The Australian Government’s response to the Privacy Act Review Report (which was released on 16 February 2023, and set out 116 privacy reform proposals for public consultation) has been released today. The response paper agrees in principle to many of the report proposals, and sets out 5 key areas with which the Government agrees:

  1. Bring the Privacy Act into the digital age – the objects of the Privacy Act should be amended to clarify that it is about information privacy, and the definition of personal information requires modernising to include technical and inferred information (such as IP addresses and device identifiers).
  2. Uplift protections – exploring amendments to the Notifiable Data Breaches Scheme under the Act, including amendments to the notification timeframe once an eligible breach is confirmed, the types of information required to be included in a data breach notification, and the steps entities are required to take in response to a breach. The Government also agrees in principle to a new requirement that personal information collected, used and disclosed is ‘fair and reasonable’, and that entities should be required to establish their own maximum and minimum retention periods for personal information they hold.
  3. Increase clarity and simplicity for entities and individuals – to modernise certain definitions in the Act (e.g. ‘collection’, ‘disclosure’, ‘de-identified’ and ‘consent’) and set a distinction between controllers and processors of personal information. Amendments to increase transparency of overseas data flows and to support the free flow of information overseas with appropriate/substantially similar protections were agreed in principle.
  4. Improve transparency and control – to introduce a statutory tort for serious invasions of privacy, and a direct right of action for individuals to seek remedies for privacy breaches in courts. The Government also agrees in principle to creating new individual rights, including a right of erasure of personal information, a right to challenge the information handling practices of an entity, and a right to require search engines to de-index certain online results.
  5. Strengthen enforcement – the introduction of a new mid-tier civil penalty to cover interferences with privacy that do not meet the current ‘serious’ threshold, and a new low-level civil penalty provision for specific administrative breaches of the Act and Australian Privacy Principles (such as failing to have a clear, up-to-date privacy policy or failing to deal with requests to correct information in specified timeframes).

For some sectors currently exempt from the Act, the Government has indicated this may soon change by agreeing in principle that:

  • The small business exemption should be removed from the Act, but only following further consultation to understand the impact, and modifications required to ease the potential regulatory burden, and
  • Further consultation is needed to understand how enhanced privacy protections for private sector employees may be implemented in legislation.

The Government’s release of the priority areas and its response give clear indications that amendments to the Privacy Act 1988 (Cth) (‘Act’) are likely to progress imminently, over the coming months.

You can view the full report here.