Anticipating the Next Wave of Privacy Act Reforms in Australia  - de.iterate

As Australia prepares for significant updates to its Privacy Act, businesses and individuals alike are watching closely. The Federal Government is expected to table draft legislation in Parliament this week, marking a crucial step in the long-running reform of the country’s privacy laws.  

Although the exact details of the changes are not yet known, we can reflect on the journey so far and what we might expect from these upcoming reforms. 

What is the Privacy Act? 

In Australia, businesses are responsible for protecting the personal information provided to them by customers.  

In 1988, the Privacy Act was introduced to regulate how businesses and federal government agencies handle personal information, and ensure that their customers’ privacy is protected. 

Organisations must adhere to 13 Australian Privacy Principles that govern the collection, use and disclosure of personal information. Business owners are required to handle customers’ personal information in a clear and transparent way, and protect against theft, loss, misuse, interference, modification, and unauthorised access. 

A Long-Awaited Overhaul 

The movement toward updating the Privacy Act has been in the works for several years. With the rise of digital technologies, the existing framework—considered by many as outdated and insufficient—has been under scrutiny.  

The Attorney-General’s Department has been leading a comprehensive review of the Privacy Act. In 2023, it put forward 116 recommendations for reform. The Federal Government has since accepted 38 of these recommendations in full, with an additional 68 accepted in principle. 

Key Focus Areas of the Reform 

The proposed reforms aim to bring Australia’s privacy laws into the digital age, with a strong emphasis on online safety, particularly for vulnerable groups such as women and children.  

Among the changes expected to be included in the legislation being tabled this week are: 

• Removal of the Small Business Exemption: Currently, the Privacy Act does not apply to businesses with turnovers of less than $3 million. However, it’s likely that this exemption will be removed. All Australian businesses will then be required to meet minimum data privacy standards, regardless of turnover. This is a significant widening of Australia’s privacy laws—one that will bring us in line with international laws such as the GDPR.  

• Civil Penalty Regime: Introduction of a tiered civil penalty system, categorising breaches into low, medium, and high severity. This will allow for more precise enforcement actions. 

• Automated Decision-Making Transparency: Privacy policies will need to include details about personal information used in automated decisions that have legal or significant effects, giving individuals the right to request more information on how these decisions are made. 

• Children’s Online Privacy Code: A new code specifically for online services that are likely to be accessed by minors, enhancing protections for this vulnerable group. 

Broader Implications and Expected Additions 

In addition to the confirmed changes, there are several broader reforms that could also make their way into the legislation. These include the potential introduction of a statutory tort for serious invasions of privacy, an expansion of data subject rights, and measures to combat doxxing—where personal information is maliciously shared online. 

Timeline of the Reform Process 

The journey to this point has been marked by extensive consultation and analysis: 

• 2020-2022: The Attorney-General’s Department conducts a thorough review of the Privacy Act, leading to the release of the Privacy Act Review Report in early 2023. 

• 2023: The Federal Government responds to the report, agreeing to a majority of the recommendations, with the reform agenda gaining momentum. 

• 2024: Draft legislation is expected to be introduced in Parliament, setting the stage for what could be the most comprehensive overhaul of Australia’s privacy laws in decades. 

What’s Next? 

As we await the tabling of the draft legislation, businesses should start preparing for the changes that are likely to come. The reform process is a clear signal that privacy and data protection are becoming more critical than ever in the digital era. Once the legislation is introduced, we will provide a detailed analysis of the changes and how businesses can ensure compliance. 

Stay tuned for our next update, where we’ll break down the specifics of the new privacy laws and what they mean for your organisation. 

For now, the team at de.iterate is here to help you navigate this evolving landscape. Reach out to us for guidance on preparing your business for the new privacy regulations.