law-legal-technology 1900x500

Privacy law under the spotlight – release of the Privacy Act Review Report

Gina Tresidder and Christopher Wright

Key Points

  • An extensive consultation and review process has culminated in the release of the Attorney-General’s Privacy Act Review Report on 16 February 2023.
  • The Report proposes significant reforms to Australian privacy law, including limiting the small business exemption, and requiring Privacy Impact Assessments for high privacy risk activities.
  • Interested parties have until 31 March 2023 to submit feedback.
  • Russell Kennedy is able to assist clients seeking to make a submission to the consultation process or to advise how their services may be affected by the current proposals.

What is the Privacy Act Review Report?

On 16 February 2023, the Attorney-General released the Privacy Act Review Report (Report), which can be found here.

This review of the Privacy Act 1988 (Act) was instigated following the Australian Competition and Consumer Commission’s (ACCC) 2019 Digital Platforms Inquiry final report, which made several recommendations for privacy law reform. Commencing in October 2020, the Attorney-General underwent extensive consultation and review of the Act. On 16 February 2023, the Attorney-General released its long-awaited report drawing on feedback from stakeholders and analysis of other sources, including research papers, international data protection and privacy laws and reports.

A total of 116 proposals have been made by the Attorney-General designed to better align Australia’s laws with global standards of information privacy protection. There are three main areas of focus, namely: the scope and application of the Act, the privacy protections which should apply under the Act, and the enforcement of the Act to address breaches of privacy.

Some of the proposals include:

  • Expansion of the definition of ‘personal information’ to increase the scope of the Act;
  • A change to current exemptions within the Act, including limiting the exemptions on small businesses;
  • The introduction of a ‘fair and reasonable’ test with respect to the handling of personal information;
  • Enhancement of individuals’ rights to their personal information to increase transparency and control, including a right to object, request erasure, and have search results de-indexed;
  • The requirement for a Privacy Impact Assessment for activities with a high privacy risk;
  • Enhancements to the Notifiable Data Breach (NDB) scheme to minimise harm to affected individuals, including new data breach reporting obligations;
  • Additional obligations for ‘de-identified’ information to better regulate information, including prohibiting APP entities from re-identifying de-identified information;
  • The introduction of ‘controllers’ and ‘processors’, causing a non-APP entity to potentially fall within the scope of the Act if it processes information on behalf of an APP entity controller;
  • Greater enforcement powers for the Office of the Australian Information Commissioner (OAIC) and civil penalties for breaches;
  • The introduction of a ‘direct right of action’ for individuals to seek remedies in court for breaches of the Act which cause harm; and
  • Introduction of a statutory tort of privacy for serious invasions of privacy for individuals to seek compensation in court for breaches of privacy which fall outside the Act.

Next Steps

Feedback is currently being sought by the Government in its response to the Privacy Act Review Report from both public and private entities, with the deadline for feedback on 31 March 2023. You can provide your feedback here.

How we can help

Russell Kennedy is able to assist clients seeking to make a submission to the consultation process or to advise how their services may be affected by the current proposals.

Please contact Russell Kennedy’s expert Privacy team members Gina Tresidder, Kate Littlewood or Michael Cassidy for advice on all aspects of privacy, cybersecurity and data protection in Australia.

If you’d like to stay up to date with Russell Kennedy Alerts and Events, you can subscribe to our mailing list here.

The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy lawyers listed above.

View related insights

Cyber attack

New Privacy Legislation in 2024 - Government responds to proposed reforms to Australia’s privacy laws

10 Oct 2023

The Australian Government has published its response to the Attorney-General’s Privacy Act Review Report.

modern-cityscape-with-office-buildings-and-skyscrapers 540x360

Implementation of Australian foreign ownership register

4 Jul 2023

The Register of Foreign Ownership of Australian Assets (Register), recently announced by the Australian Tax Office (ATO), commenced on 1 July 2023, as well as the introduction of new Online Services f ...

legal-advice-online-labor-law-concept-layer-or-notary-working 360x240

Getting a Headstart on Trade Mark protection in Australia

8 Mar 2022

Australia’s trade mark system is quite unique to other jurisdictions in that it allows an Applicant to opt to have their application pre-assessed before it is formally filed. In other words, it ...