[This article was originally published on 12.12.23 and was reuploaded due to technical issues.]
On 28 September 2023 the Commonwealth Government released its response (Response) to the Privacy Act Review Report (Report), which had been published earlier this year.
The Government “agrees in-principle” with many of the proposals from the Report, which indicates that the proposals will be subject to discussion with stakeholders before they are enacted. However, other proposals which the Government specifically “agrees” with are more likely to be implemented promptly without substantial discussion. The Government “notes” other proposals from the Report, which are less likely to be enacted.
In the Response, the Government’s key focus areas for privacy reform are to:
While it is unlikely that a bill to amend the Privacy Act will be released for some time, Australian businesses should consider the Report as they change their existing processes, procedures or technologies, or enter into new contracts, in order to future-proof against potential changes, minimise disruption and ensure a smooth transition to the new regime.
The Fair and Reasonable Test
The Government agrees in principle that a new test should be enacted which requires that collection, use, and disclosure of personal information is fair and reasonable in the circumstances.[1] This test would apply even if consent has been given.
The Government has said that “this new requirement will help protect individuals when their personal information is used in complex data processing activities which have emerged through technological advancement, such as screen scraping and AI”.[2]
As the Government notes, what is fair and reasonable will depend on guidance from the Office of the Australian Information Commissioner (OAIC) and enforcement actions, as well as the view of judicial bodies.[3] Once this new requirement is enacted, we expect businesses to err on the side of caution as it is unlikely that clear judicial guidelines on this requirement will emerge until significantly after the test becomes law.
Removal of Small Business Exemption
The Government agrees in principle that the Privacy Act’s small business exception should be removed after sufficient consultation and a transition period.[4]
However, the Government also agrees in principle that small businesses which pose a significant privacy risk (e.g. businesses which collect biometric information) or trade in personal information should not be able to rely on the small business exception.[5]
Small businesses will need to assess their data hygiene practices and ensure that they are compliant before the obligations to comply with the Privacy Act take effect.
Specific guidelines for high-risk activities
The Government agrees in principle that entities should be required to complete a privacy impact assessment for high privacy risk projects that “identifies the impact that a project might have on the privacy of individuals and sets out recommendations for managing, minimising, or eliminating that impact”.[6] This mirrors an existing requirement for Government agencies.
Individual rights
The Government agrees in principle that individuals should be able to:
subject to prescribed exceptions (e.g., where the right is contrary to public interest, or if the request is frivolous or vexatious).[7]
In the short term, businesses in the process of making changes to internal software which stores or processes personal information should consider future-proofing to ensure that, if the above rights are enacted, the day-to-day compliance burden is limited. Being across this now and making changes today will help avoid incurring further time and cost later in modifying processes or procedures to become compliant.
Causes of action for interferences with privacy
The Government agrees in principle that individuals who have suffered loss or damage because of an interference with their privacy should be able to bring a right of action after lodging a complaint with the OAIC or a recognised external dispute resolution scheme.[8]
The Government also agrees in principle that there should be a statutory tort for serious invasions of privacy, with the proposed elements of such cause of action being:
The Government gives two examples of where an action may be brought under this tort:
New enforcement powers
The Government agrees that:
The Government also agrees that the OAIC should receive:
Other proposals
Other key insights from the response include the Government agreeing in principle to the following:
Hillhouse Legal Partners can advise you on all privacy issues. Please feel free to contact us on (07) 3220 1144 or email the writer at John.
[1] Response, p 8.
[2] Response, p 8.
[3] Response, p 8.
[4] Response, p 6.
[5] Response, p 6.
[6] Response, p 10.
[7] Response, p 18.
[8] Response, p 19.
[9] Response, p 19.
[10] Response, p 19.
[11] Response, p 20.
[12] Response, p 20.
The information in this blog is intended only to provide a general overview and has not been prepared with a view to any particular situation or set of circumstances. It is not intended to be comprehensive nor does it constitute legal advice. While we attempt to ensure the information is current and accurate we do not guarantee its currency and accuracy. You should seek legal or other professional advice before acting or relying on any of the information in this blog as it may not be appropriate for your individual circumstances.