Momentous changes to Privacy Act proposed

Friday, 03 March 2023

Simon Mitchell
Senior Policy Adviser, Education & Policy Leadership, AICD

    The Attorney General’s Department has released the long-awaited proposals of the Privacy Act Review. Were the changes to be adopted by the Government, and passed by the Parliament, they would represent a profound shift in how organisations of all sizes manage and store personal information and how they are held to account for any failures. The AICD is seeking views from directors on the implications of the key recommendations on the governance of Australian organisations.

    The Privacy Act Review (the Review) commenced in 2020 following recommendations by the Australian Competition and Consumer Commission in its 2019 Digital Platforms Inquiry. The AICD made a submission in response to the Review Discussion Paper in early 2022.

    The prominence of the Review has increased following the high-profile cyber attacks and data losses at Medibank and Optus in late 2022 and the Government has signalled that it will utilise the Review to significantly strengthen Australia’s privacy regime.

    The Final Report of the Review was released on 16 February 2023 and the Attorney General’s Department is consulting on the proposals until the end of March. The Government will consider the consultation feedback when it makes its formal response, potentially by the middle of 2023.

    Key recommendations

    The Final Report contains 116 proposals or recommendations covering both enhancements or changes to existing elements of the Privacy Act, such as the Notifiable Data Breaches scheme, and new obligations.

    Due to the volume and scope of the recommendations it is difficult to comprehensively summarise all elements. However, we highlight the following recommendations as potentially having significant impacts on organisations of all sizes:

    1. Small business exemption

    Currently most businesses with less than $3 million annual turnover are exempt from the Privacy Act. The Review proposes that this exemption be removed. This change would be considerable, with millions of previously exempt small businesses facing the full suite of Privacy Act obligations.

    2. Direct right of action and a statutory tort for privacy

    The Report proposes a direct right of action for individuals who have suffered loss or damage as a result of a privacy breach and separately a statutory tort for serious invasions of privacy that are intentional or reckless. The direct right of action would allow individuals (and representative groups) to seek compensation in the Federal Court. However, there would be a ‘gateway’ model where individuals will have to make a complaint to the Office of the Australian Information Commissioner (OAIC) prior to commencing court action.

    3. OAIC enforcement powers and penalties

    In addition to the significant changes in the penalty provisions passed by the Parliament in December 2022, the Review proposes new mid and lower tier penalties, with the OAIC able to issue infringement notices without the need for court proceedings. Separately, the OAIC would have new powers to create targeted codes of practice, and to undertake public inquiries and reviews into specified matters.

    4. Targeted amendments to Australian Privacy Principle 11 – Protection of personal information (APP 11)

    The Review proposes amendments to APP 11 to clarify the concept of ‘reasonable steps’ and to include baseline privacy outcomes informed by the Government’s development of its 2023-2030 Australian Cyber Security Strategy.

    Other important recommendations include a broader definition of ‘personal information’, a right to erasure and the introduction of the categories of ‘processor’ and ‘controller’ organisations with controllers having heightened obligations.

    Potential implications

    Were the proposals legislated, they would represent a major shift in how organisations collect, manage and dispose of personal information, and in the consequences for failing to meet these obligations. The changes would bring Australia broadly into alignment with the European Union’s General Data Protection Regulation (GDPR).

    The changes would also create a far more prescriptive and demanding privacy regime in Australia, and there would be considerable costs for businesses of all sizes in complying.

    In totality, the Privacy Act would be elevated as a key regulatory framework and the OAIC would become a more empowered regulator. Directors should be alive to the potential implications of the recommendations for their organisations and how they may shift the board’s role in overseeing data management practices.

    Call for assistance

    The AICD is seeking views from company directors on the Privacy Act Review proposals and how they may impact the governance of all sizes and types of Australian organisations. This feedback will inform our engagement with the Government on the proposed recommendations.

    We would particularly appreciate feedback on:

    • the impact of the removal of the small business exemption;
    • how a direct right of action and, separately, a statutory tort for privacy would alter the liability environment, including any class action activity associated with privacy breaches; and
    • reflections on the desirability of alignment with the GDPR.

    We are keen to hear from directors across all sectors, including directors of listed companies, SMEs and not-for-profits.

    Please email comments to or All feedback will be kept confidential.
