the privacy of individuals and make an informed decision as to whether or not the impact of the activity was so great that it would contravene the Privacy Act. Examples of high risk activities may include dealing with sensitive information on a large scale, selling personal information, and the use of biometric information (such as facial recognition technology).
Automated decision-making (ADM): The Government has agreed that privacy policies must set out the types of personal information that will be used in substantially automated decisions that have a legal / similarly significant effect on an individual’s rights, and that individuals should have the right to request meaningful information about how such automated decisions are made. In this regard, the Government acknowledged the recommendations of the Royal Commission into the Robodebt Scheme in relation to the use of ADM by Commonwealth agencies.
Direct marketing, targeting and trading: The increased use of high volumes of data in targeted or personalised advertising and content has brought new privacy risks. The Government has agreed in-principle to introduce definitions for direct marketing, targeting and trading in the Privacy Act. It has also agreed in-principle that individuals should have an unqualified right to opt out of their personal information being used or disclosed for direct marketing purposes (but not, at this stage, the right to opt out of receiving targeted advertising, which is undergoing further consideration).
To address concerns about harmful targeting, the Government has agreed in-principle that:
Cross-border data flows: The proposed reforms seek to address increased concerns about the privacy risk of international data transfers, in an age where the free flow of information across borders is becoming ever more important. Significantly, the Government has agreed to introduce an adequacy regime, whereby it will prescribe countries with substantially similar protection to the Australian Privacy Principles (APPs). This will allow businesses to disclose personal information to recipients in those prescribed countries without the need for contractual provisions or other measures.
To facilitate cross-border transfers to non-prescribed countries, the Government has agreed in-principle to provide standard contractual clauses, for voluntary use, requiring that the overseas recipient does not breach the APPs. Where the use of such standard contractual clauses is not appropriate, entities will be able to rely on the existing informed consent exception. The Government has agreed in-principle to strengthen this exception by requiring entities to consider the risks associated with an overseas disclosure of personal information, to consider whether other mechanisms could facilitate the disclosure, and to inform individuals that privacy protections may not apply to their information if they consent to the disclosure.
The Government has also agreed in-principle that entities should be required to specify the types of personal information that may be disclosed, when specifying the countries in which recipients of overseas disclosures are likely to be located. Further consultation will be undertaken on the scope of the extraterritorial provisions of the Privacy Act.
Individual rights: Currently, an individual has the right to access and request the correction of their personal information.[2] The privacy reforms intend to build on these limited rights, with the Government agreeing in-principle to additional individual rights to:
These new rights would be subject to exceptions, including circumstances involving legal proceedings or obligations or where it would be unreasonable, technically impossible or contrary to the public interest to comply. The new rights would be notified to individuals at the point of collection, and response procedures set out in privacy policies. Reasonable assistance must be provided for the exercise of rights, and reasonable steps must be taken to acknowledge the request and respond, under the proposed reforms.
Rights to litigate for interferences with privacy: At present, individuals have limited avenues to seek redress for interferences with their privacy. We have previously discussed the liability landscape in Australia under the current privacy framework. Courts in jurisdictions such as New Zealand, the United Kingdom, some Canadian provinces and some states in the United States recognise torts or actions for invasion of privacy, although a notable distinction between these jurisdictions and Australia is that Australia does not have a national human rights framework from which Australian Courts would be able to derive such a tort.
The Government has now agreed in-principle to both:
The direct right of action would be subject to mechanisms to encourage early resolution of claims, to minimise the potentially large burden on the courts.
To establish the statutory tort, a plaintiff bringing a claim would be required to prove that:
Strengthened OAIC enforcement: Addressing concerns that the OAIC lacks the teeth to effectively deter privacy breaches and non-compliance, the Government has agreed to significantly bolster its enforcement toolkit. This includes amendments to the current civil penalty provision for serious interferences with privacy, a new mid-tier civil penalty provision, and a new low-level civil penalty for administrative breaches (for example, a failure to have a compliant privacy policy). New remedial powers and powers to undertake investigations, public inquiries and reviews will also be introduced. To resource increased enforcement action, consideration will also be given to an industry funding model, a contingency litigation fund and an enforcement special account to fund high cost litigation by the OAIC.
Checklist: Practical steps that your business can take now
In preparing your business for the coming reforms, ensuring robust privacy and risk mitigation practices and demonstrating to customers and other stakeholders that your business takes seriously the personal information with which it is entrusted, the following steps are recommended:
If you would like to discuss these issues further, please contact our team.
[1] The Report contains various other proposals not considered here (addressing, for example, the personal information of children and vulnerable people, research, journalism exemptions and government co-operation, information sharing and review mechanisms).
[2] Privacy Act 1988 (Cth) sch 1 s 12.