
How Will the Anticipated Privacy Act Reforms Change Privacy Obligations in Australia?

The government is in the process of conducting a review of Australia’s national Privacy Act. The review is broad and to date has considered a wide range of issues. At the time of writing, the review is still in the process of identifying issues and accepting submissions on how to address such issues. A key contributor to the dialogue is the Office of the Australian Information Commissioner (OAIC). This article looks at some of the key changes expected as a result of the anticipated reforms to the Privacy Act in Australia. It will then consider how they may impact your business’ privacy obligations.

Current Exemptions

Currently, the majority of Australian businesses are exempt from compliance with the Privacy Act because of the small business exemption. The small business exemption is a monetary threshold that exempts businesses with an annual turnover of $3 million or less from the Privacy Act. The issue with the exemption is that in the current data-driven world, many small businesses are collecting and handling a lot of personal data. Therefore, it does not make sense for individuals’ privacy to be at risk because a small business is handling the data. This also does not align with other similar jurisdictions, which do not have this exemption. For this reason, the OAIC has submitted that the exemption should be scrapped as one of many privacy reforms in Australia.

The Privacy Act also includes an exemption for employers handling employee records. The OAIC has suggested this exemption be removed. The exemption covers certain acts of employers, reducing the burden of dealing with employee information. However, businesses collect more employee information now than ever. This is due to things like GPS tracking of corporate vehicles and biometric scans for secure entry to workplaces. Furthermore, there has been an increase in the monitoring of employee health information, including as a result of COVID-19.

If the small business exemption is removed and your annual turnover currently falls at or below the $3 million threshold, your privacy obligations will change. You will need to upgrade your privacy processes and policies. If your business is currently subject to the Privacy Act, then you may rely on the employee records exemption. The removal of this exemption will require that you reassess how you handle employee personal information. Indeed, you will likely be required to introduce new steps for collecting information in a compliant fashion.

Another of the privacy reforms being considered by the review in Australia concerns notice, in particular how and when businesses give notice under the Privacy Act. The OAIC is pushing for the use of a standardised form when notifying an individual about data collection.

There is also discussion about legislating the requirements for consent. These proposed changes would make it clearer when consent is required. They would also define what amounts to true consent. For example, the review submits that the Privacy Act should define consent as a clear and affirmative act. Under this approach, the Act would define consent as informed, specific, voluntarily given and unambiguous.

The suggested changes to notice and consent are driven by a desire to give individuals more control of their personal information. These suggested changes will hopefully fulfil the aim of better aligning the Privacy Act with privacy laws in other jurisdictions. 

Changes to notice and consent requirements will require an update of your privacy notices. You will also need to undertake a review of your current consents to ensure they are compliant. 


What New Remedies Are on the Table?

Two major items form part of the review. These items are intended to update the remedies available where there is a breach of privacy under the Privacy Act. The first is an increase in the maximum fine. The second is a right for an individual to bring a direct action for breach of their privacy.

In March 2019, the Digital Platforms Inquiry announced an increase in the maximum penalty. The increase aims to provide a greater incentive for businesses to comply with the Privacy Act. Part of the review is considering whether the current balance between investigating and mediating complaints and enforcement is effective. If penalties are increased, you are at increased risk as a business. Therefore, you should reassess your risk profile for each activity or function in which your business handles personal information.

Currently, there is no right under the Privacy Act for a person to bring a direct action for breach of their privacy. Instead, they have to complain to the OAIC. It is then up to the OAIC to investigate and decide what steps are appropriate. Therefore, the review considers whether individuals should have direct access to courts to enforce their privacy. The review considers how to provide this right while curtailing the risk of ill-considered claims tying up the courts’ resources. Introduction of a right to bring a direct action for a privacy breach would significantly impact the risk to your business in the event of a security incident or other incorrect handling of personal information. As a result, it would be prudent for your business to enhance its privacy policies and processes and run updated training for staff.

Key Takeaways

The current review of the Privacy Act in Australia is broad and is considering a range of reforms. Some of the key updates the report considers are scrapping exemptions to compliance with the Privacy Act, changes to the notice requirements, a better definition of consent, higher fines and a direct right for an individual to take your business to court for breaching their privacy.

Changes to the Privacy Act will impact your risk profile and, therefore, will require that you reassess your privacy processes and your privacy policies, both internal and external. When updating such documentation, you should also run staff training to ensure your staff are up to speed with the changes.



Frequently Asked Questions

What changes can I expect to the Privacy Act?

The current exemptions for small businesses and employees may be scrapped. There may also be changes to the notice and consent requirements. In terms of remedies, the maximum penalty may increase and individuals may have increased rights to take matters to court.

My privacy has been breached. Can I go to court?

Currently, there is no right under the Privacy Act for a person to bring a direct action for breach of their privacy. Instead, they have to complain to the OAIC. It is then up to the OAIC to investigate and decide what steps are appropriate. However, this may change.

Jacqueline Gibson
