Substantial Privacy Act reform: what will this mean for your business?

By Alison Baker, Eden Winokur, Iona Goodwin, Todd Waugh and Sheruni Fernando

The Attorney-General’s Department has published the long-awaited Privacy Act Review | Report 2022 (Report).

The Report provides a real indication that Australia’s privacy laws will shortly be substantially overhauled. The proposed changes, if implemented, will have a significant impact on Australian businesses large and small. Privacy protections will be extended, and obligations tightened. Some businesses not previously required to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act) will find themselves having to grapple with new obligations.

The proposed broadening of the rights of individuals has been on the reform agenda for years. Certain aspects, such as the ‘right to be forgotten’, echo the European Union approach to privacy regulation set out in the General Data Protection Regulation (GDPR). The introduction of a statutory tort of privacy raises the spectre of more litigation in this space, including class actions.

How did we get here?

The Report is the outcome of more than two years of consultation regarding the Privacy Act, which commenced in October 2020.

The first step was the release of the Privacy Act Review: Issues Paper (Issues Paper). The Issues Paper sought feedback for potential reform of the Privacy Act.

The Issues Paper was followed by the Privacy Act Review: Discussion Paper (Discussion Paper), which considered feedback on the Issues Paper and sought further feedback on potential changes to the Privacy Act. Submissions and feedback received in response to the Discussion Paper have informed the proposals in the Report.

What’s next?

The proposals in the Report are not new legislation; there is more consultation to go before we have a Bill to digest. The Government is seeking feedback on the proposals in the Report before deciding how to proceed. Feedback on the Report is due by 31 March 2023.

We anticipate legislation to reform the Privacy Act will be introduced to the Parliament this year. Once in the Parliament, it will undergo the usual process of review and amendment in both Houses. It remains to be seen if there will be a complete bipartisan approach to this important law reform process. However, in the context of the Optus and Medibank data breaches, and given the review of the Privacy Act commenced under the previous Coalition Government, we can expect bipartisan support for at least some of the proposed changes.

The proposals

The Report contains 116 proposals in 27 key areas. We have set out in the table below those proposals we consider to be the key proposals.



Removal of the small business exemption

Some estimate this amendment could impact millions of Australian businesses. Before the removal of the exemption, there would be an impact analysis and further consultation which would assist the development of appropriate support for small businesses to comply with their obligations.

Employee records exemption

This exemption will be narrowed to enhance the protection of private sector employees, including by requiring employers to notify the Office of the Australian Information Commissioner (OAIC) of any data breach involving an employee’s personal information which is likely to result in serious harm. The Report indicates the need for further consultation regarding this measure, including in relation to how privacy and workplace relations law should interact. This will be a significant change for employers who, in some circumstances, have not had to comply with the APPs in respect of the personal information of their employees, including in relation to some data breaches.

Rights of the individual

Individuals are to be given new rights in relation to their personal information. These protections are aimed at providing greater transparency and control for individuals. Proposals include:

  • a right to the erasure of their personal information (the right to be forgotten);
  • if requested by an individual, the APP entity must identify the source of the personal information it has collected;
  • if requested by an individual, the APP entity must provide an explanation or summary of what it has done with the personal information;
  • a right to object to the collection, use or disclosure of personal information;
  • a right to correction of generally available online publications over which an APP entity maintains control; and
  • a right to de-index online search results containing personal information.

As well as these rights it is proposed to introduce:

  • A direct right of action to permit individuals to apply to the courts for relief in relation to an interference with privacy.
  • A statutory tort for serious invasions of privacy.

For some, these are long-awaited reforms enhancing the rights of individuals. In the wake of the Optus and Medibank data breaches last year, we consider there to be a high probability that these reforms will form part of the new legislation.

Security, retention and destruction

It is proposed that entities should:

  • take reasonable steps to protect de-identified information; and
  • establish their own maximum and minimum retention periods in relation to the personal information they hold.

It is also proposed that the Commonwealth undertake a review of all legal provisions that require retention of personal information to determine if the provisions appropriately balance their intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information.

Understanding what data a business holds and why (information mapping), and having an efficient and up-to-date approach to data retention, will become key priorities for businesses if these proposals are implemented.


The introduction of tiers of civil penalty provisions:

  • Mid-tier civil penalty provisions would cover interferences with privacy without a ‘serious’ element.
  • Low-level civil penalty provisions would cover administrative breaches of the Privacy Act and APPs.

Further, it is proposed that the definition of ‘serious interference’ be clarified.

