Australia: Government responds to proposed changes to Australia's privacy regime

The Australian Government confirms its agreement to make significant amendments to Australia's privacy laws, and to progress additional reforms through further consultation

In brief

The Australian Government has released its much-anticipated response ("Response") to the Commonwealth Attorney-General Department's report ("Report") on its review of the Privacy Act 1988 (Cth) ("Privacy Act"). The Report recommended wholesale amendments to Australia's principal privacy legislation and contained 116 proposals for consideration by the government (for a detailed look at the Report, and the background to the review of the Privacy Act, see our previous alert here).


The Response is largely receptive to the Report's proposals, indicating positive support for a majority of the recommendations, with none rejected outright. However, the government has only "agreed" to the development of specific legislation for 38 of the proposals, which for the most part relate to less contentious changes focused on strengthening Australia's existing privacy regime. These include:

  • Regulating information used in automated decision-making and clarifying information security requirements
  • Developing a Children's Online Privacy Code to apply to online services likely to be accessed by children
  • Introducing new mid-tier and low-tier civil penalty provisions to allow for targeted regulatory responses, alongside enhanced enforcement powers for the privacy regulator and the courts

A further 68 proposals are "agreed-in-principle", but will be subject to further consultation to explore whether and how they may be implemented so as to balance privacy safeguards with other key concerns, such as the burden on regulated entities. These include a number of the more controversial proposals, such as:

  • The introduction of a maximum 72-hour period to notify the regulator upon becoming aware that there are reasonable grounds to believe there has been an eligible data breach
  • The introduction of new individual rights (including enhanced control over personal information and a "right to be forgotten") and a statutory tort for serious invasion of privacy
  • Certain changes to how data collection and data breaches are managed
  • The removal of existing exemptions for small businesses and employee records, and the introduction of additional safeguards relating to the journalism exemption

The 10 remaining "noted" proposals, which include recommendations relating to the protection of deidentified information, are flagged for potential further consideration by the government. The Response indicates that the government agrees with the broad intention of a majority of such recommendations, but not necessarily the specific approach put forward.

The government has indicated there will be opportunities for further consultation but will introduce legislation in 2024. There will be a transition period for any changes. For a more detailed look at some of the key proposals that have been agreed, agreed-in-principle, and noted, read our full alert.

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.