
Long-overdue Australian privacy law reform is here – and it’s still not fit for the digital era

  • Written by Katharine Kemp, Associate Professor, Faculty of Law & Justice; Lead, UNSW Public Interest Law & Tech Initiative, UNSW Sydney

Almost four years since the Privacy Act review commenced[1], the Australian government has introduced a reform bill that fails to make most of the fundamental changes needed to modernise our privacy laws.

Attorney-General Mark Dreyfus[2] said in May that the government would introduce legislation to reform a privacy regime that’s “woefully outdated and unfit for the digital age”.

But the new bill doesn’t touch most of the substantive principles in our privacy law, originally passed in 1988 and largely unchanged since then. This was an era long before our everyday lives were conducted via the internet or smartphones.

The reform bill does finally introduce a statutory tort for serious invasion of privacy, which has been anticipated for more than a decade[3]. It also provides a process for a potential children’s privacy code, and “tiered” penalties that provide lower fines for more minor breaches of the act.

But it continues to leave Australians at the mercy of rampant tracking, targeting and profiling by data brokers[4], major retailers, rental platforms and data-matching firms. Catastrophic data breaches flow from poorly regulated data practices – and we’re still not protected.

What does the reform bill change?

While the government calls this a “first tranche” of reform, it has not yet committed to a timeline for further reform. That would come after the election.

The amendments are far from the “overhaul” that privacy experts and advocates expected. Instead, they focus on rules for relatively narrow situations or groups, without changing the most important principles that tell government and businesses how to treat our personal information.

A Children’s Online Privacy Code, to be developed by the privacy commissioner, is likely to be a long time in the making, following further periods of consultation. The deadline for registering this code is more than two years away.

But we urgently need fundamental privacy protections for all Australians, whether they be 13, 18 or 80 years old.

The proposed reform includes a statutory tort (a civil wrong) for serious invasions of privacy. This is a positive, if belated, development – it was already recommended in 2008[5] and 2014[6].

It would allow Australians to sue for damages for serious invasions of privacy. This is either an intrusion into seclusion (for example, being filmed in a private place) or misuse of information relating to a person, where they had a reasonable expectation of privacy.

This law would only apply if the invasion is “serious” and committed intentionally or recklessly. Serious harms caused by an organisation’s negligence would not be enough.

The bill also includes an “anti-doxing” offence, with prison sentences up to seven years. This amendment was not debated as part of the Privacy Act review. It responds to an incident earlier this year[7] when the personal details of hundreds of Jewish members of an online support group were published without their consent[8].

The introduction of a doxing offence will not broadly improve the way organisations treat our personal data. Most privacy harms are not caused by the publication of personal details that is “menacing or harassing” under criminal law.

Read more: What is doxing, and how can you protect yourself?[9]

What does the bill leave out?

The proposed amendments leave out most of the fundamental reforms necessary to make Australia’s privacy laws fit for the digital era.

There is no “fair and reasonable” test for dealing with personal information. This would have helped prevent businesses relying on supposed “consents” to use information unfairly in situations where a person has no real choice but to provide the information.

The proposal to end the small businesses[10] exemption was also omitted. Unlike most countries, Australia’s privacy law doesn’t apply to small businesses, which make up about 95% of businesses.

For instance, real estate agents and rental platforms[11] are becoming notorious for the privacy risks and harms some inflict on renters and clients. But if their annual revenue is less than A$3 million, they may have no obligations under the Privacy Act.

The bill leaves out an updated definition of “personal information”, which would capture data commonly used to track and profile Australians online. An updated definition would help guard against data brokers singling out individuals[12] using unique identifiers, but claiming the Privacy Act doesn’t apply to them.

An improved definition of “consent”[13] was also left out. The proposal would have required consent to be “voluntary, informed, specific, current, and unambiguous”. The current law allows consent to be “implied”. Companies have used this to rely on vague terms hidden in the fine print of website policies.

There is still no direct right of action for individuals to seek relief in the courts for a breach of the Australian privacy principles. Instead, they must make a complaint to the Office of the Australian Information Commissioner, which then decides whether it will make any investigation or determination.

Four years and little to show

The Australian Competition & Consumer Commission recommended[14] wide-ranging reform of Australia’s privacy law in 2019. It noted other countries have modernised their privacy laws, but Australians use the same digital platforms without comparable protections in place.

The Privacy Act review began in 2020 and received hundreds of submissions. This culminated in 116 proposals made in a report by the Attorney-General’s department[15] in 2023. Later that year, the government agreed[16] or agreed “in principle” to 106 of those proposals.

In the interim, following several major data breaches[17] in 2022, the government did pass narrow amendments to the Privacy Act[18]. This included large increases in maximum penalties. But the underlying rules remained unchanged and no penalty has ever been imposed.

The bill is likely to be referred to a parliamentary committee for review. This in turn means it isn’t likely to be passed until 2025, further delaying the limited amendments. As it stands, the reform bill is not enough to fundamentally change the way organisations treat Australians’ personal information.

Our data-protection laws will likely remain well behind those in jurisdictions such as the European Union[19] for years to come.

References

  1. since the Privacy Act review commenced (www.ag.gov.au)
  2. Attorney-General Mark Dreyfus (ministers.ag.gov.au)
  3. anticipated for more than a decade (www.alrc.gov.au)
  4. profiling by data brokers (theconversation.com)
  5. 2008 (www.alrc.gov.au)
  6. 2014 (www.alrc.gov.au)
  7. incident earlier this year (www.smh.com.au)
  8. published without their consent (theconversation.com)
  9. What is doxing, and how can you protect yourself? (theconversation.com)
  10. small businesses (www.afr.com)
  11. real estate agents and rental platforms (www.choice.com.au)
  12. data brokers singling out individuals (cprc.org.au)
  13. definition of “consent” (www.salingerprivacy.com.au)
  14. Australian Competition & Consumer Commission recommended (www.accc.gov.au)
  15. report by the Attorney-General’s department (www.ag.gov.au)
  16. the government agreed (www.ag.gov.au)
  17. major data breaches (www.abc.net.au)
  18. narrow amendments to the Privacy Act (www.legislation.gov.au)
  19. jurisdictions such as the European Union (www.abc.net.au)

Read more https://theconversation.com/long-overdue-australian-privacy-law-reform-is-here-and-its-still-not-fit-for-the-digital-era-238214
