Australian Government Response to Privacy Act Review Report: What it Actually Means for Businesses

3 Oct 2023

In the most comprehensive overhaul of Australia’s privacy laws in decades, the Attorney General’s Department recently published the Australian Government’s response to its Privacy Act Review Report 2023.


In its response, the Government stated that, of the 116 proposals in the report, the Government agreed to 38 proposals, agreed in principle to 68 proposals, and noted 10 proposals.


The Government confirmed that it will progress consideration of reforms under five key focus areas. For further details on these areas, see our earlier post Australian Government Publishes Response to Privacy Act Review Report.


In this post, we’ll take a detailed look at what the Government’s response means for Australian businesses—from a practical perspective.


What It Means for Businesses—Practically

Removal of the Small Business Exemption

Currently, the Privacy Act does not apply to businesses with turnovers of less than $3 million. However, it’s likely that this exemption will be removed. All Australian businesses will then be required to meet minimum data privacy standards, regardless of turnover. This is a significant widening of Australia’s privacy laws—one that will bring us in line with international laws such as the GDPR. The Government has stated that it will engage in industry consultation to assess the repercussions of this change.


Don’t Panic—There Will be an Adjustment Period and Support for Small Businesses

The Government has assured that small businesses will not be immediately subjected to the new compliance measures under the Privacy Act, promising adequate support and time for adaptation.


Removal of the small business exemption will occur only after extensive consultation. This consultation process will aim to identify and address compliance gaps, so that educational material and compliance tools can be developed and supplied by the Government.


The Government’s response also stipulates that there will be a transition period to ensure that small businesses are equipped to meet the new Privacy Act requirements.


Accelerated Compliance for High-Risk Small Businesses

However, there is an exception to the rule. Not all small businesses have identical data risk profiles. As such, the Government has flagged that some small entities will be subjected to the provisions of the Privacy Act earlier than their counterparts. In particular, small enterprises and start-ups that deal with biometric data (such as facial recognition technology) and those that trade personal information are expected to have to adhere to the Privacy Act before those deemed ‘low risk’.


Removal of Employee Record Exemption

At the moment, certain employee records are exempt from the provisions of the Privacy Act—it is likely that this exemption will be removed. The original rationale for this exemption was that employee privacy was better regulated through workplace relations laws. Again, removal of this exemption will occur only after extensive consultation.


Establishment of Data Retention Periods

The collection and use of data poses significant risks. But so does the prolonged storage of such data by businesses, with malicious entities attracted to extensive reserves of amassed data.


To mitigate this risk, mandated minimum and maximum durations for data retention could be introduced. These would need to be clearly communicated to users and customers through privacy policies. The Government has also indicated that the Office of the Australian Information Commissioner should provide clear information to businesses on how to de-identify or destroy personal information.


Reforming Privacy Notices

Privacy notices define how a user’s data will be handled. The Government has indicated that “complex, lengthy, legalistic and vague” privacy notices leave users unable to understand what it is that they’re agreeing to. As such, privacy notices will need to be “clear, up-to-date, concise and understandable”.


Enhanced Reporting Requirements

If a data breach occurs, businesses will need to be able to quickly and clearly alert their customers, employees, and regulators. In the event of a breach, organisations covered by the Privacy Act should be required to:

  • Inform the Information Commissioner within 72 hours

  • Notify anyone affected as soon as practicable

  • Demonstrate that they have taken “reasonable steps” to implement systems, procedures, and operating practices around personal information and data breaches.


Right to Information

Reforms are also likely to give users much “greater transparency and control” through the creation of new user rights. If asked, businesses would need to provide information to individuals about how their data is being stored and used. Individuals may have the right to require a business covered by the Privacy Act to explain how they comply with it, or request that personal information is deleted or de-identified.


Enhancements to Direct Marketing Regulations

The government has recognised the imperative for individuals to possess an unqualified right to opt out of their personal information being used for direct marketing purposes. However, it should be noted that harmonising these requirements across the various applicable legislation (privacy, spam, and Do Not Call legislation) could pose challenges. The government, in principle, supports barring entities from using sensitive individual data (like race or sexual orientation) for targeting unless it offers societal benefits.


Institution of a Statutory Tort for Major Privacy Breaches

The government is in favour of creating a statutory tort for significant violations of privacy. At present, Australians don’t have a direct remedy for privacy breaches. This would allow individuals to pursue legal remedies if they can prove the severity of the violation, a legitimate expectation of privacy, intentional or reckless conduct, and a prevailing public interest in privacy.


Other Highlights

Retention of Political Party Exclusion

Interestingly, it is expected that political parties will maintain their exclusion from the Privacy Act. The government has justified this by stating it will improve the functioning of electoral and political procedures.


Journalism Exclusion

The government has signalled that the exclusion for journalism will remain in place. However, the Office of the Australian Information Commissioner (OAIC) may develop and make public standards for media privacy to promote transparency and accountability in media, in accordance with changing privacy norms. Media entities must ensure data security, proper disposal of unnecessary information, and reporting of qualified data breaches to the OAIC.


Regulating Dark Patterns and Improving Privacy Controls

Social media platforms might be subject to new guidelines aimed at regulating the usage of dark patterns that lead users to agree to intrusive privacy practices. Furthermore, online settings might be modified to prioritise user privacy as a default, to pass a “fair and reasonable” criterion, a concept tentatively approved by the government. These steps emphasise the government’s intention to preserve user privacy online.


Enhancements to Children's Privacy Safeguards

In light of growing concerns about children's privacy, the government is endorsing additional protective measures, such as restricting targeting and the trade of children's personal information, with certain exceptions, and developing a Children's Online Privacy code, depending on the enactment of legal protections for children.


If you need help, reach out to the team at de.iterate—we’re here to help you get your ducks in a row.

© Secureroo Pty Ltd, 2021-2023