We (finally) have more clarity as to the next steps in the long-awaited reform of the Australian Privacy Act.

As we noted back in February this year (see here), the Attorney-General’s Department recommended a number of changes to Australia’s core privacy regime, which saw its last major overhaul in 2014.

The Australian Government has now formally responded to the report, flagging its intention to adopt the vast majority of the 116 recommendations in the Attorney-General’s Department’s report.

The changes are expected in two phases.

First up will be the 38 changes accepted in full, where drafting will commence immediately, with only “targeted” consultation to follow. This includes:

  • Adjustments to the civil penalty regime (which was last updated in December 2022 – see here), with a mid-tier penalty for breaches lacking a serious element, and a low-level civil penalty for administrative breaches;
  • Greater transparency around automated decision making, including a new content requirement for privacy policies and a right for individuals to request “meaningful information” as to how automated decisions with legal / significant effects are made;
  • Enhancements to OAIC guidance, particularly in respect of information security and retention; and
  • Introduction of a Children’s Online Privacy Code.

Whilst Australian businesses should start preparing, the compliance burden for these changes will be relatively light for most organisations.

Next up will come those changes which the Government has accepted in principle, subject to further consultation and impact analyses given the likely complexity. Included in this batch are:

  • Introduction of direct rights of action under the Privacy Act, as well as a statutory tort of privacy (which could have huge ramifications for anyone doing business in Australia);
  • An expansion of data subject rights, including the right to object to collection, use or disclosure, a right of erasure, a right to withdraw consent (which isn’t expressly enshrined as a data subject right at present) and, interestingly, a right to request the de-indexation of certain online search results containing personal information;
  • Removal of the small business exemption (which currently excludes organisations with a turnover of less than AUD 3 million from compliance with the Act);
  • Enhancing protections for employee records (which are currently excluded from the Act entirely), including bringing HR data within the scope of the notifiable data breach regime; and
  • The introduction of standard contractual clauses for overseas data transfers.

No announcements have been made as yet as to when we can expect to see the next steps in the review actioned.