What’s Next for Australia’s Privacy Laws?

The release of the long-awaited review of the Privacy Act by the Attorney-General’s Department signals widespread updates to Australia’s privacy law.

Amid multiple significant data breaches affecting the country, Australia’s Attorney General’s Department published its review of the Privacy Act 1988 last week. Following a two-year period of consultation and review, the report outlines 116 proposals aimed at bringing Australia’s privacy laws in line with globally recognized legislation, and specifically the EU’s GDPR.

These proposals aim to “adequately protect Australians’ privacy in the digital age.” Acknowledging the current Act hasn’t kept pace with the rapid digital transformation of the last few years, the Attorney General remarked that, “strong privacy laws are essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry.”

The Office of the Australian Information Commissioner welcomed the findings of the review, commenting that the proposals “shift the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organizations who collect and use personal information to ensure that their practices are fair and reasonable in the first place.”

Among the changes proposed by the report, the most significant include:

• A broader definition of ‘personal information’ to include information that “relates to” an individual; wording that aligns the Act to other privacy-related legislation.
• The prohibition of re-identifying de-identified (anonymized) information received from third parties and the introduction of a criminal offence for malicious re-identification of information.
• The introduction of data processor and controllers, aligning the Act with other global regulation. This reduces the obligations for data processors, while controllers carry the full weight of the legislation.
• Greater regulation of the use of data for automated decision making and in targeted advertising.
• Enhanced privacy rights for individuals through the right of erasure, additional protection for children and vulnerable persons, alongside the right to seek compensation for loss or damage resulting from privacy breaches.
• Increased obligations on businesses for handling employee records, conducting privacy impact assessments for “high privacy risk activities” as well as reduced notification periods for privacy breaches.

The Australia Privacy Act has seen significant increases in breach penalties with the introduction of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which raised the maximum to the greater of $50 million AUD, three times the value gained from misuse of information, or 30% of adjusted turnover. There is potential for enforcement powers and penalties to increase further in light of the Privacy Act review.

What’s very clear from the report is that business can expect significant changes to the way they are permitted to collect and handle personal information. Preparing for any upcoming changes means establishing a clear view of all personal data across the organization, so that remediation steps can be identified and addressed ahead of any enforcement deadlines.

Enterprise Recon by Ground Labs provides fast and accurate data discovery, management and remediation solutions, packaged with Australia-specific data patterns to streamline Privacy Act compliance. Request a complimentary data risk assessment today.