Privacy Act in review

A blue-tinged cityscape at night time. The foreground is overlaid with a digital pattern of curved lines.

After two years of extensive consideration and consultation, the Commonwealth Attorney-General's Department released its much-anticipated report on the Privacy Act 1988 (Cth) (Privacy Act), published 16 February 2023.

The Privacy Act Review Report contains 116 proposals aimed at strengthening the Privacy Act. It comes at an important time, as a number of recent high-profile data breaches and privacy infringements have placed privacy and data protection firmly at the forefront of concern for Australian businesses and citizens.

The proposed reforms set out in the Report cover the scope and application of the Privacy Act, its protections, and regulation and enforcement.

Scope and application of the Privacy Act

The Report highlights current uncertainty around what information should be protected by the Privacy Act and who should protect it.

A key proposal is the expansion of the term "personal information", including that the expanded term be extended to technical and inferred information such as IP addresses and device identifiers (where they specifically relate to reasonably identifiable individuals).

Likely spurred on by recent high-profile breaches, the Report also proposes the introduction of greater flexibility in the Privacy Act, including in relation to emergency declarations in order to bolster responses of entities subject to the Australian Privacy Principles (APP entities) in emergency situations.

This section of the Report also contemplates current exemptions in and from the Privacy Act and proposes to reconsider exemptions in order to address contemporary privacy risks and meet current community expectations, such as the inclusion of small businesses (which previously would not have been considered APP entities) under the Privacy Act and a more balanced approach to employee records (in contrast to the current broad-brush employee records exemption).


The second section of the Report asserts that individuals need to have more transparency and control over how their personal information is handled, and that entities should be held responsible for ensuring that their information-handling practices are sufficient, fair and not harmful.

Key proposals for increased protections include:

  • improvements to the quality of privacy collection notices and consents obtained from individuals (including accessibility)
  • a new "fair and reasonable" test for the activities of APP entities when handling personal information
  • stronger protections to prevent unauthorised access to personal information and minimising the amount of personal information collected and retained
  • the regulation of "targeting" ─ covering the collection, use or disclosure of information to target individuals with services, content, information, advertisements or offers provided or withheld
  • introducing rights similar to "data subject rights" under the European Union’s General Data Protection Regulation (GDPR), such as the rights to object, request erasure and have search results deindexed
  • introducing the concepts of "controllers" and "processors" to provide greater transparency in relation to APP entities that process personal information under the directions of other entities (echoing the approach taken in Europe under the GDPR).


In relation to enforcement, the Report acknowledges that the enforcement of privacy obligations needs to be strengthened and for individuals to have further remedies when their privacy has been breached, including for serious invasions of privacy not covered by the Privacy Act.

The Report proposes the introduction of new civil penalties and new powers for the Information Commissioner in relation to investigations, public inquiries and determinations.

After being raised as a key issue by many organisations involved in consultation, the government also proposes a direct right of action for individuals to seek remedies in court for breaches of the Privacy Act which cause them harm.

A statutory tort of serious invasion of privacy has also been proposed to address the lack of remedies available to Australian individuals for breaches of privacy that fall outside the Privacy Act.

Additionally, the Report considers introducing a criminal offence for the malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit (with appropriate exceptions).

Finally, the Report considers reducing complexity where there are co-existing privacy and reporting obligations under different legislative frameworks, through streamlining obligations and minimising duplicate obligations. It also proposes the development of a privacy law design guide to assist Commonwealth agencies in the creation of schemes with privacy obligations.

Final thoughts

The government's proposals for changing the Privacy Act are not unexpected, as many were flagged during the recent consultation process. However, the extensive nature of the proposals will undoubtedly increase the compliance burden on businesses, and not all are likely to be welcomed by the business community.

We are encouraged by the inclusion in the Report of a number of recommendations made by Lander & Rogers through various committee submissions, including suggested improvements to accessibility of collection notices (e.g. for the visually impaired) and the proposal that overseas disclosure to jurisdictions with similar data protection laws to Australia is made more compatible with our global digital, cloud-based economy.

For more information on the proposed reforms and how they may impact your organisation, please contact a member of our Digital Economy team.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.