The Federal Government released its response to the Privacy Act Review Report on 28 September, indicating what the upcoming privacy law reforms will look like. The Privacy Act Review Report contained 116 proposals for reform of the Privacy Act 1998. In its response, the Government has agreed to 38 of those 116 proposals without qualification and agreed ‘in-principle’ to a further 68 proposals. Where proposals have been agreed to ‘in-principle’, the Government agrees with the intent of the proposal but is reserving judgement pending further consultation.


Read our earlier article to learn more about the Privacy Act Review Report.

The five central themes of the Government’s response are:

  • Bringing the Privacy Act into the digital age;
  • Uplifting protections;
  • Increasing clarity and simplicity for entities and individuals;
  • Improving control and transparency for individuals over their personal information; and
  • Strengthening enforcement.


One of the most significant proposals is the removal of the small business exemption, which exempts businesses with a turnover of less than $3 million from the Privacy Act. This reform will bring a significant cost to small business in complying with the legislation.

Other key proposals supported by the government include:

  • Enhancing powers for the Office of the Australian Information Commissioner (OAIC);
  • Requiring entities to get ‘informed consent’ in regard to the handling of personal information to give individuals more control;
  • Ensuring entities are accountable for handling information and strengthening the requirements for entities to keep personal information secure;
  • Clarifying how entities can protect the privacy of individuals and what the obligations are for handling personal information on behalf of another entity;
  • Changes to regulation in regard to the use of automated decision-making;
  • Introducing greater protections for children, including creating a Children’s Online Privacy Code;
  • New civil penalties for low and mid-tier breaches that do not meet the ‘serious breach’ threshold; and
  • Creating a criminal offence for the act of intentionally re-identifying information to cause harm.


The Government also intends to look into giving individuals the power to sue for a breach of privacy if:

  • there is a serious invasion of privacy;
  • the person had a reasonable expectation of privacy;
  • the invasion was committed intentionally or recklessly;
  • the public interest in privacy outweighs any countervailing public interest.


Overall, the response indicates that there will be three main areas of reform: increased obligations for collecting personal information; more rights for individuals in regard to their personal information; and a broader scope of application for the Act. The response is an indication for businesses as to the changes that we are likely to see. Draft legislation is set to be introduced in 2024.


If you have any queries on this topic or need assistance updating your privacy policy, please do not hesitate to contact our team. It’s critical that you have a clear and comprehensive privacy policy in place, and we can assist you in updating it.


At FAL Lawyers, we are committed to making sure that you receive the right advice tailored to suit your needs. Contact us to book a free consultation today.


Note: The contents of this article do not constitute legal advice and should not be relied upon as such. If this article pertains to any matters you or your organisation may have, it is essential that you seek legal and relevant professional advice.
