22 Dec 2021


Review of the Privacy Act

The biggest privacy focus in Australia for 2021 has been the comprehensive review of Australia’s privacy regime. The review is being conducted by the Australian Attorney-General’s Department.

On 21 October 2021, the Federal Government released two key developments that will impact the Australian privacy landscape. They released the Privacy Act Review Discussion Paper and an exposure draft of an Online Privacy Bill.


On 12 December 2019, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act 1988 to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. The review was announced as part of the government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry.

On 31 October 2020, the Attorney-General’s Department released its Issues Paper. This paper outlines the current law and seeks feedback on potential issues relevant to reform. This Issues Paper is the first of two papers seeking public input. It had:

• 68 questions
• 3 key areas
   – Scope and application of the Privacy Act
   – Protections
   – Regulation and Enforcement

ADMA’s submission in response to this can be found here

On 21 October 2021, the Federal Government released two key developments that will impact the Australian privacy landscape. They released the Privacy Act Review Discussion Paper and an exposure draft of an Online Privacy Bill.

The Discussion Paper sets out a wider tranche of ideas and proposals, ahead of the release of the Privacy Review’s Final Report to be considered by government. This includes:

  • broadening the definition of personal information, for example to include technical information and inferred information;
  • removal/modification of the employee records exemption;
  • modification of the journalism exception, for example by introducing a public interest requirement into the journalism exemption;
  • amendment of the matters required to be included as part of an organisation’s privacy policy (in respect of direct marketing);
  • amendment of the matters required to be notified as part of a collection notice issued under APP 5.2;
  • additional requirements for information handling, notices and consent in respect of the personal information of children;
  • an additional requirement in respect of collection, use and disclosure of personal information, namely that it be fair and reasonable in the circumstances;
  • an additional requirement that risk-mitigation steps be taken in respect of particular privacy risks in respect of direct marketing;
  • new requirements for pro-privacy default settings on websites, for example requiring opt-in as opposed to opt-out;
  • changed rules for cross-border flows of data;
  • introduction of penalties for re-identification of de-identified information released by Commonwealth agencies;
  • replacement of the ‘de-identification’ requirements with the higher standard of anonymisation;
  • additional requirements for mandatory notification following an eligible data breach; and
  • increased individual rights, such as a right of erasure, a direct right of action, and a tort of privacy.

Submissions Due 10 January 2022.

An exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Online Privacy Bill”)

The Online Privacy Bill signals the Federal Government's commitment to strengthen the Privacy Act by increasing penalties and associated enforcement provisions, as well as enabling the introduction of a binding online privacy code for social media and certain other online platforms.

The Online Privacy Bill proposes:

- significantly increased penalties for serious or repeated interferences with privacy under the Privacy Act, bringing such penalties in line with the Australian Consumer Law;
- new compliance obligations under the Act;
- an expanded scope of foreign entities that will be subject to the Act; and
- the introduction of a new online privacy code (the OP Code) to regulate various categories of organisations which collect and commercialise personal information in the course of providing electronic services, and to impose additional responsibilities on these categories, especially when collecting, handling and using the personal information of vulnerable groups and children.

ADMA made a submission, which will be published at the AGD’s discretion. Alternatively, view a copy here.

For more information, see these updates published by ADMA here and here.
