Where to now for the Privacy Act review

The Online Privacy Bill, slated to be passed in the last sitting of Parliament prior to the election failed to pass. This bill, including laws requiring the drafting of Online Privacy codes of conduct and, importantly, increases in the penalties for breaches of the Privacy Act 1988 to the greater of A$10 million or 10% of Australian turnover, is now in limbo awaiting the outcome of the election and the next government’s legislative agenda. 

At the same time, the Online Safety Commissioner continues to work at speed undertaking multiple parallel consultations of new codes, including age verification obligations. The Online Safety Act is a dark horse in online regulation and a must read for any organisation with an online presence.

In October 2021, the Attorney-General’s Department announced a review and significant reform of Australia’s privacy framework. Public consultation on the review of the Privacy Act 1988 (Cth) closed on 10 January 2022. So far, 199 responses to the Government’s Discussion Paper have been published. The parallel consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, otherwise known as the ‘Online Privacy Bill’, closed on 6 December 2021.

With the Privacy Act consultation closed and the Online Privacy Bill kicked into a holding pattern until after the federal election, we expect it to be a quiet time in Privacy law reform in Australia in the short term.

With the pause and potential change in legislative agenda, the proposals under the draft Bill in respect of social media organisations, data brokerage organisations and large online platforms may be reassessed, especially given criticisms of the potential breadth of the laws’ application. Organisations with an online presence should keep a watching brief on the progress of these laws.

It is expected to be some time before the proposed reforms to the Privacy Act 1988 (Cth) are enacted since it is unlikely to be passed before the upcoming federal election. Nevertheless, organisations should be preparing for the raft of new obligations, such as strengthened privacy notice and consent requirements, and should work to improve or introduce any internal processes and procedures necessary to ensure compliance. Organisations must also familiarise themselves with the proposed scope of the requirements – extending to technical and personal data and online identifiers – in assessing whether their existing systems are sufficient to ensure their compliance.