Privacy reforms are on their way
Australian privacy law is facing a period of dramatic change, with significant reforms to the Privacy Act on their way. Penalties were ramped up in 2022, the POLA Act reforms commence from 11 December 2024, while the Government has committed to introducing further ‘tranche two’ reforms in 2025.
Let Salinger Privacy know-how guide you through.
The latest news
23 December 2024 – We have updated our guide to The Privacy Act in a Nutshell, to reflect the impact of the Tranche 1 reforms.
10 December 2024 – The POLA Act has now received Royal Assent, and thus many of the Tranche 1 amendments to the Privacy Act commence tomorrow. See our advice on what to do now, and what can wait.
29 November 2024 – The POLA Bill (with amendments by the Government) quickly passed the House of Reps this morning. Most components will commence almost immediately, upon Royal Assent. See our analysis of the reform’s impacts.
28 November 2024 – The POLA Bill has passed the Senate, after the Government tabled amendments to address recommendations from the Senate Committee, primarily to do with clarifying the statutory tort aspects of the Bill. Amendments proposed by the Greens (to improve privacy protections) and the Opposition (to remove the statutory tort from the Bill) were both defeated. The amended Bill will return to the House for a vote tomorrow.
21 November 2024 – Senator Shoebridge has tabled amendments to the POLA Bill, to reform the definitions of ‘personal information’ and consent, and to introduce a ‘fair and reasonable’ test.
17 November 2024 – Our latest blog compares the proposal for a statutory tort in the POLA Bill with the common law tort recently the subject of a Victorian court ruling.
14 November 2024 – The Senate Legal and Constitutional Affairs Legislation Committee has published its report on the POLA Bill. The Committee recommended that the Senate pass the Bill, subject to a number of amendments, primarily focused on the statutory tort. Additional comments from Greens Senator Shoebridge described the POLA Bill as a “missed opportunity”, and referred to the urgent need to reform the definitions of ‘personal information’ and consent, and add a ‘fair and reasonable’ test, as the Government had previously agreed to in principle. Debate in the Senate is expected to commence in the 25 November sitting week.
6 November 2024 – The POLA Bill was considered in the Federation Chamber, a standing committee of the House of Representatives. Independent MP Zoe Daniel moved amendments to reform the definitions of ‘personal information’ and consent, while independent MP Kylea Tink moved amendments to limit the media exemption from the statutory tort. You can watch the debate here, starting about 1 hr 20 mins into the video. The Government opposed those amendments, and the outstanding amendments were referred to the Senate as ‘unresolved questions’, for consideration by the Senate.
3 November 2024 – Wondering how to prepare for Privacy Act reforms? See our advice on what to do now, and what can wait.
12 September 2024 – The Privacy and Other Legislation Amendment Bill 2024 (the POLA Bill) was tabled this morning. Described as the ‘first tranche’ of reforms to implement the legislative proposals agreed to by the Government in 2023, this Bill – for the most part – does not alter the existing framework of the Privacy Act, in terms of the Act’s scope, or the core obligations under the APPs.
If passed, these reforms will require the OAIC to develop a Children’s Online Privacy Code, introduce a statutory tort for serious invasions of privacy, and add a new ‘doxxing’ offence to the Criminal Code to cover the malicious release of personal information online.
The POLA Bill also seeks to create a three-tier model of civil penalties. In addition to the current ‘top tier’ penalties (up to $50M) for a serious interference with privacy, the Bill introduces a ‘middle tier’ for an interference with privacy which falls short of being ‘serious’ (up to $3.3M penalty for bodies corporate), and a ‘bottom tier’ option for the OAIC to issue infringement notices without having to go to court, of up to $330,000 for certain breaches of the APPs or the notifiable data breach scheme under the Privacy Act, including:
- Not having a clear, up-to-date and easily accessible Privacy Policy
- Poorly drafted notices to individuals about a notifiable data breach
- Not having a simple mechanism by which people can opt out of receiving direct marketing, or
- Failing to deal with an access or correction request within 30 days.
This new tiered penalty regime will have immediate effect once the Bill becomes law; there is no proposed transition period.
Two reforms of note relate to the APPs. One obligation being strengthened is in relation to the Data Security principle, APP 11, which will clarify that the ‘reasonable steps’ required under APP 11 to protect data can include organisational measures, as well as technical measures. This suggests that organisations could be at risk of breaching APP 11 not only if they have poor cyber defences, but also if they have not sufficiently trained all staff in their privacy obligations. This change to APP 11 will have immediate effect once the Bill becomes law; there is no proposed transition period.
