New Privacy Legislation in 2024 - Government responds to proposed reforms to Australia’s privacy laws

Gina Tresidder, Nathan Curcio

Key points

  • The Australian Government has published its response to the Attorney-General’s Privacy Act Review Report.
  • The Government has “agreed” with 38 of the 116 proposals to reform Australia’s privacy laws and “agreed in-principle” to 68 proposals.
  • The “agreed” proposals include strengthening security and data destruction obligations, expanding the courts’ enforcement powers, and introducing new mid-tier and low-level civil penalty provisions.
  • The Government is committed to introducing legislative amendments in 2024.


On 28 September 2023, after extensive public consultation, the Australian Government published its response (Response) to the Attorney-General’s Privacy Act Review Report (Report). The Response can be found here. A summary of the Report can also be found here.

The Report contained 116 proposals made by the Attorney-General’s Department to amend the current Privacy Act 1988 (Cth) (Privacy Act) to better align Australia’s privacy laws with global standards of information privacy protection.

Of the 116 proposals, the Government has:

  • “agreed” to 38 proposals, which will be the subject of legislative amendments to be developed by the Attorney-General’s Department; and
  • “agreed in-principle” to 68 proposals, which will require further engagement with businesses and a comprehensive impact analysis before the Government makes a final decision.

Key Reforms

Key reforms that have been “agreed” to by the Government include:

Security and destruction of personal information

  • Strengthening existing security and data destruction obligations by clarifying that the “reasonable steps” an entity is required to take include both technical and organisational measures.
  • The Office of the Australian Information Commissioner (OAIC) providing additional guidance as to what constitutes reasonable steps, drawing on technical advice from the Australian Cyber Security Centre.

Automated Decision-Making

  • Requiring privacy policies to outline the types of personal information used in substantially automated decisions that have a significant effect on individuals’ rights.

Children’s Privacy

  • Introducing a Children’s Online Privacy Code which would apply to online services that are likely to be accessed by children.
  • Defining ‘child’ in the Privacy Act as an individual who has not reached 18 years of age.


  • Introducing tiers of civil penalty provisions, including a new mid-tier civil penalty provision for interferences with privacy that do not have the “serious” element, and new low-level civil penalty provisions for administrative breaches.
  • Expanding the courts’ powers to make any order they see fit after a civil penalty provision relating to an interference with privacy has been established.
  • Allowing the Commissioner to make a declaration requiring an entity to identify, mitigate, and redress actual or foreseeable loss suffered by individuals.
  • Granting the Information Commissioner additional powers for investigations of civil penalty provisions and the power to undertake public inquiries and reviews on approval or direction by the Attorney-General.

APP Codes

  • Allowing the Commissioner to make APP Codes for specific industries where there is unlikely to be an appropriate industry representative to develop the code.

Not Yet

Key reforms that have been “agreed in-principle” by the Government, but require further consideration, include:

  • removing the small business exemption;
  • extending privacy protections to private sector employees;
  • amending the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous; and
  • requiring that the collection, use and disclosure of personal information must be fair and reasonable regardless of whether consent has been obtained.

Next Steps

The Government has indicated it intends to introduce legislation in 2024. The Attorney-General’s Department will draft legislative proposals and consult further with relevant entities on the “agreed” proposals.

As for the “agreed in-principle” proposals, there will be further engagement with entities to explore how best to balance privacy safeguards with the additional regulatory burden these represent.

How we can help

Russell Kennedy can advise clients on how their services may be affected by the agreed proposals.

Please contact Russell Kennedy’s expert Privacy team members Gina Tresidder, Jonathan Teh, Anthony Massaro or Kate Littlewood for advice on all aspects of privacy, cybersecurity and data protection in Australia.

The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy lawyers listed above.
