Australian Government announces a major review of the Privacy Act

The Australian Government has announced that it is undertaking a review of the Privacy Act 1988 (Cth) (the “Privacy Act”) and considering options for reform. The review is the latest step in a series of proposals to reform the Privacy Act that commenced early last year.

The review is a response to the Digital Platforms Inquiry undertaken by the Australian Competition and Consumer Commission (“ACCC”) in 2019 (see our previous article here). In its report, the ACCC recommended a large number of amendments to the Privacy Act including:

  • updating the definition of “personal information” to include online identifiers such as IP addresses, device identifiers and location data;
  • removing the current exemptions under the Act for small businesses, employee records and registered political parties;
  • strengthening existing requirements to notify individuals how an organisation will collect, use and disclose their personal information at the time of collection;
  • strengthening the Australian Privacy Principles, for example by requiring all use and disclosure of personal information to be lawful and fair;
  • strengthening the requirements for obtaining valid consent from individuals, including requiring “opt-in” rather than “opt-out” consent;
  • providing standards for de-identification, anonymisation and pseudonymisation of personal information, to address the risks of re-identification;
  • providing individuals with a right to require that their personal information be deleted (the so-called “right to be forgotten”);
  • providing individuals with a right to take action (including a class action) to seek compensation from an organisation which has contravened the Act; and
  • increasing penalties for contravention of the Act.

The ACCC also recommended that the Government consider:

  • applying for an adequacy decision from the European Commission to facilitate the transfer of personal information from the European Economic Area to Australia; and
  • introducing a statutory cause of action for serious invasions of privacy (a proposal originally made by the Australian Law Reform Commission in 2014).

The Government also notes that the review “builds on” reforms originally announced in March 2019 to increase the civil penalties under the Privacy Act and increase funding to the Office of the Australian Information Commissioner (see our previous article here) – although those reforms were never in fact enacted.

The Attorney-General’s Department has issued an Issues Paper which raises the above issues and a wide range of other potential reforms, including the effectiveness of the notifiable data breach scheme introduced in 2018 and the introduction of an independent certification scheme to monitor and demonstrate compliance with the Privacy Act. Submissions in response to the Issues Paper are due by 29 November 2020.

The Issues Paper will be followed by a Discussion Paper in early 2021, seeking public feedback on specific proposals for reform.