The other change is to the Accountability & Transparency principle, APP 1, which will obligate organisations to include details about automated decision-making in their Privacy Policy. This change has a two year transition period.
Read more in our analysis of the impacts of this ‘first tranche’ Bill.
The ‘second tranche’ of reforms, now expected in 2025, is expected to contain the more significant reforms, such as updates to the definitions of personal information and consent, the introduction of a ‘fair and reasonable’ test, and the abolition of the small business exemption.
Wondering how to prepare for Privacy Act reforms, now it has been split into two tranches? See our advice on what to do now, and what can wait.
2 May 2024 – The Attorney General, the Hon Mark Dreyfus KC MP, used a speech for Privacy Awareness Week to announce that he will be bringing the Bill to reform the Privacy Act to the House of Representatives in August.
Need an overview of the major proposals for reform? Here is our analysis: Glass half empty, or glass half full? How to read the Privacy Act reform proposals, plus a run-down of the 16 most impactful reforms.
Want to get ready? We have a free handout: Seven Steps to Prepare for Law Reforms.
Prefer a deeper dive? We have a 90 minute recorded presentation on the Privacy Act Reforms – what’s proposed, what’s next, and how to prepare. The presentation, and a copy of the associated handouts, is available as part of our Privacy Act Reforms Bundle.
12 February 2024 – The Government has today committed to urgently bring forward the reforms to the Privacy Act, given the focus on a recent ‘doxxing’ incident.
28 November 2023 – Our Principal Anna Johnston was a guest panelist on the Tech Mirror podcast to share her thoughts on the Government’s response to the Privacy Act Review Report. See Episode 35: Privacy: Move fast and regulate it.
9 October 2023 – To reflect the proposals for law reform to which the Government has now agreed, we have updated our fast guide for busy people: The Privacy Act in a Nutshell – An Executive Briefing Paper.
28 September 2023 – Of the 116 proposals in the Privacy Act Review Report from February 2023, the Attorney General has today agreed and committed the Government to act on 38, and to introduce a Bill to Parliament in 2024. Another 68 proposals are agreed to ‘in principle’, while 10 have been shelved.
Here is our analysis: Glass half empty, or glass half full? How to read the Privacy Act reform proposals, plus a run-down of the 16 most impactful reforms.
19 April 2023 – Our April blog takes a deeper dive on the proposed new definition of ‘personal information’.
31 March 2023 – We have made a detailed submission to the Department on the Privacy Act Review Report.
28 March 2023 – In a long-form blog, we have teased out some of the surprising proposals from the Final Report into the review of the Privacy Act.
16 February 2023 – The final report by the Attorney-General’s Department into their Review of the Privacy Act is out today! The report has 116 recommendations, including a strengthened definition of ‘personal information’, specific tests to be met when relying on consent as the basis for handling personal information, the introduction of a ‘fair and reasonable’ test, mandatory Privacy Impact Assessments of high-risk activities, and a right to erasure. Attorney-General the Hon Mark Dreyfus KC MP will embark on another round of consultations, with responses to a 42-question survey due 31 March. Join our webinar on 4 April to understand the Privacy Act Reforms – what’s proposed, what’s next, and how to prepare.
20 December 2022 – The final report by the Attorney-General’s Department about their Review of the Privacy Act has been handed to the Attorney-General, the Hon Mark Dreyfus KC MP. Dreyfus announced on Twitter today that he will now “carefully consider” the report over the summer as he prepares “to overhaul the Act next year”. Dreyfus has previously stated that he is committed to bringing forward the reforms arising from that review within the current term of government.
12 December 2022 – The amendments to the Privacy Act, brought about by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, commenced today, upon the Bill receiving Royal Assent. The key effect is to increase the maximum civil penalties which relate to ‘serious or repeated’ breaches of the 13 APPs, or the notifiable data breach scheme. The maximum penalty for a serious or repeated breach by a body corporate will increase (from what was a maximum of $2.22M) to whichever is the greater out of $50 million, 30% of turnover, or three times the benefit obtained from the breach. For individuals (e.g. sole traders), partnerships and other unincorporated entities, the penalty will increase from the current maximum of $440,000 to $2.5 million.
This amendment did not change the fact that the OAIC has to ask the Federal Court to levy these fines, and that the fines are only for serious or repeat conduct. We expect further reforms in the second tranche in 2024, including possibly a tiered scheme to include lower penalties for less serious conduct.
