The Australian Government confirms its agreement to make significant amendments to Australia’s privacy laws, and to progress additional reforms through further consultation
The Australian Government has released its much-anticipated response (“Response”) to the Commonwealth Attorney-General Department’s report (“Report”) on its review of the Privacy Act 1988 (Cth) (“Privacy Act”). The Report recommended wholesale amendments to Australia’s principal privacy legislation and contained 116 proposals for consideration by the government (for a detailed look at the Report, and the background to the review of the Privacy Act, see our previous alert here).
The Response is largely receptive to the Report’s proposals, indicating positive support for a majority of the recommendations, with none rejected outright. However, the government has only “agreed” to the development of specific legislation for 38 of the proposals, which for the most part relate to less contentious changes focused on strengthening Australia’s existing privacy regime. These include:
- Regulating information used in automated decision-making and clarifying information security requirements
- Developing a Children’s Online Privacy Code to apply to online services likely to be accessed by children
- Introducing new mid-tier and low-tier civil penalty provisions to allow for targeted regulatory responses, alongside enhanced enforcement powers for the privacy regulator and the courts
A further 68 proposals are “agreed-in-principle”, but will be subject to further consultation to explore whether and how they may be implemented so as to balance privacy safeguards with other key concerns, such as the burden on regulated entities. These include a number of the more controversial proposals, such as:
- The introduction of a maximum 72-hour period to notify the regulator upon becoming aware that there are reasonable grounds to believe there has been an eligible data breach
- The introduction of new individual rights (including enhanced control over personal information and a “right to be forgotten”) and a statutory tort for serious invasion of privacy
- Certain changes to how data collection and data breaches are managed
- The removal of existing exemptions for small businesses and employee records, and the introduction of additional safeguards relating to the journalism exemption
The 10 remaining “noted” proposals, which include recommendations relating to the protection of deidentified information, are flagged for potential further consideration by the government. The Response indicates that the government agrees with the broad intention of a majority of such recommendations, but not necessarily the specific approach put forward.
The government has indicated that there will be opportunities for further consultation, but that it will introduce legislation in 2024. There will be a transition period for any changes. For a more detailed look at some of the key proposals that have been agreed, agreed-in-principle, and noted, read our full alert.