Australia has commenced its review (Review) of the Privacy Act 1988 (Cth) (Privacy Act), with the Attorney General’s Department’s recent release of the Terms of Reference and Issues Paper. This article sets out what is being reviewed and aims to assist businesses to position themselves for any reforms that may arise out of the Review.

What is being reviewed and considered?

The Review is considering several issues, including:

  • the scope and application of the Privacy Act including the definition of ‘personal information’, exemptions and general permitted situation for the collection, use and disclosure of personal information;
  • whether the Privacy Act protects personal information and provides practical frameworks for promoting good privacy practices, specifically in relation to:
    • notification;
    • consent;
    • overseas data flows; and
    • erasure of personal information.
  • whether individuals should have direct rights to enforce privacy obligations;
  • whether a tort for serious invasions of privacy should be introduced;
  • the impact and effectiveness of the Notifiable Data Breaches Scheme;
  • the effectiveness of enforcement powers and mechanisms under the Privacy Act and the interaction with other Commonwealth regulatory frameworks; and
  • whether it is desirable or feasible to introduce an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

Ultimately, the purpose of the Review is to assess whether the Privacy Act’s enforcement mechanisms remain fit for purpose.

What’s not being considered?

The review will not consider the following areas of the Privacy Act:

What can we expect?

We can expect to see significant reform to the Privacy Act which will take it from a principles-based regime to a more prescriptive one. For example, we anticipate seeing an updated, more expansive definition of ‘personal information’, stricter requirements around how consent is obtained, further protections in relation to de-identified information and wider enforcement powers of the Office of the Australian Information Commissioner (OAIC). It is less clear whether the ‘employee exemption’ will be retained, which exempts the personal information of private sector employees from protection under the Privacy Act.

The Review has been welcomed by the Australian Information Commissioner and Privacy Commissioner Angelene Falk, who has stated that “The review of the Privacy Act will help ensure that our regulatory framework can protect personal information into the future and hold organisations to account.”

Overall, we can expect amendments to the Privacy Act which will strengthen consumer rights and impact how businesses collect, handle and disclose personal information.

Next Steps

This Issues Paper is the first of two papers seeking public feedback, which outlines the current law and seeks feedback on potential issues relevant to reform.

The Attorney General’s Department has stated that a discussion paper will be released in early 2021, seeking more specific feedback on preliminary outcomes, including any possible options for reform.

For more information and advice on privacy practice, please get in touch with us today.

This article was originally published on OneTrust and is available here.