Australia: Significant changes proposed to Australia's privacy regime

Australian government releases a long-awaited report on review of the Privacy Act, proposing wholesale amendments to Australia's flagship privacy legislation.

In brief

The Commonwealth Attorney-General's Department has released its long-awaited report (the "Report") on its review of the Privacy Act 1988 (Cth) ("Privacy Act"), which proposes widespread amendments to Australia's flagship privacy legislation. Stakeholders have until 31 March 2023 to provide feedback to the government on the proposals.


Contents

The Report proposes amendments across three areas:

  • Scope and application of the Privacy Act - while the principles-based approach to regulation would be retained, some revisions would be made to clarify and broaden the scope and application of the Privacy Act. Most notably, definitions would be added and amended to provide clarity (for example, to confirm that technical and inferred information is captured), geo-location tracking data would be subject to consent requirements, de-identified information would be regulated to a certain extent, and certain exemptions - including the employee records exemption - would be narrowed or removed completely.
  • Protections - personal information would be subject to enhanced protections, including through the introduction of new EU-inspired rights for individuals and an overarching requirement that collection and handling of personal information must be objectively "fair and reasonable". Collection notices and consent requirements would be enhanced and might ultimately be standardized. Records would need to be kept regarding purposes of processing and entities would be expected to appoint a privacy officer. Additional transparency would be mandated for certain automated decision making. Privacy impact assessments would be compulsory prior to undertaking high privacy risk activities, and special requirements would apply in respect of vulnerable people's and children's personal information. Direct marketing, targeting and trading in personal information would be more heavily regulated, with individuals having clear rights to opt out. Other key proposals include: revisions to security, retention and destruction obligations; adoption of a limited controller-processor distinction; and changes in respect of overseas data flows and extraterritorial application of the Privacy Act.
  • Regulation and enforcement - the range of available penalties for non-compliance would be expanded to cover a clarified and expanded range of conduct. Australia's privacy regulator, the Office of the Australian Information Commissioner ("OAIC"), would enjoy expanded powers including the right to require entities to identify and mitigate loss and damage that could result from their privacy failings. Other notable changes include: allowing individuals a direct right of action to seek relief for interferences with their privacy; a statutory tort for serious invasions of privacy; and changes to the notifiable data breach scheme, including a 72-hour notification deadline.



Copyright © 2024 Baker & McKenzie. All rights reserved.