On 28 September, the Attorney General's Department published the Australian Government's response to its Privacy Act Review Report 2023.

In its response, the Government stated that, of the 116 proposals in the report, the Government agreed to 38 proposals, agreed in principle to 68 proposals, and noted 10 proposals.

This represents the biggest overhaul of Australia’s privacy laws in decades.

Five Key Focus Areas

The Government has committed to progressing consideration of reforms to Australia’s privacy framework under five key focus areas.

1. Bring the Privacy Act into the digital age

Update and modernise the Privacy Act to reflect the advancements of the digital era, acknowledging the societal need to safeguard privacy. Investigate comprehensive methods to extend the application of the Act to encompass a wider array of information and bodies managing such personal data.

2. Uplift protections

Enhance the safeguards provided by the Privacy Act by mandating organisations to be responsible for managing personal information in line with societal norms, and by strengthening obligations to maintain information security and to dispose of it when no longer required. Modifications to the Notifiable Data Breaches (NDB) program will aid in mitigating damages potentially arising from data violations, and the introduction of new organisational accountability stipulations will motivate organisations to integrate privacy-centred approaches into their operational procedures. Additional distinct safeguards will be extended to activities posing significant privacy risks and to more susceptible populations, such as children, particularly in online environments.

3. Increase clarity and simplicity for entities and individuals

Offer clearer guidance to organisations on safeguarding individuals’ privacy and streamline the duties imposed on entities managing personal information for another body. The revisions will enhance the adaptability of code-creation under the Act, minimise discrepancies, and augment uniformity across diverse legal structures offering privacy defences. They will also facilitate the processes for transferring personal data internationally, especially to nations with comparable privacy legislations, by making the prerequisites more straightforward.

4. Improve control and transparency for individuals over their personal information

Grant individuals enhanced visibility and authority over their data via refined notification and consent procedures. Additionally, the Australian Government plans to delve into the extent and implementation of new personal information rights and expanded channels for obtaining remedies for privacy infringements. This includes the introduction of a direct legal avenue allowing individuals to approach the courts for remedies under the Privacy Act, as well as a new legal provision for grave privacy breaches.

5. Strengthen enforcement

Amplify the enforcement capacities of the OAIC, broaden the range of rulings that can be made by the court in civil penalty actions, and authorise courts to review requests for relief submitted directly by individuals. A comprehensive evaluation of the OAIC, coupled with a detailed review of its resource needs—including an exploration of the viability of an industry funding structure and the creation of litigation funds—will boost the proficiency of Australia’s privacy regulatory body.

What It Means for Businesses

Businesses will need to understand, adapt to, and comply with these changes to ensure the secure handling of personal information. The reforms come with increased responsibilities and require businesses to integrate privacy-by-design into their operational processes.

For more detailed analysis of the expected impact on Australian businesses, read our blog [insert title / link].

Our Take

The de.iterate team welcomes these changes. We have been expecting these changes and preparing for them. Privacy and cyber security used to be a 'Big Business' problem—it is now a consideration for every Australian business. Strong privacy protections are integral to business sustainability and international competitiveness. This move aligns Australia’s privacy standards more closely with global standards, ensuring the protection of personal information and uplifting privacy in the technological era.

The vast data flows underpinning digital ecosystems have created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams.

Clearly, strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Next Steps

The Attorney-General’s Department is tasked with leading the next phase of implementation, involving:

• Crafting ‘agreed’ legislative suggestions, followed by specific consultations.

• Discussing ‘in-principle agreed’ proposals with entities to understand the feasibility and implementation methods, aiming for a balanced approach between privacy protection and potential repercussions and regulatory impositions.

• Conducting a thorough impact analysis to evaluate possible compliance costs for regulated bodies and any other economic impacts or benefits, including those affecting consumers.

• Submitting more refined advice to the Government in 2024, which will include the outcomes of additional consultations and proposed legislation.

For further information on what this all means for businesses, take a look at our post: Australian Government Response to Privacy Act Review Report: What it Actually Means for Businesses.

And, if you need help, reach out to the team at de.iterate—we’re here to help you get your ducks in a row.