The amendments also extended the extra-territorial reach of the Privacy Act, and expanded the powers of the OAIC.
What to expect
As well as the significantly higher penalties for breaches already enacted, and the impacts of the first tranche POLA Bill, when the second tranche Bill is ready in 2025 we can also expect a tightening of the rules for when and how personal information can be collected, used and disclosed, with an overarching ‘fair and reasonable’ test proposed. Also expect more emphasis on accountability for privacy risk management when designing new products, services or systems. New definitions of ‘personal information’ and ‘consent’ are expected to bring Australian law closer to the tougher European model. The small business exemption is going to go (but timing is an issue), and new obligations will be imposed. See below for more details on what we know of the reform proposals thus far, and how to prepare.
How we can help
We offer a number of resources and services, to help you understand and prepare for the coming reforms, and uplift preparedness across your enterprise.
- Privacy Act Reforms – what’s proposed, what’s next, and how to prepare – a recorded presentation
Between the proposals for tough new privacy rules, already beefed-up penalties, and the fallout from massive data breaches continuing to rattle Boards and senior execs alike, privacy law and practice is likely to dominate the legislative, political and business agenda through 2023 and beyond. Based on the Attorney-General’s Department Final Report, we can see the likely legal reforms start to take shape. This 90 minute webinar explains where the review of the Privacy Act is at, what is likely to come next, and what you can do to prepare.
- The Privacy Act in a Nutshell – An Executive Briefing Paper
Australian businesses, non-profits and federal government agencies need guidance on the law as it is now, as well as where it is headed in the near future. A plain language primer for busy executives, in a succinct 28-page download, The Privacy Act in a Nutshell describes the law as it is today, with sidebars offering additional explainers of key topics, and the more significant law reform proposals currently being considered. Updated October 2023, to reflect the final set of law reform proposals released in September 2023.
Our Privacy Act compliance online training module has a fresh contemporary design, and the content is constantly updated to reflect the latest legal developments. (It was most recently updated in December 2022, to reflect the new penalties now in force.)
Co-designed by privacy and learning & development experts for an approach to learning which is fun, interactive and effective, our eLearning module is available off-the-shelf, or we can brand or customise it for you further. SCORM-compliant to integrate with your LMS, or enjoy instant access via our hosted environment, which includes regular reporting to you on staff progress.
Guidance for small to medium-sized businesses about privacy compliance and marketing rules, plus tools and templates to get the basics right: a Privacy Policy which complies with the Australian Privacy Act, a Data Breach Response Plan, a checklist of common privacy risks (and how to fix them), template language to use on webpages and in forms and contracts, and what to tell staff about their privacy obligations.
We can also offer executive briefings, webinars and other short-form presentations to explain the reforms to your team. Contact us to find out more.
Wondering where to start building a privacy compliance program, or worried about where your gaps might be? Download your free copy of The Privacy Management Handbook to help you get started, and link you to other resources you might find useful along the way.
Navigate your way through your privacy obligations with resources tailored to your needs. Whether you want just the basics for a start-up, advice about a particular risk area, or a complete privacy management program, we have a Compliance Kit to suit. Crafted by our team of privacy specialists, each Compliance Kit offers expert guidance and pragmatic tools, such as templates, checklists and briefing papers.
Further information
The review of the Privacy Act commenced in 2019, with a number of reports and proposals being subject to public consultation in that time. Salinger Privacy has been actively involved in the review process, monitoring the progress of proposals and assessing how various reforms will impact on our clients.
- Our analysis of the POLA Bill, October 2024
- Our analysis of the Government’s Response, September 2023
- The Government’s Response to the Privacy Act Review Report, September 2023
- See our detailed explanation of the 116 proposals from the Attorney-General’s Department, March 2023
- Salinger Privacy submission on the Privacy Act Review Report, March 2023
- The Final Privacy Act Review Report from the Attorney-General’s Department, February 2023
- See our detailed explanation of the 2021 Discussion Paper’s proposals
- Salinger Privacy submission on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, November 2022
- Salinger Privacy submission in response to the Privacy Act Review Discussion Paper, January 2022
- Salinger Privacy submission in response to the exposure draft Online Privacy Bill, December 2021
- Salinger Privacy submission in response to the Privacy Act Review Issues Paper, November 2020
- Attorney-General’s Department main page for the Review of the Privacy Act 1988