Site Search

Loading Results

2023 Government Response to the Privacy Act Review Report

5 December 2023

by James Patto and Annie Zhang 

Special thanks to contributors: Jon Benson, Natalie Mu, Sylvia Ng and Elsa Zhong. 

The eagerly awaited reforms to Australia’s privacy laws are about to get underway with the Australian Government releasing its response to the Privacy Act Review Report (Government Response) which, when originally released in February this year, made 116 recommendations to reform the Privacy Act 1988 (Cth) (see our summary and hot takes and our submission in response to the report). The recommendations proposed were ambitious, wide-ranging and, if implemented, would have resulted in the most significant change to Australian privacy laws since the introduction of the APPs. 

Despite broader industry expectations that there would be substantial and expedited reform of the Australian privacy regime following the Privacy Act Review Report, it appears that the Government has adopted a more cautious and measured approach. Rather than proceeding to prepare draft legislation on many of the key recommendations, the Government has taken a similar approach to the Inquiry into Future Directions for the Consumer Data Right (CDR), by electing to undertake further industry consultation. The Government has undertaken to propose more substantial legislative changes to the Privacy Act once this consultation is complete. This approach is also not dissimilar to how industry regulators (e.g. APRA) finalise guidance. The Government has advised that the delay and further consultation is being undertaken on the basis that practical considerations need to be examined to ensure there is balance between uplifting privacy protection and the regulatory burden. 

Set out below we highlight some of the key reforms that will be significant in re-shaping the landscape of Australia’s privacy and data protection laws.

Snapshot of Government response to the Privacy Act Review Report's proposals

Key takeaways:

  • Of the 116 recommendations proposed in the Privacy Act Review Report:
    • 38 have been ‘agreed’ by the Government and the Attorney-General's Department will prepare legislation to implement these recommendations;
    • 68 have been ‘agreed in-principle’ and will require further analysis / consultation to determine whether and how they can be implemented; and
    • 10 have been ‘noted’ meaning there is somewhat less clarity around if, and when, these recommendations may result in meaningful changes to privacy legislation and regulation.
  • The Government is taking a measured and cautious approach in refreshing Australia’s privacy regime on the basis that practical considerations need to be examined to ensure there is balance between enhancing privacy protection and the potential increase in regulatory burden.
  • Given many of the recommendations have been agreed only in-principle, there is a degree of uncertainty for organisations as to what the Privacy Act will look like in the future, and what standard of compliance organisations should be working towards.
  • Organisations should consider the recommendations that were 'agreed’ and prioritise compliance activities accordingly. The legislation for implementing agreed recommendations will be informed through consultation across industries.
  • Given that the Government has signalled its intent to implement more ambitious and significant reforms in the future, organisations should look to begin the substantial uplift today, using the ‘agreed in-principle’ recommendations as a guide.
  • Forward planning will be critical for organisations – a quick look at equivalent privacy reforms in other regions highlights the value of taking initiative and beginning scoping and planning early, for example a number of organisations struggled to achieve compliance within the allotted transition period for General Data Protection Regulation (GDPR).
  • Organisations can begin refreshing their privacy and data protection practices even before the reforms are detailed or come into force as “no-regret" activities. Organisations can factor in the key themes emerging from the Government’s response – these include improving, more generally, data governance and transparency, consent and control mechanisms for individuals, enhancing PIAs for high privacy risk activities and refining security (in particular, in respect of destruction and de-identification). This will place organisations in a good position for when these reforms are introduced, as compliance activities can be accelerated (as and when necessary), allowing for expedited compliance.
  • Ultimately, good data hygiene and governance can be a competitive advantage for organisations.

Key proposals ‘Agreed’ by the Government

38 of the 116 proposals were ‘agreed’ by the Government, meaning legislation will be developed following targeted consultation. Interestingly, not all 38 proposals will result in legislative change and it appears that the actual scope of legislative change that will emerge from this review process, at least in first instance, will be quite limited.  

11 of these recommendations are proposals for further consideration or consultation and 6 relate to OAIC activity or other recommendations that are unlikely to result in legislative change. This means that only 21 of the 116 recommendations will find their way into the first tranche of draft legislation to be released shortly. These changes will include: 

  • changes in relation to the use of automated decision-making such as a requirement for privacy policies to include meaningful information on the types of personal information used as part of automated decisions and requirements of transparency in relation to how automated decisions are made; 
  • strengthening of the Notifiable Data Breaches scheme by allowing the Attorney-General to permit the information sharing with appropriate entities that may be able to reduce the risk of harm in a data breach; 
  • relaxing the threshold for ‘serious and repeated’ breaches of privacy by eliminating the requirement that breaches need to be repeated, and thereby making it easier to sanction breaches of privacy;  
  • changes to the enforcement regime, including giving a court the power to ‘make any order it sees fit’ once a privacy interference has been established, and new powers and requirements on the OAIC; and 
  • uplifting protections to children’s privacy by introducing a Children's Online Privacy Code that applies to online services that are likely to be accessed by children. 