Notifiable data breaches scheme

A proposal to better facilitate the reporting processes for notifiable data breaches to assist both the OAIC and entities with multiple reporting obligations. Entities would be required to:

  • provide an eligible data breach statement to the OAIC as soon as the entity becomes aware, and no later than 72 hours after becoming aware, that there are reasonable grounds to believe that there has been an eligible data breach. The statement must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates; and
  • notify individuals of a suspected data breach as soon as practicable where the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.

Currently, APP entities have 30 days to notify the OAIC of an eligible data breach. This reduction in the time to report is a further reflection of a shift towards the approach set out in the GDPR.

Personal information, de-identification and sensitive information

Broaden the definitions of ‘personal information’ and ‘sensitive information’ (information that could fall into the broadened definitions includes technical data (such as IP addresses), genomic information and geolocation tracking data).

The Report also proposes:

  • a prohibition on re-identifying de-identified information (this may include the introduction of a criminal offence where re-identification has occurred with a malicious intent); and
  • the amendment of the definition of ‘collection’ to expressly cover information obtained from any source and by any means, including inferred or generated information.

Fair and reasonable personal information handling

Amend the Privacy Act to require that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances. The proposal states that it should be made clear that the fair and reasonable test is an objective test to be assessed from the perspective of a reasonable person.

This will require organisations to consider carefully the personal information they hold and could lead to an increase in privacy complaints.

Consent and privacy default settings

Amend the definition of consent to provide that it must be voluntary, informed, current, and specific. The Report also suggests that the withdrawal of consent should be as easy as the giving of consent. For online services, any privacy settings must be clear and easily accessible.

Organisational accountability

APP entities must determine and record the purposes for which they collect, use and disclose personal information at or before the time of collection. APP entities must appoint or designate a senior employee responsible for privacy within the entity. This can be an existing member of staff.

Direct marketing, targeting and trading

Individuals should have unqualified rights to:

  • opt out of their personal information being used or disclosed for direct marketing purposes; and
  • opt out of receiving targeted advertising.

A requirement that an individual’s consent must be obtained to trade their personal information has also been proposed.

Overseas data flows

Additional requirements to be implemented – following further consultation – in relation to overseas data flows, including a requirement to demonstrate an ‘Australian link’ that is focused on personal information being connected with Australia. Also proposed are strengthened informed consent obligations in relation to overseas disclosures.

Privacy policies and collection notices

The inclusion of an express requirement that collection notices be clear, up-to-date, concise and understandable is proposed.

Controllers and processors of personal information

The introduction of APP entity controllers and APP entity processors. This would bring a non-APP entity that processes information on behalf of an APP entity controller within the scope of the Privacy Act.

What the proposals will mean for businesses

If enacted as law, the proposals will have substantial impacts on Australian businesses.

In particular:

  • The removal of the small business exemption may mean that millions of small businesses which were previously exempt must now comply with the APPs. This will likely result in increased compliance costs, including responding to notifiable data breaches.
  • Information which is not currently protected (e.g. IP addresses, device identifiers, other online identifiers, geolocation information and genomic information) may soon be protected by the Privacy Act. Businesses should consider whether they collect, store, disclose and/or use these types of data, as they may become subject to increased obligations.
  • Businesses may face increased penalties and disputes/litigation due to the introduction of new civil penalty provisions and increased personal rights.
  • Businesses will have to respond to data breaches faster (they will have to notify the OAIC of a suspected eligible data breach within 72 hours).

What the proposals will mean for cyber insurance

Many cyber insurance policies provide cover for third-party claims and for responding to investigations commenced by the OAIC.

Cyber insurers will be keeping a close eye on the degree to which this new regime will increase the risk of exposure to more frequent claims, and higher claims costs. The combined effect of removing the small business exemption, a broader definition of personal information and a direct right of action for individuals, has the potential to result in a surge of third-party claims against insureds by affected individuals, including enhancing class action risk.

Cyber insurers will also be mindful of the OAIC’s potentially enhanced regulatory capacity. The more onerous obligations around the use and disclosure of personal information, and the tighter timeframes for notifiable data breaches, may increase the risk of organisations breaching the Privacy Act. Further, removing the requirement that breaches of the Privacy Act be ‘serious’ would likely result in an increase in OAIC investigations and penalties.

What’s next?

The Government is seeking feedback on the proposals in the Report before deciding how to proceed. We anticipate legislation to reform the Privacy Act will be introduced to the Parliament this year. Once the legislation has been introduced, it will undergo the usual process of review and possibly amendment.

We will continue to monitor this important reform process and keep you updated.
