Proposed changes to Australia’s data privacy regime
The Australian Attorney General has published the long awaited review of the Privacy Act 1988.
The review emphasises how important strong privacy laws are if Australians are to have trust and confidence in engaging with the digital economy. It also notes that Australian privacy laws have fallen behind global standards (as starkly exposed by a number of high-profile data breaches in 2022).
Although the Australian Government has already taken some action to increase penalties for privacy breaches and to boost the Australian Information Commissioner ‘s enforcement powers, the AG notes that Australians rightly expect still greater levels of protection, transparency and control over their personal information.
Proposals for change
The review makes 116 proposals, and the AG is seeking feedback by the end of March, which will then inform what further steps are taken.
Many of the proposals will be familiar (and may seem very sensible) to anyone who has had dealings with the UK or EU GDPR. Particular examples include:
- tightening up the definition of what constitutes personal information;
- removing the $3million turnover threshold so that the Australian Privacy Principles apply to all businesses;
- clearer rights for individuals to see what information is being held on them and for what purposes;
- a new ‘right to be forgotten’;
- increased protection for children and vulnerable people;
- clarifying exemptions for political parties, journalists etc;
- requiring Privacy Impact Assessments in areas of high risk to personal information;
- implementing new concepts of information controllers and processors, as well as ‘organisational accountability ‘, to drive proper compliance with the Act;
- requiring reasonable technical and organisational measures to secure, retain and destroy information;
- more options for individuals to directly enforce their rights under the Act;
Updating privacy law
Back in 2015, the EU realised that its data protection regime was in serious need of a reboot. The resulting GDPR has gone on to become the de facto global standard for privacy protection, acting as a template for new laws in China, California, Brazil and many other countries. Australia, meanwhile, has been in danger of lagging behind and this AG ‘s review is a welcome chance to catch up with advanced digital economies around the world.
We ‘ll know later in the year what the final amendments to the Privacy Act will look like. But it ‘s already clear that businesses are going to have to make substantial changes to their data processing and privacy procedures.