The Government has today released the Report of the Attorney General’s Department’s review of the Privacy Act 1988 (Cth). The Government is seeking feedback on the 116 proposals in the Report before deciding what further steps to take. Submissions on the report are due on 31 March 2023. With this timing, it’s possible that we will see the review finalised towards the end of the first half of 2023.
The report can be accessed here.
The proposals made in the Report centre around:
- Amendment to the definitions of Personal Information, Sensitive Information and Collection.
- Amendment to the small business exemption and the employee records exemption
- Greater consent requirements.
- Security and retention.
- Introduction of a ‘fair and reasonable’ requirement for personal information handling.
- Direct and targeted marketing.
- Recording the purposes for which an entity will collect, use and disclose personal information at or before the time of collection.
- Introduce the concepts of APP entity controllers and APP entity processors into the Act.
- Overseas data flows, such as greater consent requirements.
- A direct right of action in order to permit individuals to apply to the courts for relief in relation to an interference with privacy.
- Introduction of a statutory tort for serious invasions of privacy.
- Significant amendments to the notifiable data breach scheme.
- Access rights expanded.
- Automated decision-making.
- Requirement of a designated privacy officer.
As foreshadowed last year, there seems to be a distinctly European-style flavour to some of these reforms.
The final proposal seeks to amend the Act to require a statutory review of any amendments to the Act within three years of the date of commencement of the amendments. It appears that ongoing privacy reform will no longer be foreign and we can expect consistent regulation in this space.