In addition, the OAIC will have a key role to play with the following: 

  • developing practice specific guidance for new technologies and emerging privacy risks; 
  • new regulatory guidance to identify and distinguish the different categories of vulnerable individuals who are at a higher risk of harm from data misuse, and updated best practice information for securing their consent; and 
  • providing improvements and additions to guidance around information security, including to APP 11 and what constitutes as ‘reasonable’ steps to secure, destroy or de-identify personal information, and the type of conduct / behaviour the OAIC expects from entities to identify, mitigate and redress actual or reasonably foreseeable loss. 

Key proposals ‘Agreed In-Principle’ by the Government

The Government has given a more tentative nod to 68 other recommendations – ‘agreed in-principle’ – and will look to engage with stakeholders in another round of consultation on these matters. The Government has further indicated that these recommendations need to be considered in light of other potential consequences and additional regulatory burden. These 68 recommendations are where the more ambitious uplifts to the Privacy Act lie. It is unclear what form the further consultation will take, but the Government has indicated it will be led by the Attorney General’s Department, in consultation with Treasury, and that it will continue into 2024.  

Of note are the following recommendations that, when proposed in the initial Privacy Act Review Report, looked to significantly modernise and strengthen privacy protections for Australians: 

  • requirement to determine and record the purposes for which organisations collect, use and disclose personal information;  
  • amendments to exemptions such as the employee records exemption and removal of the small business exemption; 
  • obligations to appoint or designate a senior employee as having specific responsibility for privacy within the organisation; 
  • requirements to perform privacy impact assessments for high-risk activities; 
  • direct right of action under the Privacy Act and a statutory tort for serious invasions of privacy;  
  • unqualified right to opt-out of individuals’ personal information being used or disclosed for direct marketing purposes;  
  • industry-based funding model for the OAIC;  
  • new individual rights, modelled on the EU GDPR ‘data subject rights’, including rights to object, to request erasure, to opt-out of receiving targeted advertising and being used / disclosed for direct marketing purposes, and to have search results deindexed);  
  • ‘fair and reasonable’ test to determine whether the collection, use and disclosure of personal information is necessary for an entity’s function and activities; and 
  • mechanism to prescribe countries with substantially similar privacy laws and introduction of standard contractual clauses for transferring personal information to countries that are not prescribed. 

These are now subject to additional consultation, delaying the modernisation and alignment of the Australian privacy regime with other jurisdictions. 

Key proposals ‘Noted’ by the Government

10 proposals were ‘noted’ by the Government, with no further action to be taken. Interestingly, we understand that the Government will not be looking to legislate on additional requirements to round out the political exemption, including requiring that political entities take reasonable steps to protect and destroy / de-identify personal information and comply with the NDB scheme, and the proposal to increase privacy protections and security measures for de-identified information. 

Snapshot of Government response to the Privacy Act Review Report's proposals

Our perspectives and insights 

We recognise the scale of change required to implement these recommendations and appreciate the Government’s need to undertake further consultations and follow an approach not dissimilar to the CDR. In our submission, we suggested a tranched approach to reforms to pragmatically help industry implement the wide-ranging changes to the regime that appeared likely at the time. While it is positive to see that the Government has reviewed and prioritised recommendations into tranches to progress forward, the absence of a clear roadmap and timeframes for implementation of tranches may cause further ambiguity for organisations around whether they should act now or wait until further clarity on regulatory expectations is available. 

Further, there is a risk that the approach that is being taken by the Government to these reforms leaves organisations with even greater uncertainty as to what they should be prioritising in terms of their data governance and compliance uplift. Organisations know that some level of reform is coming – but is this enough to justify substantially increased expenditure on privacy uplift when, at this stage, there is no certain position from Government on many of the more significant reforms? 

There are a number of recommendations which are good practice and we recommend industry take steps to implement these recommendations as measures to address organisational data risk. For example, key reforms relating to the time taken to notify an eligible data breach, the requirement to appoint or designate a senior employee as having specific responsibility for privacy within the organisation, and requirements to perform privacy impact assessments for high-risk activities. These are only three examples, but there are a range of other ‘low-hanging fruit’ recommendations that could have been included in the initial set of ‘agreed’ reforms, and which industry should focus on today to enhance privacy and data protection and prepare for impending legislative changes.  

It is, however, encouraging to see recommendations relating to substantial regulation of de-identified data being dismissed. These recommendations have the potential to over-complicate the privacy regime in Australia and would impose onerous and burdensome obligations on Australian organisations that would be out of step with international equivalents.  

While the Government Response shows a recognition of the need to enhance trust and confidence of individuals and entities in the handling of personal information in Australia, there is a missed opportunity that a more comprehensive reform package has not been included in the first round of changes. Since its introduction in 2018, many countries have adopted GDPR-like regulations to modernise and enhance privacy protections. Australia must now move at pace to ensure our own legislation does not fall even further behind.  

What should organisations do? 

What should organisations do?

Contact us

Adrian Chotar

Partner, Legal Business Solutions, Sydney, PwC Australia

+61 2 8266 1320

Email

Jon Benson

Partner, Assurance - T&R Cyber, Melbourne, PwC Australia

+61 438 565 299

Email

James Patto

Director - Digital, Cyber and Tech Law, Melbourne, PwC Australia

+61 431 275 693

Email

Natalie Mu

Director - Data Trust and Privacy, Melbourne, PwC Australia

+61 (3) 8603 5863

Email

The information contained in this article is general in nature, and is not intended to be a substitute for legal advice. Readers should obtain independent legal advice as to their specific circumstances.