On 28 Sept., the Australian Attorney-General's Department outlined the government's response to the Privacy Act Review Report recommendations.

The department's long-awaited, comprehensive review report, released February 2023, proposed 116 recommendations, drawing from 30 key themes that emerged from stakeholders' input over the past two years. The report acknowledged that Australia's digital economy has led to innovation and increased productivity, but has also raised concerns about data breaches and privacy.

To address these concerns, the report suggested revamping privacy laws for the digital age. This effort also aims to protect against identity fraud and scams, and ensure the competitiveness of Australian businesses globally.

Out of the report's 116 recommendations, the government accepted a total of 106 proposals. Among these, 38 proposals are "agreed," while 68 proposals are "agreed in-principle."

It's important to note both categories are contingent upon targeted and broader consultations before arriving at a final decision. The government intends to legislate these recommendations in 2024.

The government also "noted" a further 10 recommendations but chose not to accept them. These recommendations predominantly relate to political exemptions and specific protections for deidentified information.

The key takeaways are summarized in five focus areas of reforms to Australia's privacy framework:

  1. Bring the Privacy Act into the digital age

The government embraced key recommendations pertaining to the definition of personal and sensitive information. This includes providing clarification on what constitutes reasonable identifiability, expanding the definition of personal information to encompass technical and inferred data, such as IP addresses and device identifiers, and broadening the definition of sensitive information to include genomic data.

Also, the government agreed in-principle to eliminate the small business exemption, although this is subject to further consultation with industry stakeholders. Concerning the exemption for current or former private-sector employee records, the government acknowledged the necessity for further discussions with the private sector. The government chose to retain the journalism exemption but declined the proposal to narrow the political exemption.

  2. Uplift protections

The government endorsed most proposals aimed at enhancing data protection measures. Of particular significance is the commitment to principles surrounding fair and reasonable information handling, with the objective of reducing reliance on consent as the basis for information processing.

The report recognized the growing concerns related to security and the secure disposal of personal information, especially considering recent high-profile data breaches. However, proposed specific safeguards for deidentified information were not accepted. The government expressed its in-principle agreement to the proposal for a prompt 72-hour notification requirement when reasonable grounds suggest the occurrence of an eligible data breach.

Additionally, the government accepted proposals related to organizational accountability, which entail increased responsibility for senior management in matters of privacy and the mandatory implementation of privacy impact assessments for high-risk activities.

Proposals addressing privacy for children and vulnerable individuals also garnered government support, with a commitment to develop a Children's Online Code.

  3. Increase clarity and simplicity for entities and individuals

The government recognized the importance of fostering a privacy framework that enables businesses to leverage emerging technologies for economic growth. In this regard, it embraced a number of proposals aimed at providing clarity in terminology, including refined definitions for collection, disclosure and consent.

Additionally, the proposals aimed at recognizing the roles of controllers and processors of personal information gained acceptance, aligning Australia with international standards and reducing compliance burdens for businesses. Acknowledging the significance of the seamless flow of information across borders in the context of international trade, the government also accepted proposals advocating for the introduction of a mechanism to identify countries with substantially similar privacy laws.

This step aims to reduce the necessity for contractual provisions and enhance the efficiency of cross-border data exchanges.

  4. Improve controls and transparency for individuals over their personal information

The government recognized the current limitations of transparency and control over personal information for individuals, often through privacy notices and policies with limited individual rights. It embraced proposals to enhance the consent process, emphasizing that consent should be voluntary, informed, current, specific and unambiguous.

However, the government acknowledged excessive reliance on consent can place an unrealistic burden on individuals to comprehend privacy risks. Additionally, proposals aimed at bolstering individual rights and improving transparency through privacy policies and collection notices gained acceptance.

The government recognized that individuals have limited avenues to seek redress for interferences with their privacy, and accepted proposals on direct right of action and statutory tort for serious invasions of privacy.

  5. Strengthen enforcement

The government recognized effective enforcement of the Privacy Act is crucial for safeguarding individuals' privacy. It is firmly in favor of proposals aimed at strengthening enforcement, which encompasses measures to ensure the continued effectiveness and sustainable resourcing of the Office of the Australian Information Commissioner.

Additionally, the government endorsed granting additional powers for investigations related to civil penalty provisions.

Next steps

The Attorney-General's Department will lead the next phase of implementation and proposed the following key steps:

  • Develop legislative proposals which are "agreed," with further targeted consultation to follow.
  • Engage with entities on proposals which are "agreed in-principle" to explore whether, and how, they could be implemented to proportionately balance privacy safeguards with potential other consequences and additional regulatory burden.
  • Develop a detailed impact analysis to determine potential compliance costs for regulated entities and other potential economic costs or benefits (including for consumers).
  • Provide further advice to the government in 2024, including outcomes of further consultation and legislative proposals.

The report also indicated that the government acknowledged the need for entities covered by the Privacy Act to have sufficient time to comply with new requirements as part of reforms. Transition periods are to be considered during the development of legislation, along with guidance and support to help entities understand their compliance requirements.

This reform also aligns with other government initiatives such as the Australian Cyber Security Strategy, Digital ID, National Strategy for Identity Resilience and Responsible AI in Australia. Collaboration with stakeholders will ensure the appropriate implementation of privacy reforms.