Reform of the Privacy Act: the future of privacy obligations in business

07 DEC 2023

 

In December 2019, the Attorney-General announced a review of the Privacy Act 1988 (Cth) (Privacy Act) which resulted in the ‘Privacy Act Review Report’ published in February 2023 (Report). The Report included 116 proposals for reform of the Privacy Act. On 28 September 2023, the Federal Government delivered its response to the Report.

While the Government is supportive of the Report, its response does not provide much certainty as to the detail of legislative reform. The Government was tentative in its response, agreeing to 38 of the proposals, with the balance either agreed in principle (i.e. the Government requires further clarification on how and whether to implement the proposals) or noted (i.e. a likely rejection of the proposals).

The Government has committed to introduce draft legislation in 2024, which will likely legislate the less controversial and prioritised changes to the Privacy Act. However, the majority of the proposals will be subject to further public consultation, which will likely delay the implementation of substantive legislative reform.

Key reforms that have been agreed or agreed to in principle and which businesses should be aware of include the following:

  • Protections for children’s data: How the best interests of a child (i.e. under eighteen (18) years) should be managed in the privacy context, which will likely have an impact on online businesses that are accessed by children.
  • Greater enforcement powers of the Office of the Australian Information Commissioner (OAIC): The powers of the OAIC to be enhanced to take action for serious breaches of privacy, as well as the introduction of tiered penalty provisions for breaches of privacy and the Privacy Act.
  • Transparency requirements for automated decision making: Businesses to demonstrate transparency regarding personal information that is used for decisions made using automation or artificial intelligence.
  • Removal of small business exemption: Small businesses with annual turnover of less than $3 million are presently exempted from the application of the Privacy Act. If this is removed, it will have an impact on small businesses in terms of the costs and regulatory burden of complying with the Privacy Act.
  • New direct right of action: Individuals having a direct right of action to seek compensation through court action where they have suffered loss or damage as a result of a serious breach of privacy, as well as a statutory tort of privacy enabling individuals to sue for serious invasions of privacy committed intentionally and recklessly in circumstances that fall outside of the Privacy Act. This is likely to increase the volume of privacy related litigation, as currently the only means of enforcement is through the OAIC.
  • Employee data: Privacy Act to capture employee records, which are currently not captured under the Privacy Act.
  • Provisions regarding the retention of personal information: The introduction of an obligation on businesses to establish minimum and maximum data retention periods for personal information.
  • Expanding the definition of personal information and clarifying when an individual will be considered reasonably identifiable: An expansion of the definition of personal information could mean that data that currently falls outside of the Privacy Act will become relevant. Further, an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is unknown, which would impact businesses that rely on anonymous identifiers.
  • Introducing further controls and individual rights regarding access, correction and erasure: This could result in increased regulatory burdens on businesses due to an increase in the volume and nature of requests by individuals exercising these expanded rights.

We will keep you informed and updated as the Government progresses the proposed reforms to the Privacy Act.

If you would like advice or assistance in relation to privacy law, please contact our Senior Associate, Josef Ferraro at jferraro@marsdens.net.au or otherwise by calling on (02) 4626 5077.

The contents of this publication are for reference purposes only. This publication does not constitute legal advice and should not be relied upon as legal advice. Specific legal advice should always be sought separately before taking any action based on this publication.
