After two years of extensive review and consultation, the Attorney-General’s Department released its Privacy Act Review Report (Report) yesterday, 16 February 2023.

Coming in at over 300 pages, the Report makes 116 proposals to amend the Privacy Act 1988 (Cth) (Act) across three broad categories: scope and application; protections; and regulation and enforcement.

Comparisons with international regimes like the GDPR are inevitable and, if implemented, these changes may well support a realistic push for an ‘adequacy’ finding for Australia under relevant overseas regimes, opening up the possibility of easier cross-border transfers, both inbound and outbound.

We will provide more detailed analysis in the coming days, but some high points to note are:

  • scope: the definition of ‘personal information’ will be amended to overcome some narrow judicial interpretation in the past, and expressly broadened to include key digital data such as inferred and technical information, geolocation data and online identifiers
  • scope: the oft-maligned small business exemption will be removed, and other previously broad exemptions (employee records, political parties and journalism) will be narrowed
  • transparency and consent: the ‘notice and consent’ regime will be retained, but with a stronger focus on the clarity of notices (potentially standardised) and on ‘true’ consent, which must be voluntary, informed, current, specific and unambiguous, and must be as easy to withdraw as it was to give
  • proportionality and data minimisation: a new proportionality test will require any collection of personal information to be fair and reasonable in the circumstances, countering the temptation to exploit the imbalance of power between organisations and individuals and the immense data collection capabilities that exist online
  • risk assessments: privacy impact assessments will be mandatory for high-risk processing
  • special protections: clarification of the definition of a ‘child’ and of children’s capacity to consent, a children’s online privacy code, and special protections for vulnerable individuals are all recommended to strengthen protection for special classes of individuals and in high-risk circumstances
  • vastly increased rights for individuals/new invasion of privacy tort: a significant proposal for a direct right of action allowing individuals to sue for breaches of the Act, together with the introduction of a statutory tort for serious invasions of privacy
  • penalties: combined with the increase in penalties for serious or repeated interferences with privacy introduced late last year (up from $2.22m to the greater of $50m, three times the benefit obtained, or 30% of turnover in the relevant period), privacy compliance will become as financially significant as it is reputationally significant. The Report also proposes intermediate penalty tiers and guidance on thresholds for harm, providing a graduated risk regime and some welcome regulatory certainty
  • controller/processor distinction: in what is perhaps a surprising development (given the tone of earlier interim stages of this process), the introduction of a controller/processor distinction has been recommended. This is a great development for delineating obligations across complex supply chains (such as digital advertising) and for those working with cross-border transfers in particular. Together with the GDPR-like protections above, it potentially opens up the greatest possibilities: Australia could press for ‘adequacy’ under the GDPR, obviating the need for complex data transfer impact assessments and enabling easier cross-border data flows.

Overall, the Report delivers what was expected, and perhaps goes a little further, in bringing Australia’s regime into line with practices, expectations and regulatory trends in the third decade of the 21st century.

Next steps

The Government has called for feedback on the proposals before deciding how to proceed. The deadline for feedback is 31 March 2023.