By Richard Smith

In August, the Australian Law Reform Commission (ALRC) published its final report on its review of privacy laws in Australia. The report, "For your information: Australian Privacy Law and Practice," is about 2,700 pages long and recommends substantial changes to Australia's existing privacy laws and practices.

The recommended changes include:

  • a call for mandatory notification for certain data protection breaches;
  • the removal of exemptions in relation to employee records and small business;
  • new requirements for cross-border data flows; and,
  • increased penalties.

Privacy in Australia is currently regulated by the Federal Privacy Act 1988 (Cth) (Act) and some states and territories also have legislation covering privacy. In January 2006, the Australian attorney general requested that the ALRC conduct an inquiry into the extent to which there is an effective framework for the protection of privacy in Australia. The ALRC carried out a substantial review with extensive public and industry consultation considering Australian privacy law and practice, as well as trends in other jurisdictions, particularly the USA and Europe. The resulting report recommends sweeping reforms to Australian privacy law.

Historically, nearly 80 percent of ALRC reports are substantially or partially implemented by the government. If the recommendations of the report subsequently become law, they will have significant consequences for Australian businesses and how they treat personal information and interact with their customers, employees and suppliers. It will also affect the way that governments and agencies carry out their functions and interact with the public.

Key recommendations of the ALRC

1. Data breach notification
In Australia today there is no mandatory obligation for entities to report instances where personal information is disclosed or compromised through a data breach. The ALRC considered legislative trends in other jurisdictions, as well as the increasing public concern about data theft and identity fraud and recommended the introduction of a mandatory data breach notification requirement. The report notes that its primary rationale for the introduction of the requirement is that '…notifying people that their personal information has been breached can help to minimise the damage caused by the breach.'

The ALRC proposes that:

  • an agency or organisation be required to notify the privacy commissioner and the affected individual when a data breach has occurred that may give rise to ‘a real risk of serious harm to any affected individual’;
  • the notification only be required in respect of ‘specified personal information’, which will be narrower in scope than normal ‘personal information’; and,
  • civil penalties apply for failures to report breaches.

2. Cross-border data flows
Business process outsourcing and other business activities that rely on trans-border data flows are becoming an increasingly common part of the Australian economy. The report recognises the public concerns that arise from sending personal data to other jurisdictions where privacy laws may be less robust. The ALRC proposes that the law be amended to make the entity sending the data overseas still accountable for that data, save in circumstances where:

  • there is reasonable belief that the information recipient is subject to a law, scheme or contract which upholds substantially similar privacy requirements (the ALRC wants detailed guidance published on this issue);
  • the affected individual consents, after being expressly advised that the sender will no longer remain accountable for the individual's personal information once sent off-shore; or,
  • the sender is required or authorised under a law to transfer the data.

3. Certain exemptions from the act to be removed
The ALRC recommends that a number of current exemptions from the act be removed, most notably the ‘small business’ exemption and the ‘employee records’ exemption.

Small business
Currently, businesses with a turnover of $3 million or less are generally exempt from the act. (There are a few exceptions, such as businesses that provide health services and hold health information, and businesses that are related to larger businesses.) The ALRC proposes that this exemption be removed.

To overcome compliance costs, the ALRC has proposed that the Office of the Privacy Commissioner (OPC) provide assistance to the small business sector through a national hotline, educational materials and templates to assist in preparing privacy policies.

Employee records
Private sector employers are generally exempt from the application of the act in relation to certain ‘employee records’. The ALRC proposes that the Privacy Act be amended to remove this exemption and that the OPC develop specific guidance relating to employees, including when it is appropriate to disclose to an employee third-party complaints about that employee.

4. Statutory cause of action for serious invasion of privacy
To ensure a consistent national position and approach, the ALRC proposes the introduction of a statutory cause of action for the invasion of privacy. The ALRC has suggested a three-tiered test in order to establish this proposed statutory cause of action:

(a) the two elements of the cause of action must be satisfied, namely: (i) there must be a reasonable expectation of privacy; and (ii) the act or conduct is highly offensive to a reasonable person;

(b) the relevant ‘circumstance of invasion’ must exist (e.g. a person must demonstrate interference with his or her home life, the disclosure of sensitive information about his or her private life or unauthorised surveillance); and,

(c) that, in the circumstances, the public interest in maintaining the individual’s privacy outweighs other matters of public interest.

5. Increased penalties
The ALRC also considered the adequacy of existing remedies available to the privacy commissioner to enforce compliance with the act. While the ALRC recognised that the privacy commissioner had existing mechanisms available to ensure compliance (such as the power to make determinations), it has recommended the strengthening of the enforcement powers of the privacy commissioner, including giving the commissioner the ability to:

  • impose a civil penalty where there is a serious or repeated interference with the privacy of an individual; and,
  • enforce undertakings to ensure compliance with the act.

Next steps
According to the Australian Cabinet Secretary Senator Faulkner, the government will consider the ALRC recommendations in stages. Firstly, the government proposes to respond to the recommendations relating to the privacy principles, health, credit reporting and education in relation to new technologies. In the second stage, the government will consider the recommendations relating to the removal of exemptions, data breach notices and the statutory cause of action for a serious invasion of privacy. It is expected that, if accepted, the government will enact the first stage of reforms within the next 12 to 18 months.

Richard Smith is a senior associate in the Technology, Media and Commercial Group at DLA Phillips Fox in Sydney, Australia. He specialises in advising clients with respect to technology and privacy compliance issues. He has also assisted clients in areas including IT service contracts, smartcard schemes, BPO and offshore outsourcing. Richard regularly speaks at industry conferences on legal developments relating to the IT industry and contributes articles to industry and legal newsletters. Richard can be reached at + 61 2 9286 8605 or