Australia's Privacy Act Review Key Proposals and Government Response
- Johnathon Althaus
In case you missed it, on 16 February 2023, the Attorney-General publicly released the Privacy Act Review Report which contained 116 proposals recommending an overhaul of Australia’s current privacy legislation, the Privacy Act (1988) Cth.
On 28 September 2023, the Government released its Response to that report, with the Government’s Response:
- ‘agreeing’ to 38 of those proposals (meaning draft legislation will be introduced on each of these points at some stage in 2024);
- ‘agreeing in principle’ to 68 of these proposals (meaning further and more detailed consultation and impact analysis is to be carried out, though at this stage it is unlikely those proposals will make it into the 2024 legislation); and
- ‘noting’ 10 of these proposals (meaning the Government will not proceed with these proposals).
We will keep an eye out for the draft legislation in 2024, and provide further commentary on the ‘agreed’ changes that will likely form part of that legislation. Some important ones to look out for will be:
- additional powers for the Office of the Australian Information Commissioner (OAIC), including to make additional Australian Privacy Principles in certain circumstances and with approval from the Attorney-General, and to enforce mid-tier and low-level civil penalties for non-serious interferences with privacy, with additional funding for the OAIC expected to be announced at some stage in the future;
- a criminal offence will be introduced for ‘malicious’ re-identification of any information that was ‘de-identified’, where there is an intention to harm or obtain an illegitimate benefit;
- children will specifically be defined (in the Privacy Act) as persons who have not reached 18 years of age, and a Children’s Online Privacy Code will be introduced to apply to services that are ‘likely to be accessed by children’; and
- a requirement for Privacy Policies to set out the types of personal information that will be used in AI-related decisions, coupled with a right for individuals to request detailed and meaningful information about how organisations use personal information in ‘substantially automated decisions’.
Key Changes Still to Come
Being experts in Business Law and working with a number of Small Businesses, we have been keenly watching how the Government will respond to the proposal that the Small Business Exemption be removed (the exemption allowed most small businesses with an annual turnover of less than $3 million to be exempt from the Privacy Act).
The Government has ‘agreed-in-principle’ with this recommendation, commenting that feedback from the community has been clear, in that the general expectation is that if personal information is supplied to a small business, that information will be kept safe and not be used in harmful ways. Whilst it appears likely the removal of this exemption is only a matter of time, the Government has flagged the need to provide an appropriate transition period and the implementation of supports for small businesses (potentially in the form of tailored guidance, e-learning modules and other tools).
Another key proposal put forward in the initial report was that private sector employee records should no longer be exempt from the Privacy Act. The Government has agreed-in-principle with this proposal, but has flagged that consideration must be given to how privacy and workplace relations laws will interact, and noted that any implementation of this proposal will need to consider the impact and timing of new privacy obligations on Small Businesses. We wouldn’t be surprised to see this proposal be delayed (at least for Small Businesses) until after the removal of the Small Business Exemption has been fully worked through.
The last point on our radar is that individuals and entities will have a direct right of action, in the form of a right to bring a Court Application for relief against interference with privacy. An additional statutory tort will be introduced for more serious invasions of privacy, and these will ultimately give individuals and entities civil rights against other individuals and entities for privacy-related damage.
How Enterprise Legal Can Assist
Whilst none of the above has been specifically set in stone, and there is more consultation to be done (including with respect to the draft legislation), Australia’s Privacy Laws are being significantly changed and are being highly prioritised by the Government.
Enterprise Legal would love to discuss the upcoming changes in more detail, and we welcome any questions or conversations on this point. For any Small Businesses, we are happy to present to you and your team about these changes, and we can help you assess what impact they are going to have on your day-to-day functions so that you can be prepared for the inevitable changes.
We will continue to monitor these changes and circulate more information as it becomes available. Keep an eye out on our website or socials for those updates, or sign up for our mailing list.