By Richard Smith

In August 2008, the Australian Law Reform Commission (ALRC) published the final report of its review of privacy law in Australia. The report, "For Your Information: Australian Privacy Law and Practice," runs to about 2,700 pages and recommends substantial changes to Australia's existing privacy laws and practices.

The recommended changes include:

  • a call for mandatory notification for certain data protection breaches;
  • the removal of exemptions in relation to employee records and small business;
  • new requirements for cross-border data flows; and,
  • increased penalties.

Privacy in Australia is currently regulated by the Federal Privacy Act 1988 (Cth) (Act) and some states and territories also have legislation covering privacy. In January 2006, the Australian attorney general requested that the ALRC conduct an inquiry into the extent to which there is an effective framework for the protection of privacy in Australia. The ALRC carried out a substantial review with extensive public and industry consultation considering Australian privacy law and practice, as well as trends in other jurisdictions, particularly the USA and Europe. The resulting report recommends sweeping reforms to Australian privacy law.

Historically, nearly 80 percent of ALRC reports are substantially or partially implemented by the government. If the recommendations of the report subsequently become law, they will have significant consequences for Australian businesses and how they treat personal information and interact with their customers, employees and suppliers. They will also affect the way that governments and agencies carry out their functions and interact with the public.

Key recommendations of the ALRC

1. Data breach notification
In Australia today there is no mandatory obligation for entities to report instances where personal information is disclosed or compromised through a data breach. The ALRC considered legislative trends in other jurisdictions, as well as the increasing public concern about data theft and identity fraud and recommended the introduction of a mandatory data breach notification requirement. The report notes that its primary rationale for the introduction of the requirement is that '…notifying people that their personal information has been breached can help to minimise the damage caused by the breach.'

The ALRC proposes that:

  • an agency or organisation be required to notify the privacy commissioner and the affected individual when a data breach has occurred that may give rise to 'a real risk of serious harm to any affected individual';
  • the notification only be required in respect of 'specified personal information', which will be narrower in scope than ordinary 'personal information'; and,
  • civil penalties apply for failures to report breaches.

2. Cross-border data flows
Business process outsourcing and other business activities that rely on trans-border data flows are becoming an increasingly common part of the Australian economy. The report recognises the public concerns that arise from sending personal data to other jurisdictions where privacy laws may be less robust. The ALRC proposes that the law be amended to make the entity sending the data overseas still accountable for that data, save in circumstances where:

  • there is reasonable belief that the information recipient is subject to a law, scheme or contract which upholds substantially similar privacy requirements (the ALRC wants detailed guidance published on this issue);
  • the affected individual consents, after being expressly advised that the sender will no longer remain accountable for the individual's personal information once sent off-shore; or,
  • the sender is required or authorised under a law to transfer the data.

3. Certain exemptions from the act to be removed
The ALRC recommends that a number of current exemptions from the act be removed, most notably the 'small business' exemption and the 'employee records' exemption.

Small business
Currently, businesses with a turnover of $3 million or less are generally exempt from the act. (There are a few exceptions, such as businesses that provide health services and hold health information, and businesses that are related to larger businesses.) The ALRC proposes that this exemption be removed.

To offset the resulting compliance costs, the ALRC has proposed that the Office of the Privacy Commissioner (OPC) provide assistance to the small business sector through a national hotline, educational materials and templates to assist in preparing privacy policies.

Employee records
Private sector employers are generally exempt from the application of the act in relation to certain 'employee records'. The ALRC proposes that the Privacy Act be amended to remove this exemption and that the OPC develop specific guidance relating to employees, including when it is appropriate to disclose to an employee third-party complaints about that employee.

4. Statutory cause of action for serious invasion of privacy
To ensure a consistent national position and approach, the ALRC proposes the introduction of a statutory cause of action for the invasion of privacy. The ALRC has suggested a three-tiered test in order to establish this proposed statutory cause of action:

(a) the two elements of the cause of action must be satisfied, namely: (i) there must be a reasonable expectation of privacy; and (ii) the act or conduct is highly offensive to a reasonable person;

(b) the relevant 'circumstance of invasion' must exist (e.g. a person must demonstrate interference with his or her home life, the disclosure of sensitive information about his or her private life or unauthorised surveillance); and,

(c) that, in the circumstances, the public interest in maintaining the individual's privacy outweighs other matters of public interest.

5. Increased penalties
The ALRC also considered the adequacy of the existing remedies available to the privacy commissioner to enforce compliance with the act. While the ALRC recognised that the privacy commissioner already has mechanisms available to ensure compliance (such as the power to make determinations), it has recommended strengthening the enforcement powers of the privacy commissioner, including giving the commissioner the ability to:

  • impose a civil penalty where there is a serious or repeated interference with the privacy of an individual; and,
  • enforce undertakings to ensure compliance with the act.

Next steps
According to the Australian Cabinet Secretary, Senator Faulkner, the government will consider the ALRC recommendations in stages. First, the government proposes to respond to the recommendations relating to the privacy principles, health, credit reporting and education in relation to new technologies. In the second stage, the government will consider the recommendations relating to the removal of exemptions, data breach notification and the statutory cause of action for a serious invasion of privacy. If the first-stage recommendations are accepted, the government is expected to enact those reforms within the next 12 to 18 months.

Richard Smith is a senior associate in the Technology, Media and Commercial Group at DLA Phillips Fox in Sydney, Australia. He specialises in advising clients with respect to technology and privacy compliance issues. He has also assisted clients in areas including IT service contracts, smartcard schemes, BPO and offshore outsourcing. Richard regularly speaks at industry conferences on legal developments relating to the IT industry and contributes articles to industry and legal newsletters. Richard can be reached at + 61 2 9286 8605 or richard.smith@dlaphillipsfox.com.
