Attorney-General releases report following two-year review of the Privacy Act

Steven Klimt, Jason Shailer and Natalie William
16 Feb 2023
Time to read: 1 minutes

The Privacy Act Review Report's 116 proposals to enhance the Privacy Act are now available for public consultation. Responses are due 31 March 2023.

The Attorney-General's Department has this morning issued a report of findings from its two year consultation and review of the Privacy Act 1988 (Cth). Submissions on the Report are due 31 March 2023.

The Report sets out 116 proposals aimed at bringing Australia's privacy laws in line with global standards including the EU's GDPR. The proposals include the:

  • introduction of the concept of "controller" and "processor" APP entities;
  • expansion of the definition of personal information;
  • removal of the small business exemption, however, only after:
    • an impact analysis has been undertaken;
    • appropriate support is developed;
    • consultation on the most appropriate way for small business to meet their obligations proportionate to the risk (for example, through a code); and
    • small businesses are in a position to comply with their obligations;
  • introduction of an overall "fair and reasonable" obligation with respect to the collection, use and disclosure of personal information;
  • enhancement of individuals' rights with respect to their personal information, including the introduction of a right to erasure;
  • enhancement of privacy collection notices;
  • compulsory Privacy Impact Assessments for activities with high privacy risks; and
  • enhanced regulatory powers for the OAIC.

Attorney-General, the Hon Mark Dreyfus KC MP commented that "strong privacy laws are essential to Australians' trust and confidence in the digital economy and digital services provided by governments and industry" and noted that the Privacy Act has not kept pace with these changes.

Next steps

The Government will determine what further steps will be once submissions are in. However, the Attorney-General has previously commented that, in light of multiple high-scale data breaches in 2022, legislation amending the Privacy Act will be passed within this term of Government.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.