Privacy Act Review Report – latest update

By Kristy McCluskey

In an increasingly digitised environment, the storage and access of data and associated privacy principles are now at the forefront for businesses and Australian regulators, not least due to high-profile data breaches in 2022 involving Optus and Medibank. The Attorney-General’s Department Privacy Act Review Report 2022 (Report) was released on 16 February 2023, providing the greatest indication yet that Australian privacy laws are likely to be updated, having far-reaching effects on consumers and businesses alike.

The Report is the outcome of more than two years of consultation regarding proposed amendments to the Privacy Act (Act). The Report contains 116 proposals to strengthen and modernise Australian privacy law. In this article, we give an overview of the most pertinent changes, and the effect they may have on consumers and businesses.

Small business exemption

Arguably the most substantial recommendation in the Report is removing the small business exemption. Under the current legislation, most small businesses with an annual turnover of less than $3 million are not required to comply with the Act, unless they are engaged in exempt activities. Removing this exemption will require all non-exempt businesses to become fully compliant with Australian privacy laws. The government has acknowledged the impact this will have on businesses, particularly smaller entities, and has pledged to undertake a full impact analysis and industry consultation.

Notifiable breach

The last 18 months have demonstrated the commercial damage a data breach can cause to a business, along with society’s expectations around how those breaches are reported. The Report introduces an obligation for entities to provide an eligible data breach statement to the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware there are reasonable grounds to believe an information breach has occurred. An entity must also then notify individuals as soon as practicable and take reasonable steps to prevent adverse impacts to the individuals affected.

Civil penalties

Reforms in December 2022 increased the maximum penalties for serious or repeated privacy offences. Following this, the Report recommends that legislation introduce new low-tier and medium-tier civil penalty provisions to address the issue that any sanction for breaching the Act that is less than serious or repeated can only be dealt with via an OAIC determination. Whilst penalty amounts are yet to be determined, it is likely these new penalties will target minor privacy breaches and administrative breaches, resulting in increased regulatory action and enforcement against businesses.

Right of erasure

The Report proposes individuals should be empowered to request deletion of their personal information by complying entities. Whilst this is practically an extension of the current obligation to delete personal information that is no longer needed, it is expanded in that individuals will be able to request the deletion of any category of personal information. However, the Report suggests these requests will not be accepted where there is a competing public interest, it is unauthorised by law, or is an abuse of process.

Personal information

Finally, the Report recommends altering the definition of ‘personal information’ to include information relating to a person. This expansion will allow businesses to capture a larger range of information and helpfully brings it into line with other existing Commonwealth legislation.

Where to now?

The consultation period for the review regarding the proposed amendments closed on 31 March 2023. Whilst it remains to be seen which amendments will be enacted, it is likely the increased regulation will impact more Australian businesses, greatly increasing compliance costs. Conversely, it is hoped the increased powers and changes will provide enhanced protections to consumers. However, some market commentators suggest the broader definition of personal information, and the increase in businesses having to maintain privacy policies, may lead to increased class actions, litigation risk, and insurance premiums within industry.

We will keep you up to date with further developments. If you need to understand more about these proposed reforms, reach out to a member of our Investment Funds team.

