The Federal Government Attorney- General's Department released its much anticipated Privacy Act Review Report1 this year ("Review"), foreshadowing sweeping changes to privacy legislation in Australia.

While the digital age has generated benefits such as new efficiencies, consumer convenience and employment opportunities, 2 it has also resulted in the creation of copious amounts of data which in turn has led to greater concerns for individual privacy. In conjunction with this, the vulnerability of people's information in the digital age has been highlighted recently with the exposure of several high-profile data breaches. [3]

The Review considered whether the Privacy Act was "fit for purpose"4 and made 116 recommendations, including:

  • The addition of a "fair and reasonable test" in relation to privacy principles dealing with the collection, use and disclosure of personal information;
  • A broader definition of "personal information";
  • The removal of some exemptions to the Privacy Act, including the small business exemption and changes to the employee records exemption;
  • Additional consent requirements providing that consent must be voluntary, informed, current, specific and unambiguous;
  • More direct rights of actions for individuals through a right of access, introduction of a new statutory tort for invasion of privacy and allowing individuals to apply to courts for relief;
  • Enhanced enforcement powers for the Office of the Australian Information Commissioner;
  • Further individual rights in relation to opting out of targeted advertising;
  • Stricter requirements for notifiable data breaches; and
  • Requiring entities to conduct privacy impact assessments for any high privacy risk activities.

Feedback was sought in relation to the Review and recently the Australian Government released a response to the recommendations outlined in the Review. Of the 116 proposals, the Government agreed to 38 of the proposals, agreed in principle to 68 and noted 10 proposals.5 The proposals that were agreed in principle will be subject to further public consultation with an impact analysis to be undertaken before a final decision about the proposals are made.6 Of the 38 proposals that were agreed to, legislation that incorporates these proposals is anticipated to be introduced in 2024.


1 Attorney-General's Department, Privacy Act Review Report 2022.

2 Ibid, 1.

3 Yolanda Redrup, "Millions caught in data breaches before Optus or Medibank" Australian Financial Review (Article, 10 Nov 2022); Miklos Bolza, "Latitude his with $1 million lawsuit over data breach", Nine News (Article, 26 June 2023)

4 Privacy Act Review Report 2022 (n 1), 1.

5 'Government response to the Privacy Act Review Report' Attorney-General's Department (Website, 28 September 2023) < >.

6 Australian Government, 'Government Response I Privacy Act Review Report', (20 September 2023).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.