Search for:

Australian government releases a long-awaited report on review of the Privacy Act, proposing wholesale amendments to Australia’s flagship privacy legislation.

In brief

The Commonwealth Attorney-General’s Department has released its long-awaited report (the “Report”) on its review of the Privacy Act 1988 (Cth) (“Privacy Act”), which proposes widespread amendments to Australia’s flagship privacy legislation. Stakeholders have until 31 March 2023 to provide feedback to the government on the proposals.


The Report proposes amendments across three areas:

  • Scope and application of the Privacy Act – while the principles-based approach to regulation would be retained, some revisions would be made to clarify and broaden the scope and application of the Privacy Act. Most notably, definitions would be added and amended to provide clarity (for example, to confirm that technical and inferred information is captured), geo-location tracking data would be subject to consent requirements, de-identified information would be regulated to a certain extent, and certain exemptions – including the employee records exemption – would be narrowed or removed completely.
  • Protections – personal information would be subject to enhanced protections, including through the introduction of new EU-inspired rights for individuals and an overarching requirement that collection and handling of personal information must be objectively “fair and reasonable”. Collection notices and consent requirements would be enhanced and might ultimately be standardized. Records would need to be kept regarding purposes of processing and entities would be expected to appoint a privacy officer. Additional transparency would be mandated for certain automated decision making. Privacy impact assessments would be compulsory prior to undertaking high privacy risk activities, and special requirements would apply in respect of vulnerable people’s and children’s personal information. Direct marketing, targeting and trading in personal information would be more heavily regulated, with individuals having clear rights to opt out. Other key proposals include: revisions to security, retention and destruction obligations; adoption of a limited controller-processor distinction; and changes in respect of overseas data flows and extraterritorial application of the Privacy Act.
  • Regulation and enforcement – the range of available penalties for non-compliance would be expanded to cover a clarified and expanded range of conduct. Australia’s privacy regulator, the Office of the Australian Information Commissioner (“OAIC”), would enjoy expanded powers including the right to require entities to identify and mitigate loss and damage that could result from their privacy failings. Other notable changes include: allowing individuals a direct right of action to seek relief for interferences with their privacy; a statutory tort for serious invasions of privacy; and changes to the notifiable data breach scheme, including a 72-hour notification deadline.

Read the full alert here.

Author

Anne-Marie Allgrove is a partner in the Sydney office of Baker McKenzie. She is the Global Chair of the Firm’s IP, Data and Technology Practice. Anne-Marie is recognised in both Chambers and The Legal 500 as a leading individual and was named a Best Lawyer of the Year for Privacy and Data Security in 2020.

Author

Anne has been with Baker McKenzie since 2001. Prior to that, she spent four years with the Australian Attorney-General's Department/Australian Government Solicitor mostly working on large IT projects.
In her time at Baker McKenzie, Anne has spent 18 months working in London (2007-2008) and, more recently, three years working in Singapore (2017-2020).

Author

Toby Patten is a partner in Baker McKenzie's Technology and Healthcare teams in Melbourne. He joined the Firm in March 2005.

Author

Adrian Lawrence is the head of the Firm's Asia Pacific Technology, Media & Telecommunications Group. He is a partner in the Sydney office of Baker McKenzie where he advises on media, intellectual property and information technology, providing advice in relation to major issues relating to the online and offline media interests. He is recognised as a leading Australian media and telecommunications lawyer.

Author

Caitlin Whale is a partner in the Technology, Communications and Commercial team. She advises on technology, outsourcing and commercial law issues. Caitlin advises on technology and rights-specific issues in large corporate and commercial transactions, and has experience in managing multi-territory licensing and divestments for multi-national clients. She has extensive experience in advising on a range of commercial arrangements, including licence and software agreements, research and development and collaboration agreements, supply agreements and distribution agreements. Caitlin has experience in rights management and enforcement, advising on the ownership, registration, exploitation and protection of copyright, trade marks and designs. She has represented rights-owners and users and has particular experience in relation to online infringement issues.