Is your business ready for a new era of privacy regulation: Insights from the “Government response to the Privacy Act Review Report” (Part 1)

Published on March 27, 2024 by Yue Lucy Han and Selwyn Black

The cornerstone of privacy regulations in Australia, the Privacy Act 1988 (Cth) (the Act), has recently undergone a comprehensive review to adapt to the profound transformations in technology, data usage, and societal norms since its inception.

Evolution of privacy law in Australia

The Act was originally enacted to regulate the handling of personal information by federal government agencies and private sector organisations. However, the landscape has since undergone a seismic shift. The emergence of social media platforms, the smart phone, the increasing commercialisation of personal data, and artificial intelligence have outpaced the Act’s original framework.

To address these developments, the Australian government initiated a Review of the Act which was conducted by the Attorney-General’s Department.

This is further supported by the 2023 Australian Community Attitudes to Privacy Survey which revealed that 84% of Australian citizens want more control and choice over the collection and use of their information and about 9 in 10 want businesses and government agencies to do more to protect their personal information. This article will look at the key focus areas of the Privacy Act Review Report and the Government’s response to the report.

Key focus areas of the Review

The Privacy Act Review Report (the Review Report) which was released in February 2023 identified several critical areas requiring attention to align the Act with contemporary privacy challenges:

i. Enhanced consumer rights – strengthening individuals’ rights over their data, including the right to access and correct their information, and potentially introducing a right to be forgotten.

ii. Transparency and accountability – encouraging organisations to be more transparent about how they handle personal data and ensuring greater accountability for data breaches.

iii. Cross-border data flow – addressing the complexities of cross-border data transfers and ensuring adequate protection of personal information when transferred overseas.

iv. Regulation of big tech – assessing the practices of tech giants and considering measures to curb their data dominance and potential misuse of personal information.

v. Enforcement and penalties – reviewing enforcement mechanisms and penalties for non-compliance to ensure they act as effective deterrents.

Government response?

On 28 September 2023, the Government released its formal response to the Review Report. The response agrees, or agrees in principle, with the majority of the 116 proposals that were made.

The Government’s response can be seen as sending a clear message to Australian business that while the legislation to implement these changes must still be drafted, it can be expected to happen soon.

This is an important consideration as many of the changes will affect the way certain organisations structure themselves and the way existing IT systems and information management channels are organised within a business. Prudent businesses should embrace the lead time to review their current processes and consider how they might change and update their systems and procedures.

While some changes primarily increase individual rights, key issues for business will require consideration to be given to:

  • the extended definition of ‘personal information’;
  • the strengthening of obligations regarding policies and collection notices; and
  • introducing a requirement for processing of personal information to be ‘fair and reasonable’.

The requirement that the collection, use and disclosure of information should be fair and reasonable in all the circumstances is a new test. This new test is also a higher standard than has been applied previously.

Some of the agreed proposals will also give the Office of the Australian Information Commissioner (OAIC) stronger enforcement powers. An example is that the Government has agreed to introduce tiers of civil penalty provisions which will allow for more agile implementation of sanctions.

The Data Breach Scheme will also change, requiring quicker notice in line with the General Data Protection Regulation (GDPR) and allowing entities to stagger their notifications to an individual as more information becomes available.

While the review process has been considerable and ongoing, there have been some interim measures introduced to address immediate concerns. This can be seen in amendments to the Act in 2021 which expanded the notification requirements for data breaches, emphasising the importance of prompt and transparent disclosure in the event of a breach.

For the future, the final recommendations from the Review Report are anticipated to introduce substantial changes to Australia’s privacy landscape. The potential for implementation of a statutory tort for serious invasions of privacy will no doubt remain a topic of high interest.

The evolving nature of technology ensures that the discourse on privacy will continue to be persistent. Balancing innovation with the protection of individual privacy rights poses a continuous challenge for legislators and stakeholders. However, it also presents an opportunity to craft a more robust, adaptive, and privacy-centric legal framework. Australia stands at a critical juncture in redefining its privacy laws to suit the digital era’s demands. The review of the Act reflects a concerted effort to recalibrate the nation’s privacy landscape, ensuring that it remains relevant, protective, and adaptive to the evolving challenges of the modern world. As the contours of the revised Act now begin to take shape, it is imperative to strike a balance between fostering innovation and safeguarding individual privacy, thereby fostering a digital ecosystem that thrives on trust, responsibility, and respect for personal information.

Please note that this article does not constitute legal advice. If you are seeking professional advice on any legal matters, you can contact Carroll & O’Dea Lawyers on 1800 059 278 or via our Contact Page and one of our lawyers will be able to assist you.
