The Australian Government released today its long-awaited response to the Attorney-General’s Department Privacy Act Review Report 2022.
Of the 116 proposals in the Report (which we summarised in this earlier briefing), the Government agrees with 38 proposals, agrees in-principle to 68 proposals and ‘notes’ 10 proposals:
- Agrees – draft legislation to be introduced in 2024: This category includes proposals to introduce:
  - a new mid-tier penalty for breaches (even if they are not serious and/or repeated) and a lower-level civil penalty for administrative breaches with the power for the Office of the Australian Information Commissioner (OAIC) to directly issue infringement notices
  - new OAIC powers to conduct public inquiries and reviews
  - increased individual rights in respect of automated decision making, and
  - a mechanism to facilitate overseas transfers of personal information to approved countries without the need for additional contractual or other measures.
- Agrees-in-principle – subject to further and more detailed consultation with impact analyses: This is the largest category and includes recommendations to:
  - broaden the definition of personal information
  - remove the small business exemption
  - extend certain privacy protections to private sector employees
  - clarify and strengthen notice and consent requirements
  - introduce a fairness requirement for collection, use and disclosure of personal information
  - strengthen existing individual rights and introduce new rights (including a right to erasure)
  - require entities to record their purposes for collecting, using and disclosing personal information, when or before collecting that information
  - require privacy impact assessments to be conducted for high privacy risk activities
  - tighten restrictions around direct marketing, targeting and trading in personal information
  - clarify data security requirements
  - require entities to establish minimum and maximum retention periods for personal information and specify retention periods in their privacy policies
  - set a 72-hour timeframe to notify the OAIC of eligible data breaches
  - introduce a direct right of action to sue for breaches of the Privacy Act, and
  - introduce a tort of serious invasion of privacy.
- Notes – but will not proceed with: The Government will not proceed with this category of reforms, covering:
  - removing the exemption for political parties and activities
  - extending the Act’s protections to de-identified information, and
  - introducing an unqualified right to opt-out of targeted advertising.
What’s next?
Despite the Government expressing its support/support in principle for most of the proposed reforms, there are several steps/hurdles before their introduction.
- The Government has committed, as a priority (in 2024), to draft and introduce legislation to implement the 38 recommendations it agrees with. Once draft legislative provisions have been developed, it will undertake targeted consultation with entities prior to settling their final form.
- In respect of recommendations that it supports in principle, the Government agrees with this largest category of reforms, subject to further and more detailed consultation with impacted entities and impact analyses (including cost/benefit analyses). The Attorney-General’s Department, in consultation with Treasury, will lead the consultation process which will inform Government’s further consideration of these proposals.
We expect to hear more about these next steps after next month’s referendum.
Any proposals ultimately adopted by the Government will apply in the context of last year’s introduction of increased penalties (up to $50 million and sometimes more) and greater regulatory powers (as detailed in this briefing), and will complement other reforms including the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.
We will publish a detailed commentary on the Government response soon. In the meantime, our team is available to discuss further how the reform may impact you or how you may engage with future consultations.
For further information, please contact:
Julian Lincoln, Partner, Herbert Smith Freehills
julian.lincoln@hsf.com