Clifford Chance

Prioritising Privacy: Highlights from Australia's Privacy Act Review Report

Data Privacy 23 February 2023

The Australian Attorney-General's Department has released the Privacy Act Review Report, proposing significant changes to federal privacy legislation to address demand for stronger privacy protection in an age of digital vulnerability. 

The Attorney-General's Department released the Report on 16 February, proposing 116 reforms to the Privacy Act 1988 (Cth) geared towards improving protections for personal information, as well as the control individuals can exert over that information. The Report is the culmination of two years of investigations and draws from stakeholder feedback, independent research, and international data protection and privacy laws.

The extensive and, in some respects, fundamental changes proposed by the Report – which could find their way into draft legislation by the middle of this year – seek to balance the strong public demand for greater transparency and control over how personal information is handled with the broader need for innovation in the digital economy.

Some of the major changes proposed by the Report are set out below.

  • Clarify the scope of "personal information" by replacing "about" an individual with "relates to". This more clearly allows for technical and inferred information, such as IP addresses and device identifiers, to be included in the meaning of "personal information".
  • Introduce new data breach reporting obligations, including modifying timeframes for notifying relevant parties (such as the Information Commissioner within 72 hours).
  • Require Australian Privacy Principle ("APP") entities to appoint or designate a senior employee responsible for privacy.
  • Introduce individual "data subject rights" modelled on the EU's General Data Protection Regulation, including the right to request erasure and the right to object.
  • Introduce a "fair and reasonable" test to ensure that entities' handling of personal information is within individuals' reasonable expectations and is not harmful.
  • Delineate between "controllers" and "processors" to better recognise the different compliance obligations for entities that process personal information under the direction of another entity.
  • Clarify that the "Australian link" required in relation to overseas data flows is focused on personal information connected with Australia.
  • Introduce protections for employee records, which are exempted under the current operation of the Act.
  • Remove current exemptions for small businesses and introduce a package of support to assist small businesses in setting up the required policies and practices.
  • Introduce additional protections for children.
  • Improve the guidance on reasonable steps to be taken to destroy or de-identify personal information when it is no longer required.
  • Regulate "targeting", where information is collected, used or disclosed for tailoring services, content, ads or offers to individuals.
  • Introduce new civil penalties via a tiered approach and infringement notices and additional powers to the Office of the Australian Information Commissioner ("OAIC") to increase compliance with the Act's requirements.
  • Recognise both a direct right of action for individuals harmed by data privacy breaches to pursue remedies in the courts and a statutory tort for serious invasions of privacy.
  • Require all entities covered by the Act to carry out a Privacy Impact Assessment before they engage in an activity which is likely to have a significant impact on individuals' privacy.
  • Develop stronger OAIC guidance, specific legislated requirements, and APP codes.

A one-page summary of the Report can be found here.

Public feedback on the proposed reforms, which will be used to inform the Australian government's response to the Report, is due by 31 March 2023.