Receive all the latest news and insights straight to your inbox
Subscribe
Subscribe
Proposed reforms to Australian privacy laws will impact how businesses handle personal information and interact with individuals
In February 2023, Australia’s Attorney-General released the Privacy Act Review Report (the report). It proposes significant reforms to the Privacy Act, aiming to strengthen Australia’s privacy framework and align it with global standards of privacy protection.
The proposed reforms are not yet law. But if they are implemented in amending legislation, they will have a significant impact.
The report’s findings can be summarised into two broad aims, namely to improve:
- Current protections on individual privacy rights; and
- Regulation and enforcement of individual privacy rights.
Some of the key recommendations to achieve each aim are listed below:
1. Improved protection recommendations
Notice and consent requirements
The report is critical of current notice and consent requirements, stating how an overreliance on these requirements places unrealistic expectations on individuals to understand the risks of giving up personal information. It calls for an improvement in the ways privacy collection notices are sent to individuals, and how consents are obtained, with a focus on making them as clearly understood as possible.
Fair and reasonable test
The introduction of a fair and reasonable test is recommended as an overarching principle behind privacy activities involving personal information. This standard would ensure that when AAP entities obtain personal information from individuals, it is done so in a matter that is consistent with the individuals’ expectations and not harmful.
Security, destruction and notifiable data breaches
The Privacy Act already requires entities to only:
- Obtain what information is reasonably necessary; and
- Destroy when information is no longer required.
However, the report recommends that entities are required to constantly monitor and periodically review what information is reasonably necessary and what information is no longer required.
Direct marketing, trading, and targeting
The report highlights targeted advertising concerns, cautioning that it may not fall under the definition of personal information in the Privacy Act. It calls for further reports into targeted advertising, as well as explicit regulation of this activity.
Individual control over personal information
The report proposes that individuals have additional rights to control their personal information. These would include:
- The right to object to the storage of personal information; and
- The right to request that personal information be erased.
The report suggests some exceptions (such as public interest), in addition to extra transparency requirements.
2. Regulation and enforcement recommendations
Enforcement of the Privacy Act
The report proposes new reforms to strengthen the enforcement of the Privacy Act. They include new civil penalties and powers for the Independent Commissioner with respect to investigations, public inquiries, and determinations.
Direct right of action and a statutory tort for serious invasions of privacy
The report proposes the introduction of a direct right of action for individuals to seek remedies through the court for serious breaches of privacy.
What are the next steps?
The Government will formally respond to the report, taking into consideration feedback from public and private entities during a consultation period that closed on 31 March 2023. Its response may indicate what recommendations will become part of the amending legislation.
In the interim, businesses should review and consider current privacy policies in preparation for these proposed reforms and closely monitor the progress of the changes.
