The Privacy Act Review Report was recently released by the Attorney-General, shedding light on the current state of privacy laws in Australia. The report revealed a number of key findings and recommendations for improving privacy protections for individuals and businesses.
The report details several proposals to better the interaction of individuals and the handling of their personal information. Key highlights include:
- The requirement to act fairly and reasonably when collecting, disclosing, and using personal information. This fair and reasonable test will be judged on an objective standard and apply regardless of user consent
- An amended definition of “consent” indicating that consent is voluntary, informed, current, specific, and unambiguous
- A broader definition of personal information to capture information relating to the individual
- A direct right of action to enforce privacy principles for individuals who have suffered loss or damage as a result of their privacy being interfered with. This means individuals can seek compensation from the Federal Court or Federal Circuit Court
- Additional obligations around de-identified information, particularly in relation to unauthorised access and overseas interaction
- Tighter timeframes for Notifiable Data Breaches
- Additional obligations when handling employee records, particularly on retaining information about employees and unauthorised access or interference
- The introduction of processors and controllers in Australia, similar to the General Data Protection Regulation in the European Union
- The requirement to conduct Privacy Impact Assessments for any high privacy risk activity
- The regulation of the use of personal information in automated decision-making
- The regulation of targeted advertising, preventing advertisers from targeting individuals based on sensitive information
- Additional protections for children and vulnerable persons
- A new statutory tort of privacy for serious invasions of privacy that are intentional or reckless
- The introduction of a right of reassure to permit individuals to request to delete their personal information by Australian Privacy Principles entities
- Greater enforcement powers and penalties in relation to breaches of the Privacy Act.
The Attorney-General’s Department is actively seeking public feedback on this report. Interested entities may provide feedback until 31 March 2023.