Almost four years after the review of the Privacy Act began, the Australian government has introduced a reform bill that many argue fails to address the critical changes needed to modernize the country’s privacy laws.
Attorney-General Mark Dreyfus had pledged in May that the government would reform a privacy framework he described as “woefully outdated and unfit for the digital age.” However, the new bill leaves most of the fundamental principles of the existing privacy law—enacted in 1988—largely untouched, despite the significant shifts in technology since then.
One key inclusion in the bill is the long-awaited statutory tort for serious invasion of privacy. The reform also introduces the prospect of a children’s privacy code and “tiered” penalties that reduce fines for minor breaches. But privacy advocates argue that the bill still leaves Australians vulnerable to extensive tracking and profiling by data brokers, retailers, rental platforms, and other companies with limited regulation.
Key Changes in the Bill
Although the government has labeled this reform as the “first tranche,” there is no clear timeline for more comprehensive changes, with further reforms likely to occur after the next federal election.
The bill introduces a statutory tort, allowing Australians to sue for serious invasions of privacy, such as being filmed in a private setting or having personal information misused. However, it will only apply to cases of intentional or reckless invasions, meaning organizations’ negligent actions will not be subject to lawsuits.
Another major feature is the inclusion of an “anti-doxing” law, which imposes prison sentences of up to seven years for publishing personal details with the intent to harass. This amendment responds to a high-profile case earlier this year, but critics argue it won’t fundamentally improve how organizations handle personal data.
Additionally, the bill provides a framework for the development of a Children’s Online Privacy Code, though the final version is unlikely to be implemented before 2025.
What the Bill Fails to Address
The reform bill leaves out several essential measures that privacy experts argue are necessary to bring Australia’s laws in line with international standards.
One key omission is the absence of a “fair and reasonable” test for handling personal data, which would have restricted businesses from unfairly using consent forms to exploit personal information. Similarly, the exemption for small businesses remains intact, meaning Australia’s privacy laws will continue to exclude about 95% of the country’s businesses.
An updated definition of “personal information” is also missing from the bill. Privacy advocates had hoped the new definition would cover data used to track individuals online, but the existing definition remains unchanged, allowing data brokers to continue their operations with minimal oversight.
Additionally, the bill does not update the definition of “consent.” The proposed changes would have required consent to be clear, specific, and voluntary, but under the current law, consent can be implied through vague language in user agreements.
Finally, the reform fails to grant individuals the right to pursue legal action directly for privacy breaches. Instead, individuals must continue filing complaints with the Office of the Australian Information Commissioner, which has the discretion to investigate cases but has not yet imposed any penalties under existing laws.
Long Road to Comprehensive Reform
The Australian Competition & Consumer Commission (ACCC) called for a wide-ranging overhaul of the country’s privacy laws in 2019, noting that other nations had modernized their frameworks to better protect citizens in the digital age.
The Privacy Act review, which began in 2020, received hundreds of submissions, culminating in 116 proposals from the Attorney-General’s department earlier this year. The government has agreed, or agreed “in principle,” to 106 of these recommendations, yet many key proposals remain unaddressed in the current bill.
Despite passing some amendments in 2022, which included raising penalties for serious breaches, the underlying privacy rules have largely remained unchanged.
The bill is expected to be referred to a parliamentary committee for review, with a potential passage date in 2025. For now, Australia’s privacy protections are likely to remain behind those in jurisdictions like the European Union, where data protection laws are considered more robust.