Australia: Privacy Act Review Report—latest update

In an increasingly digitised environment, the storage and access of data and associated privacy principles are now at the forefront for businesses and Australian regulators, not least due to high profile data breaches in 2022 involving Optus and Medibank. The Attorney General's Department Privacy Act Review Report 2022 (Report) was released on 16 February 2023, providing the greatest indication yet that Australian privacy laws are likely to be updated, having far reaching effects on consumers and businesses alike.

The Report is the outcome of more than two years of consultation regarding proposed amendments to the Privacy Act (Act). The Report contains 116 proposals to strengthen and modernise Australian privacy law. In this article, lawyer Jordan Windress gives an overview of the most pertinent changes, and the effect they may have on consumers and businesses.

SMALL BUSINESS EXEMPTION

Arguably the most substantial recommendation in the Report is removing the small business exemption. Under the current legislation, most small businesses with an annual turnover of less than $3 million are not required to comply with the Act, unless they are engaged in exempt activities. Removing this exemption will require all non-exempt businesses to become fully compliant with Australian privacy laws. The government has acknowledged the impact this will have on businesses, particularly smaller entities, and has pledged to undertake a full impact analysis and industry consultation.

NOTIFIABLE BREACH

The last 18 months has demonstrated the commercial damage to a business a data breach can cause, along with society's expectations around how those breaches are reported. The Report introduces an obligation for entities to provide an eligible data breach statement to the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware there are reasonable grounds to believe an information breach has occurred. An entity must also then notify individuals as soon as practicable and take reasonable steps to prevent adverse impacts to the individuals affected.

CIVIL PENALTIES

Reforms in December 2022 increased the maximum penalties for serious or repeated privacy offences. Following this, the Report recommends that legislation introduce new low-tier and medium-tier civil penalty provisions to address the issue that any sanction for breaching the Act that is less than serious or repeated can only be dealt with via an OAIC determination. Whilst penalty amounts are yet to be determined, it is likely these new penalties will target minor privacy breaches and administrative breaches resulting in increased regulatory action and enforcement against businesses.

RIGHT OF ERASURE

The Report proposes individuals should be empowered to request deletion of their personal information by complying entities. Whilst this is practically an extension of the current obligation to delete personal information that is no longer needed, it is expanded in that individuals will be able to request the deletion of any category of personal information. However, the Report suggests these requests will not be accepted where there is a competing public interest, it is unauthorised by law, or is an abuse of process.

PERSONAL INFORMATION

Finally, the Report recommends altering the definition of 'personal information' to include information relating to a person. This expansion will allow businesses to capture a larger range of information and helpfully brings it into line with other existing Commonwealth legislation.

WHERE TO NOW?

The consultation period for the review regarding the proposed amendments closed on 31 March 2023. Whilst it remains to be seen which amendments will be enacted, it is likely the increased regulation will impact more Australian businesses, greatly increasing compliance costs. Conversely, it is hoped the increased powers and changes will provide enhanced protections to consumers. However, some market commentators suggest the broader definition of personal information, and the increase in businesses having to maintain privacy policies, may lead to increased class actions, litigation risk, and insurance premiums within industry.