The Australian Attorney-General's Department released its highly anticipated review of the Privacy Act 1988 Thursday, a significant step in the reform of the nation's privacy law. The Privacy Act Review Report includes 116 recommendations based on 30 "key themes and proposals" from stakeholders during the course of the last two years.

"The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner," according to the Attorney-General's Department.

The potential reforms cover a wide range of issues, including abolishing the small business exemption (but only after several conditions are met), implementing new limits on targeted advertising, particularly ads aimed at children, and introducing a suite of individual privacy rights, such as the "right of erasure" and deindexing search results with sensitive or inaccurate information, among many others.

The public can comment on the proposed reforms until March 31.

The Office of the Australian Information Commissioner welcomed the release of the report. "This is an important milestone as we move towards further reform of Australia’s privacy framework," Australian Information Commissioner and Privacy Commissioner Angelene Falk said. "As the world has become increasingly connected and information flows more complex, our privacy laws need to adapt to ensure that personal information is protected and handled fairly."

Falk also noted the OAIC sees "the proposal to introduce a positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework. This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place."

The proposed reforms follow the late 2022 passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which significantly increased fines for serious data breaches and enforcement powers for the OAIC. The legislation came after several high-profile data breaches in Australia.

Reaction to the reforms 

Salinger Privacy Founder Anna Johnston, CIPP/E, CIPM, FIP, said the reforms are "sensible" and "match the realities of the digital economy."

"We need privacy laws which reflect the clear expectations of the Australian community to have their privacy protected whether they are dealing with government, big business or small business, and regardless of whether they are online or offline," she said.

However, Johnston expressed frustration "that after three years there is to be yet more consultation on the recommendations."

Privcore Managing Director Annelies Moens, CIPP/E, CIPT, FIP, warned businesses to pay attention. "The small business exemption is recommended for removal (amongst others). Given that the Australian Privacy Act has extra-territorial application, this will significantly broaden the number of organisations globally that are required to comply with the Privacy Act when handling personal information connected with Australia."

Moens also predicted that the reforms would likely lead to more litigation, "as a direct right of action and a statutory tort for serious invasions of privacy are proposed to be introduced, providing individuals with additional avenues of redress. This is particularly relevant as the OAIC has a massive backlog of privacy complaints and insufficient resources."

Johnston noted businesses may resist some of the proposals "as difficult to implement, such as the 'right to erasure' — but in reality businesses should already be paying more attention to what customer data they’re keeping, and practising better data hygiene in terms of disposing of data as soon as it is no longer needed. The large-scale Optus and Medibank data breaches in late 2022 have shown us all that the privacy damage done by data breaches is unnecessarily made worse if businesses are holding on to personal information well past its use-by date."

Privcore's Moens said, "A new fair and reasonable objective test is expected to be introduced for the collection, use and disclosure of personal information at the outset, irrespective of consent. This is intended to make organisations more accountable for the handling of personal information. Other proposed measures, such as mandatory privacy impact assessments for high-risk privacy activities will also assist in increasing organisational accountability."

With a global view, Johnston expressed some concern that none of the four "big exemptions are recommended to be outright abolished." Though the report recommended the removal of the small business exemption, it would only do so under certain conditions, including whether "small businesses are in a position to comply with these obligations," the report states. Other exemptions up for consideration included employee records, political parties and journalism.

Johnston characterized this as "a missed opportunity to aim for 'adequacy' when measured against the EU General Data Protection Regulation and other trading partners."

The international implications 

Indeed, the reforms are set in a global context, as nations grapple with data protection in a digital world.

"The proposals in this Report are designed to better align Australia’s laws with global standards of information privacy protection and properly protect Australians’ privacy. The Review considers that these proposed changes are likely to enhance cross border data flows with Australia as a trusted trading partner, and have resultant economic benefits for Australian businesses and the economy," the report's executive summary states.

IAPP Research & Insights Director Joe Jones, who previously served as the U.K. deputy director for International Data Transfers at the U.K. Department for Digital, Culture, Media & Sport, highlighted the global nature of the proposals.

"There's consideration as to whether reforms could help facilitate data transfers to and from Australia," Jones said. "Australia was last considered for 'adequacy' by the EU in 2001, but progress halted when European regulators cited concerns with Australia's privacy law and the country's government at the time confirmed it would not make changes.

"Now, there appears to be more political momentum behind reform and the Australians are championing international data transfers, including via their discussions with the U.K. on a ‘data bridge’ (the U.K.’s new term for ‘adequacy’) and via Australian membership of the new Global Cross-Border Privacy Rules Forum."

"Interestingly," Jones added, "the European Commission submitted feedback to the last consultation and noted the potential for Australia’s reforms to ‘open the path’ for an adequacy finding, maybe even a mutual adequacy finding if Australia joins the growing list of jurisdictions with adequacy capabilities."

Next steps

Now that the report is public, the Attorney-General's Department has opened up a public comment period, including a 42-question feedback survey. The comment period is open until March 31.

The department said the report raises "complex policy issues that affect individuals and public and private entities," and it is seeking views "to ensure that any reforms the Australian Government implements are balanced and effective."

According to Johnston, Attorney-General Mark Dreyfus "previously indicated that he would bring a bill to parliament within the current term of government, which might mean 2023 or 2024."