
Watch This Space: Attorney-General Hints at Privacy Reform

In Australia we rely heavily on the Privacy Act 1988 (Cth) to create statutory protections for our personal information, but our current privacy framework lacks some of the features of more modern legislation around the world.

That all might change. The Attorney-General has announced his intention to overhaul the Privacy Act. In a Guardian interview on 16 January 2023, Mr Dreyfus promised to consider ‘European-style reforms’ to Australia’s long-neglected privacy law. If the now-completed Privacy Review is anything to go by, the right to have your data erased, a statutory tort of privacy and an expanded definition of ‘personal information’ are all on the table.

Why reform?

The Attorney-General expressed concern that the Privacy Act is “out of date and not fit-for-purpose in our digital age”. He would not be the first to do so. Many have suggested that Australia bring its privacy regime into line with international standards, particularly the European Union’s General Data Protection Regulation (GDPR).

Australia lacks many of the data protections enjoyed by EU citizens, such as a right to object to the use of your personal information or regulations surrounding ‘pro-privacy’ default settings. Given the importance of online interactions in the modern world, it is surprising that our privacy framework does not account for the volume or type of data traffic that is processed on the internet.

What could reform look like?

In October 2020, phase 1 of the Privacy Law Review commenced. This involved the publishing of an issues paper by the Attorney-General’s Department (AGD) and submissions from invested parties such as industry experts, businesses and the Office of the Australian Information Commissioner (OAIC). Phase 2 delivered several proposals and responses and concluded in early 2022. In November 2022, Parliament passed an amendment to the Privacy Act increasing penalties for data breaches and enhancing the powers of the OAIC.

In their submission to the Review, the AGD outlined several proposals which would constitute a complete overhaul of Australia’s privacy legislation. Notably:

  • A more expansive definition of ‘personal information’, ‘reasonably identifiable’ and ‘collection’ which would capture more kinds of data, including metadata.
  • Pro-privacy default settings.
  • Requirements for valid consent to the collection, use or disclosure of personal information.
  • The right to object to the collection, use or disclosure of personal information (and a corollary right to ‘opt-out’ of targeted advertising).
  • The right to erasure of personal information under certain circumstances.
  • New required disclosures in privacy policies.
  • Creation of a statutory tort of privacy.

A statutory tort of privacy, which would form the basis of a new cause of action or lawsuit, would give individuals a direct recourse where their privacy has been compromised. The dimensions of the statutory tort are in their elemental stages. The OAIC has submitted that such a provision would provide greater coverage and protection to individuals in line with Article 17 of the ICCPR, which states that:

  • No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  • Everyone has the right to the protection of the law against such interference or attacks.

We may not yet know exactly how the tort might take shape (although the AGD’s proposals contain some options), but the ICCPR gives us a general guideline of what the tort is designed to do.

Another suggestion has been changes to exemptions to the Privacy Act. Currently, small businesses with an annual turnover of under $3 million are exempt from the operation of the Act. Exemptions also exist in relation to employee records and political parties. During Phase 1 of the Review, the OAIC submitted that these exemptions should be removed entirely. While talk of removing exemptions was not present in the AGD’s proposals, it is worth noting if only to prepare for the significant potential impacts if such provisions were removed or limited.


How to prepare

The proposals contained in the Privacy Law Review would undoubtedly foster greater consumer protections online and grant individuals more control over their personal information. They would also introduce a whole suite of new obligations for entities subject to the Act. This will require many organisations to update their privacy policies and data security processes and ensure compliance with any new or updated provisions.

While the Attorney-General has hinted at reform, nothing is set in stone. It may be several months before we hear news about an actual proposal to go before parliament. Until that time, we encourage you to watch this space.

If you have any questions or wish to discuss your circumstances with a lawyer, please contact the BAL Lawyers Business & Commercial team on 02 6274 0999.

