On 2 May, Attorney General Mark Dreyfus delivered a highly anticipated update on the future of Australia’s Privacy Law reforms.
At the Privacy By Design Awards the Attorney General announced, “At the request of the Prime Minister I will now be bringing forward legislation in August to overhaul the Privacy Act and protect Australians from doxing, the malicious use of their personal and private information.”
He also stated: “A failure to improve Australia’s privacy standards would not only have implications for individuals but has the potential to adversely impact the international competitiveness of Australian business. We must keep pace and more closely align with global standards”.
The Privacy Act currently applies to Australian government agencies and organisations with an annual turnover of more than $3 million. An organisation can be defined as a sole trader, a body corporate, partnership, trust, or any other unincorporated association.
Reform of how privacy and personal information is handled has been a hot topic for many Australians, particularly given the ever-increasing number of data breaches.
“We know Australians are concerned about the protection of their personal information, and of the risks associated with the misuse or mismanagement of their information. And we know Australians want more done to strengthen protections of their personal information,” Dreyfus said.
This announcement follows the Attorney General’s Department’s publication of the Australian Government’s response to its Privacy Act Review Report in September 2023. In its response, the Government stated that, of the 116 proposals in the report, it agreed to 38, agreed in principle to 68, and noted 10.
What are the proposed changes to the Privacy Act?
The Australian Government is currently evaluating various proposals to integrate Privacy by Design Principles more deeply into the national framework. These initiatives aim to make sure that privacy notices are clear, concise, and comprehensible. The consideration of a ‘fair and reasonable’ test seeks to regulate how personal information is collected, used, and disclosed, ensuring these actions are justifiable under specific circumstances.
There’s an additional focus on addressing high-risk privacy practices, which could mean expanding the requirement for Privacy Impact Assessments to more entities, particularly for activities that may pose significant privacy risks. This may include things like certain uses of facial recognition and biometric identification technologies in public areas.
Some of the other proposed changes include specifying the types of personal data used in automated decisions in privacy policies and granting individuals the right to understand how these decisions are made. The government is also contemplating a statutory tort for serious privacy invasions to enhance existing Privacy Act protections. This may extend to cover broader privacy harms including unwarranted physical intrusions.
The government also supports granting individuals direct access to legal remedies for Privacy Act breaches, encouraging them to seek compensation for privacy infringements. One of the aims of the reform is to boost control over personal information.
There are also discussions about mandating entities to define maximum and minimum retention periods for personal data, something which would be detailed in their privacy policies. Ongoing consultations with the industry ensure that the reforms are practical and consider the regulatory impact on businesses.
In addition to the reforms, the Attorney General’s Department is leading a cross-jurisdictional forum to facilitate updates and gather feedback on privacy reform proposals from various State and Territory agencies. This is to help ensure there is a cohesive approach to privacy reform across the country.
If you need help or want to find out more about privacy, reach out to the team at de.iterate. We’re here to help you get your ducks in a row.