‘Landmark’ Australian privacy reforms released: Key changes and what's next for businesses

The Australian Government has released the first tranche of proposed reforms to Australia’s information privacy laws.

After nearly four years of departmental reviews in 2022-2023 and initial public consultations, the Commonwealth Attorney-General today introduced “landmark” privacy reforms into Parliament.

If passed into law, these reforms would implement many of the recommendations “agreed” by the Government in its September 2023 response to the Review Report.

What reforms are proposed?

Headline items among the proposed reforms are:

  • a right of action for individuals to sue for serious invasions of privacy;
  • streamlined information sharing across government agencies, in cases of emergencies or eligible data breaches;
  • powers to make data breach declarations, to prevent or reduce the risks of harm occurring to individuals in the event of an emergency or an eligible data breach;
  • greater transparency requirements for automated decision making;
  • development of a Children's Online Privacy Code; and
  • tiered penalty provisions for (among other things) failing to notify individuals of an eligible data breach as soon as practicable, failing to have a compliant privacy policy, or submitting a non-compliant data breach statement.

The proposed private right of action (to sue for serious invasions of privacy) may come as a surprise to many observers, and if passed, it will have significant impacts both on how organisations respond to data breaches, and on general privacy claims.

The reforms would also introduce new criminal offences for doxxing, the malicious release of personal data online. These offences would carry penalties of up to six years' imprisonment for malicious use of personal data, or up to seven years' imprisonment where a person or group is targeted for their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.

In our preliminary view, this reform package is modest and measured relative to the full scope of changes recommended by the recent Privacy Act review.

What’s not here?

The current reforms are the smaller, lighter-touch items, whereas structural changes recommended by the 2022 Review Report will likely need to wait until after the next federal election. 

Future changes may include:

  • reducing the existing 30-day period for assessing whether a data incident is an ‘eligible data breach’ and mandatory notification;
  • removing or de-scoping the existing exemptions for small businesses and employee records;
  • right of erasure or “to be forgotten”; and
  • an overarching, "fair and reasonable" test for handling personal information.

We will provide more guidance on these proposed changes as the Bill progresses over coming weeks.

For now, your business or not-for-profit organisation should prepare for these reforms by re-focusing on good information handling practices and preparedness for reducing cyber risks.

We're ready to assist

For more information about the proposed reforms, or help to uplift your capabilities in preparation for them, reach out to our team.
By Steven Hunwicks