The Attorney General has published his long awaited review of the Australian Privacy Act 1988.
The review emphasises how important strong privacy laws are if Australians are to have trust and confidence in engaging with the digital economy. It also notes that Australian privacy laws have fallen behind global standards (as starkly exposed by a number of high-profile data breaches in 2022).
Although the Australian Government has already taken some action to increase penalties for privacy breaches and to boost the Australian Information Commissioner’s enforcement powers, the AG notes that Australians rightly expect still greater levels of protection, transparency and control over their personal information.
The review makes 116 proposals, and the AG is seeking feedback by the end of March, which will then inform what further steps are taken.
Many of the proposals will be familiar (and may seem very sensible) to anyone who has had dealings with the UK or European GDPR. Particular examples include:
- tightening up the definition of what constitutes personal information;
- removing the $3million turnover threshold so that the Australian Privacy Principles apply to all businesses;
- clearer rights for individuals to see what information is being held on them and for what purposes;
- a new “right to be forgotten”;
- increased protection for children and vulnerable people;
- clarifying exemptions for political parties, journalists etc;
- requiring Privacy Impact Assessments in areas of high risk to personal information;
- implementing new concepts of information controllers and processors, as well as “organisational accountability”, to drive proper compliance with the Act;
- requiring reasonable technical and organisational measures to secure, retain and destroy information;
- more options for individuals to directly enforce their rights under the Act.
Back in 2015, the EU realised that its data protection regime was in serious need of a reboot. The resulting GDPR has gone on to become the de facto global standard for privacy protection, acting as a template for new laws in China, California, Brazil and many other countries. Australia, meanwhile, has been in danger of lagging behind and this AG’s review is a welcome chance to catch up with advanced digital economies around the world.
The final form of any amendments to the Privacy Act 1988 remain to be determined but we will be keeping a close eye on developments. If you have any questions on what the new rules may mean for you and your compliance team, please contact our specialist team.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2023