Recently, the Australian Government responded to the Privacy Act Review Report, which aims to modernise and strengthen privacy laws in the digital age. With a focus on personal protections and corporate accountability, they’ve embraced 38 recommendations, agreed in principle to 68 more, and acknowledged 10. These proposals will be prioritised for legislation in 2024, with further consultation on those agreed in principle.
Notable reforms that the government has agreed to include:
- Children’s Online Privacy Code: creating a code that would apply to online services that children are likely to access.
- Automated decisions: Requiring privacy policies to set out the kind of personal information used in decisions that are largely automated and have a significant effect on individuals’ rights.
- Data destruction: Strengthening existing obligations by clarifying that “reasonable steps” now includes technical and non-technical (organisational) measures.
Reforms that the government has agreed to in principle subject to further consultation, include:
- Direct right of action: They’ve also agreed in principle to create a direct right of action for individuals to seek compensation through court action in cases of serious breach of privacy leading to loss or damage. This would be for any breaches of Australian Privacy Principles.
- Small business exemption removal: The government has agreed in principle to remove the current exemption for small businesses, committing to transition and consultation with small business groups.
- Strengthening enforcement and penalties: The government has also acknowledged the need to strengthen enforcement
- Statutory tort for privacy: Introducing a new statutory tort of privacy is also agreed in principle, allowing individuals to sue for intentional and reckless invasions of privacy beyond the scope of the Privacy Act.
- Employee data: Employee records will now fall under privacy laws.
Other noteworthy changes include redefining what constitutes “personal information,” enhancing notification requirements for breaches within 72 hours and mandating senior appointed privacy officers within organisations.
Here at CIE Legal, we advise a wide range of businesses on their obligations under the Privacy Act. Our team, led by Andrew Thompson, will keep you posted by staying close to further consultations, as well as the final changes, which the Government intends to implement in 2024.